When the term “critical infrastructure” is mentioned in conversation, thoughts immediately turn to things like electrical power plants, oil and gas pipelines, food, water, etc. You know, the foundational services of modern life that we all take for granted. These are the same industries that former Defense Secretary Leon Panetta was referring to when he warned of the possibility of a “cyber-Pearl Harbor” back in 2012. Panetta stated:
"An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical (railroad) switches…they could derail passenger trains or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country."
While some experts dismiss the concept of a cyber-Pearl Harbor, few would argue that U.S. critical infrastructure organizations are under attack. According to ESG research, 68% of critical infrastructure organizations have experienced one or several security incidents over the past two years and many of these events led to the disruption of critical applications, business processes, or operations (note: I am an ESG analyst).
Given this risk, you’d think that critical infrastructure organizations would do all they can to harden their IT and operational technology infrastructure and only buy products and services from vendors that take cybersecurity seriously. Unfortunately, this doesn’t appear to be the case. According to ESG research, an astonishing 58% of critical infrastructure organization use products or services from IT vendors whose products and/or services come with some types of security risk.
What types of security risks? Product issues like a lack of stringent security testing of software code that could lead to extremely buggy and vulnerable software. As for process issues, think of IT vendors with negligent physical security, no background checks for employees, no cybersecurity training for software developers and field engineers, informal patching schedules – you get the picture.
Holy cow! Why would more than half of critical infrastructure organizations still purchase and deploy products and services that they believe are insecure? Based upon our research, I think this behavior is driven by factors like:
- Haphazard vendor auditing. Most critical infrastructure organizations do audit the security of their strategic IT vendors, but they do so on an informal and inconsistent basis. They also base their audit process on point-in-time paper-based audit forms (typically issued on an annual basis) rather than any type of real-time analysis. This means that once a vendor actually “passes” a security audit, critical infrastructure organizations have no visibility into their cybersecurity status for a year’s time. This ain’t exactly continuous monitoring. (Note that new intelligence vendors like BitSight and SecurityScorecard are designed to bridge this gap by providing real-time intelligence for activities like IT vendor risk management.)
- A chasm between cybersecurity and purchasing managers. Remarkably, only 51% of critical infrastructure organizations have formal processes for procurement that includes cybersecurity metrics for IT vendors. This means that purchasing managers have the discretion to buy products and services from IT vendors that actually fail their security audits. Yikes!
- A business-first mentality. When it comes to new business processes or leading-edge applications, cybersecurity still takes a back seat to feature/functionality and speed of deployment. Yeah, I get it – this mindset has existed throughout the history of IT. Nevertheless, it’s simply incredible to me that many critical infrastructure organizations continue to eschew IT risk in spite of the volume and sophistication of modern cyber-attacks.
As a cybersecurity professional, I work in Washington a fair bit, so I certainly understand why anyone would be reluctant to see new types of cybersecurity legislation imposed on the U.S. critical infrastructure by dysfunctional and relatively ignorant government bodies. That said, ESG research reveals that the firms providing us with electricity, fuel, food, and water continue to make risky bets on IT security that could really make our lives miserable if International relations get increasingly ugly. It seems to me that a sober, intelligent, and comprehensive dialogue on cybersecurity legislation is certainly warranted here.
Want to know more about cyber supply chain issues in the U.S. critical infrastructure? The report is available for free download here.