This blog is contributed by guest author Joy Ditto. Joy is an influential leader in the power industry and is a strategic advisor to Industrial Defender.
As we begin a new year, pundits and experts across the cybersecurity landscape are making predictions. What trends are likely in 2024 for protecting critical infrastructure and information from compromise? Where and how are new threats emerging? Which known (persistent) threats are of most concern, and where are they originating?
Making predictions requires looking back and analyzing past actions, threats, and situations. Case in point, the National Security Agency’s (NSA) Cybersecurity Directorate recently released its 2023 Cybersecurity Year in Review, in which it highlights significant actions it took to enhance cybersecurity in the past year. According to Rob Joyce, Director of NSA Cybersecurity (I have bolded some points of interest):
“The NSA Cybersecurity Directorate was established with the intention of connecting to industry and other partners. […] Working with industry and international partners, we identified indicators of compromise associated with a People’s Republic of China (PRC) state-sponsored cyber actor using living off the land techniques -- using built-in network tools to evade defenses without leaving a trace -- to target networks across U.S. critical infrastructure. We benefitted from multiple private sector entities to better understand this threat and released guidance to help network defenders hunt and detect this type of malicious activity on their systems and critical networks. Working with partner agencies also allowed us to identify a sophisticated Russian cyberespionage Snake malware tool being used in over 50 countries worldwide. Together, we attributed Snake operations to a known unit within Center 16 of Russia’s Federal Security Service.”
“One emerging threat – and opportunity – is Artificial Intelligence (AI). […] NSA’s recently established Artificial Intelligence Security Center within our Cybersecurity Collaboration Center is the Agency’s new focal point to apply the unique insights from NSA signals intelligence and technological expertise, while collaborating with industry to help industry counterparts understand, prevent, and mitigate – threats in the AI ecosystem. […] We also made progress in the marathon to transition to quantum-resistant cryptography to protect our networks. […] In the end, these significant outcomes are powered by the folks at NSA and our partner organizations who innovate, come up with brilliant ideas, and act on them with urgency to secure our Nation and our partners now and in the future.”
(From “A Letter from the NSA Cybersecurity Director” in NSA Cybersecurity Year in Review (pg.4). Retrieved from https://media.defense.gov/2023/Dec/19/2003362479/-1/-1/0/NSA%202023%20Cybersecurity%20Year%20In%20Review.PDF)
Just in this overview by Director Joyce, I note four major government focal areas which, in turn, impact critical infrastructure, including the electric sector.
1) Through an expanded Cybersecurity Collaboration Center (CCC), NSA is interfacing with other agencies beyond the traditional intelligence community, including the Department of Energy, and with certain sectors. While primarily focused on the Defense Industrial Base, the CCC also includes a number of solution providers such as cloud-based services, incident response firms, content delivery networks, operational technology security firms, threat intelligence entities, network security providers, internet service providers, and endpoint protection vendors. Many of these entities also provide their services to electric sector owners and operators, while threat intelligence entities such as the Electricity Information Sharing and Analysis Center (E-ISAC) and the Multi-State ISAC (MS-ISAC) engage bidirectionally with the sector.
This enhanced work relates to the first question I asked at the outset: what trends help us mitigate threats against critical infrastructure sectors? Certainly, the NSA’s focus on expanding its collaboration and partnerships is intended to mitigate such threats. And I like NSA’s acknowledgment throughout the report that the private (non-federal government) sector, which owns the vast majority of our critical infrastructure, has proved extremely helpful in identifying and troubleshooting problems. The only issue I see with the CCC is that it is yet another place to “be.” Meaning, the sector has to ensure that people are in the room (the E-ISAC, for example) and then that whatever information is shared can be disseminated in an actionable way. This is on top of the several other places in the federal government where industry is expected to engage, or should engage given what is being done and discussed in these forums: for example, the Department of Energy’s Energy Threat Analysis Center (ETAC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC), and the National Cybersecurity and Communications Integration Center (NCCIC), among others.
It also matters that whoever else is in the room beyond the E-ISAC as a representative of the electric sector represents the sector accurately, so as to be helpful rather than unintentionally harmful. What I mean by this is that the sector is complex and diverse and, if not fully understood, could create confusion either in threat mitigation or in a crisis/response situation. It is important for cyber experts at utilities to work with the E-ISAC, trade associations, each other, and trusted vendors to ensure that the geographic, size, and business model diversity inherent in our sector is well represented in these spaces.
2) Persistent threats continue, especially from nation states. In addition to the usual actors, we also see news of emerging threats and of increased targeting of water utilities, using tools and components developed in other nations. Despite some recent media reports that seemed to imply this is a new phenomenon, nation states have long targeted and infiltrated critical infrastructure of all types and via many different pathways, requiring ongoing vigilance to detect and mitigate these stealthy attacks. A recent nation-state infiltration used existing pathways and configurations within U.S. systems to get in and then evade identification and capture, but the effort was discovered through vigilance by both government cybersecurity professionals and those in the private sector. There was also foreign-developed malware that was bolder, and one could speculate that this boldness led to its eventual detection across the globe, highlighting the importance of strategic collaboration with our allies. No doubt these bad actors will keep trying to infiltrate our defenses and critical infrastructure in 2024. Regardless of where the particular nation state or attacker hails from, the bottom line is the need for ongoing vigilance and commitment to protecting our nation’s critical infrastructure.
3) The pros and cons of AI are acknowledged in the report. Just as the downside of digitalization (data delivered over communications networks that interacts with critical infrastructure via industrial control systems, sensors, etc.) is the need to protect those communications networks from bad actors, AI carries a downside of its own. For example, on the one hand, AI could enable near-instantaneous remediation of an identified cyber vulnerability, while on the other hand it could create just such a vulnerability. The work being done with the public communications sector and the owners of private communications networks to secure the networks themselves (5G, in particular) and cloud services is heartening. This is an evolving field on both sides of the coin, and I am positive much more is to come in 2024. On a related subject, the development of a “cryptanalytically relevant quantum computer” could uncover our national secrets. NSA is working to ensure that potential threat is mitigated before the full capability is reached. “Protecting the protection,” as it were.
4) OT environments need ongoing prioritization. On page 18 of the report, NSA notes: “To that end, NSA released a repository for OT intrusion detection signatures and analytics to the NSA CyberGitHub. The capability, known as ELITEWOLF, can enable defenders of critical infrastructure, the defense industrial base, and national security systems to identify and detect potentially malicious cyber activity in their OT environments.” This goes directly to the need for strong, ongoing cyber asset management: when NSA identifies potential threats of this kind, electric utilities (and other critical infrastructure sectors) need to know where to look for them, when changes have been made to their assets, and what to do to mitigate if needed. That holds at least for those with the resources and technology to truly utilize ELITEWOLF or similar offerings from other agencies and entities.
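To make the asset-management point concrete, here is an added example (not from the original post, and not ELITEWOLF content) of the kind of triage a utility can run when a new batch of OT detection signatures lands: compare the current discovered inventory against the last approved baseline, work out which assets each signature actually applies to, and flag the assets that are both in scope for a signature and have drifted since the baseline. The inventory, scan results, signature metadata, and the `HYPO-` signature identifiers are all constructed for illustration.

```python
"""Map newly released OT detection signatures to the assets they apply to,
and flag inventory drift since the last approved baseline.

Hypothetical example: the inventory, scan results and signature metadata
below are constructed for illustration and are not ELITEWOLF content.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Asset:
    asset_id: str
    vendor: str
    protocol: str   # e.g. "s7comm", "modbus", "dnp3"
    ip: str
    firmware: str
    zone: str       # zone label maintained by the utility


# Constructed baseline inventory (what the utility believed was deployed).
BASELINE = [
    Asset("PLC-01", "Siemens", "s7comm", "10.10.1.11", "4.2.1", "L1-substation-A"),
    Asset("PLC-02", "Siemens", "s7comm", "10.10.1.12", "4.2.1", "L1-substation-A"),
    Asset("RTU-07", "SEL", "dnp3", "10.10.2.7", "R105", "L1-substation-B"),
    Asset("HMI-01", "GenericHMI", "modbus", "10.10.3.1", "9.0", "L2-control-room"),
]

# Constructed result of a later passive-discovery scan: PLC-02 has a new
# firmware version, PLC-09 appeared without a change record, HMI-01 is gone.
CURRENT = [
    Asset("PLC-01", "Siemens", "s7comm", "10.10.1.11", "4.2.1", "L1-substation-A"),
    Asset("PLC-02", "Siemens", "s7comm", "10.10.1.12", "4.2.3", "L1-substation-A"),
    Asset("RTU-07", "SEL", "dnp3", "10.10.2.7", "R105", "L1-substation-B"),
    Asset("PLC-09", "Siemens", "s7comm", "10.10.1.19", "4.2.1", "L1-substation-A"),
]

# Constructed signature metadata: the vendor/protocol each rule targets.
# A vendor of None means the rule is protocol-wide.
SIGNATURES = [
    {"sid": "HYPO-1001", "name": "S7comm stop-CPU request", "vendor": "Siemens", "protocol": "s7comm"},
    {"sid": "HYPO-1002", "name": "DNP3 cold restart", "vendor": None, "protocol": "dnp3"},
    {"sid": "HYPO-1003", "name": "Modbus write multiple coils", "vendor": None, "protocol": "modbus"},
]


def diff_inventory(baseline, current):
    """Return added/removed asset ids and per-field changes for shared ids."""
    base = {a.asset_id: a for a in baseline}
    cur = {a.asset_id: a for a in current}
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = {}
    for aid in sorted(set(base) & set(cur)):
        b, c = asdict(base[aid]), asdict(cur[aid])
        delta = {k: (b[k], c[k]) for k in b if b[k] != c[k]}
        if delta:
            changed[aid] = delta
    return {"added": added, "removed": removed, "changed": changed}


def assets_in_scope(signatures, inventory):
    """For each signature, list the asset ids it can plausibly fire on."""
    scope = {}
    for sig in signatures:
        ids = [a.asset_id for a in inventory
               if a.protocol == sig["protocol"]
               and (sig["vendor"] is None or a.vendor == sig["vendor"])]
        scope[sig["sid"]] = sorted(ids)
    return scope


def triage(signatures, baseline, current):
    """Combine drift and scope: assets to review first are those a new
    signature covers that also changed or appeared since the baseline."""
    drift = diff_inventory(baseline, current)
    scope = assets_in_scope(signatures, current)
    review_first = {
        sid: [a for a in ids if a in drift["added"] or a in drift["changed"]]
        for sid, ids in scope.items()
    }
    return {"drift": drift, "scope": scope, "review_first": review_first}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNATURES, BASELINE, CURRENT), indent=2))
```

Two things fall out of running it on the constructed data. First, the S7comm signature is in scope for the unplanned PLC-09 and the re-flashed PLC-02, so those are the assets to check (and the ones whose change records to reconcile) before trusting any alert or absence of alerts. Second, the Modbus signature has no asset in scope at all, not because nothing runs Modbus but because HMI-01 dropped out of the inventory; an empty scope for a signature you expected to matter is itself a finding about the inventory, not about the signature.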
In conclusion, the past is prologue, always. What happened in 2023 in these four areas will continue to be relevant, at least at the macro level, into 2024 and beyond. Two of the four, items 2 and 4, have been front and center for at least 15 years, but with a strong evolution in prevention, detection, and mitigation on the part of both the private sector and the government. The increased focus on collaboration described under item 1 has evolved and is very robust in certain sectors, but I have seen much more focus on it by the “three-letter agencies” in recent years. That is heartening for critical infrastructure in many ways, but it is also important that these same agencies truly understand these complex sectors, especially electricity and others where an entity might in fact fall under multiple critical infrastructure sectors. Hence the need for agencies like DOE to be involved at all levels and for well-informed industry representatives to be in the room as well. The emerging areas of AI and quantum computing are going to take up a lot of time in 2024, as they should, but the electric sector must balance that focus with prioritizing our fundamentals, like continuing to secure our OT environments.
Finally, other fundamental cyber issues will continue into 2024, such as cyber supply chain security, protecting against insider threats, maintaining the basics of cyber hygiene as laid out in the standards and models developed by NERC and NIST, and continuing to ensure the physical security of our digital/cyber assets. We need to keep up with these “old” threats and challenges while tackling the new in 2024.