On July 23, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), joined by the National Security Agency (NSA), issued a cybersecurity alert to operators of critical infrastructure. The alert outlines a series of “immediate actions” companies should take to reduce the risk of operational interference resulting from cyberattack. Unlike the bulletin issued by the Department of Homeland Security in January 2020, which warned of potential attacks by Iran in retaliation for the United States’ killing of Major General Qasem Soleimani, the recent jointly issued alert does not identify any specific individual or nation-state actor. Instead, the alert acknowledges, only in general terms, that this is a “time of heightened tensions.”
The alert identifies types of cyberattack activity recently observed, including spearphishing, use of commonly used ports, and use of vendor engineering software and program downloads. It then provides a detailed list of specific actions that companies should take, grouped under these broad operational areas:
- Have a resilience plan for operational technology (“OT”);
- Exercise your incident response plan;
- Harden your network;
- Create an accurate “as-operated” OT network map immediately;
- Understand and evaluate cyber-risk on “as-operated” OT assets; and
- Implement a continuous and vigilant system monitoring program.
In the energy space, owners of critical infrastructure assets have seen an unprecedented uptick in recent years in hacking and phishing attempts, including denial of service (“DoS”) attacks, some of which have exploited vulnerabilities in an entity’s perimeter firewalls. In a DoS attack, an attacker (in the distributed form, many compromised systems at once) floods a targeted system, usually one or more of its internet-facing servers, with more traffic than it can handle, disrupting service with the goal of rendering it unavailable to its intended users. A DoS attack on the communications path to a generation facility could leave the grid operator without visibility for a prolonged period into power operations generating hundreds of megawatts of electricity. The inability to monitor and manage power availability in real time raises the possibility of outages or blackouts. Most such attacks are smaller in scale, primarily aimed at disrupting communications, and have not resulted in any serious disruptions to service. High-profile events in Saudi Arabia (2017), Ukraine (2015, 2016), and South Korea (2014) demonstrate, however, that such serious disruption is possible.
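The flood pattern described above is the kind of thing the alert’s “continuous and vigilant” monitoring is meant to catch. The following is an added illustration, not code from the CISA/NSA alert or from this article, of a simple rate-based detector run over flow records: it raises an alert when one destination port receives far more connections inside a short window than its baseline, and distinguishes a distributed flood (many distinct sources) from a single noisy host. The record format, the thresholds, and the sample records (built inline, using documentation IP ranges) are all assumptions chosen for the example.

```python
"""Rate-based flood detector over constructed flow records.

Added example: not part of the CISA/NSA alert or the article above.
The Flow record layout, the thresholds and the sample traffic are
assumptions made for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since epoch (assumed field)
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


# Tunables (assumed values; a real deployment would derive them from a baseline)
WINDOW_SECONDS = 10.0        # sliding window length
MAX_FLOWS_PER_WINDOW = 50    # more than this to one dst:port is abnormal
MIN_DISTINCT_SOURCES = 20    # at or above this many sources => distributed


def detect_floods(flows, window=WINDOW_SECONDS,
                  max_flows=MAX_FLOWS_PER_WINDOW,
                  min_sources=MIN_DISTINCT_SOURCES):
    """Return one alert per (dst, dport) whose flow count in any sliding
    window exceeds max_flows.

    Each alert is a tuple:
      (dst, dport, trigger_ts, flows_in_window, distinct_sources, kind)
    where kind is "distributed_flood" or "single_source_flood".
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    windows = defaultdict(deque)   # (dst, dport) -> flows inside the window
    alerted = set()                # alert only once per target
    alerts = []
    for f in ordered:
        key = (f.dst, f.dport)
        q = windows[key]
        q.append(f)
        # Drop records that have aged out of the window.
        while q and f.ts - q[0].ts > window:
            q.popleft()
        if len(q) > max_flows and key not in alerted:
            sources = {x.src for x in q}
            kind = ("distributed_flood" if len(sources) >= min_sources
                    else "single_source_flood")
            alerts.append((f.dst, f.dport, f.ts, len(q), len(sources), kind))
            alerted.add(key)
    return alerts


def sample_flows():
    """Constructed traffic: benign polling, a distributed flood, and a
    single-host flood. Addresses come from RFC 5737 documentation ranges."""
    flows = []
    # Benign: one operator workstation polls an HMI web server every 2 s.
    for i in range(30):
        flows.append(Flow(1000.0 + 2.0 * i, "10.0.1.5", "10.0.2.10", 443))
    # Distributed flood: 60 sources hit the perimeter firewall in ~5 s.
    for i in range(60):
        flows.append(Flow(2000.0 + i * 0.08, f"198.51.100.{i + 1}",
                          "203.0.113.1", 443))
    # Single-source flood: one internal host hammers the historian in ~5 s.
    for i in range(60):
        flows.append(Flow(3000.0 + i * 0.08, "10.0.3.77", "10.0.2.20", 1433))
    return flows


if __name__ == "__main__":
    for alert in detect_floods(sample_flows()):
        dst, dport, ts, count, nsrc, kind = alert
        print(f"{kind}: {dst}:{dport} {count} flows from {nsrc} sources "
              f"at t={ts:.1f}")
```

The benign poller never accumulates more than a handful of flows inside a ten-second window, so it produces nothing; the two floods each trigger exactly once, on the 51st flow, and are labelled by how many distinct sources were involved. In practice the thresholds would be set per asset from observed baselines, and the single-source case would be checked against maintenance and backup schedules before being treated as hostile.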
The joint alert underscores the continued vulnerability of critical infrastructure to cyberattack and the need for, as stated in the alert, “continuous and vigilant monitoring” in an effort to prevent significant disruption to the nation’s bulk power supply.