Grid Security – Who’s Responsible??

It is not the federal government that is responsible for the cyber defense of critical infrastructure.  That responsibility falls on the critical infrastructure operators themselves, and most are not equipped for the fight.  Cyber threats to the United States' critical infrastructure are on the rise.  On 31 January 2024, FBI Director Christopher Wray testified before Congress that Chinese government hackers are attempting “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.”  In April 2024, the North American Electric Reliability Corporation (NERC) stated that US power grids are increasingly vulnerable to cyberattacks, with the number of susceptible points in electrical networks growing by about 60 per day, per reporting by Reuters.

These attacks are not confined to the electric grid.  A cyberattack on the water system in Muleshoe, Texas, reported in April 2024, caused a storage tank to overflow; the attack was later attributed to Russian hackers.  Similarly, a 2017 intrusion at the Wolf Creek nuclear power plant in Kansas was traced back to Russian hackers, and in 2013 Iranian hackers gained access to the control system of the Bowman Avenue Dam in New York, a small-town flood-control dam; the sluice gate happened to be offline for maintenance at the time, which is the only reason the intrusion caused no physical damage.[1]

A 2024 analysis by Rand emphasized the importance of a whole-of-nation defense strategy for protecting critical infrastructure.  The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) was created to deliver a broad mission.  CISA states on its website: “We lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.”  But CISA has a narrow charter and limited capacity.  It provides insights and expertise in the form of standards and education, as well as intelligence sharing, to keep operators apprised of current threats and actors.  Both are useful enablers, but the actual defensive operations are conducted solely by the operators.  The risk to critical infrastructure is escalating rapidly, and many operators are ill-equipped to defend themselves independently.  We must reconsider our defense strategy for critical infrastructure, transitioning from an every-company-for-itself approach to a more pragmatic collective defense model.

Consider Energy and Water Critical Infrastructure - To understand the context, note that the private sector owns over 80% of the country’s energy infrastructure, according to CISA.  Per CISA research, the electricity, oil and natural gas sectors comprise 3,273 traditional electric utilities and 1,738 non-utility power producers.  CISA also estimates there are 153,000 public drinking water systems serving 80% of the US population, and 16,000 publicly owned wastewater treatment systems serving 75% of the US population.

These roughly 175,000 individual entities provide essential services for human health and safety, commerce and national defense.  The uncomfortable reality is that each entity is responsible for its own cyber defense.

Why Smaller Operators Are More Vulnerable to Attacks - Critical infrastructure operators vary widely in their defense capabilities.  In my experience, large companies in the utility and oil and gas sectors are sophisticated in their cyber defense, whereas small utilities (electric, gas and water) often struggle.  Why?  Money.  Security budgets scale with company size, so smaller companies have smaller security budgets.  They face the same sophisticated threats as large operators but with far thinner defenses, which makes them both more exposed and more attractive as targets.

To understand the economics of cybersecurity, consider that the average IT budget for mid-sized energy and water operators is about 2% of revenue, according to proprietary research conducted by my firm.  For a $1 billion company, this equates to roughly $20 million per year in IT costs.  Cybersecurity budgets are often 20% of IT budgets for this market segment, translating to $4 million per year.  Much of this $4 million is consumed by fixed overhead costs, executive and team salaries, basic security tools, training, etc., leaving little funding to purchase and operate sophisticated tools needed to defend critical assets against persistent and creative attackers.

Failure Can Cost More Than Money - Cyberattacks can result in high recovery costs and long-term damage.  According to IBM’s 2024 “Cost of a Data Breach Report,” the energy sector has the fifth-highest average data breach cost of all industries, at $5.29 million.  The damage is not just financial.  Attacks on IT assets can result in data loss, destroyed technology and tarnished brands.  Worse, suddenly losing access to the industrial control systems that operate complex machinery can mean losing control of the machines themselves: explosions and fires in gas pipelines, catastrophic damage and outages in electrical utilities, and under- or over-treated water in purification systems, putting customer health and safety at risk.

The Government Doesn’t Really Defend Cyber Critical Infrastructure - You might ask, “Can’t the government fully defend critical infrastructure on its own?”  Unfortunately, the answer is, “Not really.”  Despite the significant risks to society, the protection of critical infrastructure falls primarily on the roughly 175,000 public and private operators.  The US government (USG) cannot and will not fully defend individual assets, for several reasons.  As General Michael Hayden, the former director of the NSA and CIA, put it, “The cavalry ain’t coming.”  Critical infrastructure operators are responsible for their own defense.

No USG department or agency has the charter and capacity to defend cyber assets the way the Department of Defense defends the physical homeland.  The FBI investigates cybercrimes after they occur, and the NSA gathers intelligence, but for the benefit of the USG itself.  The DHS has a significant role in defending critical infrastructure, but that role is shared with other federal, state and local entities and is focused mostly on defense against physical rather than cyber attacks.  CISA, created under the DHS in 2018, helps with cyber defense, but its activities are heavily focused on standards, information sharing and the overall enablement of civilian self-defense.  Even if the USG wanted to provide robust cyber defense, the Fourth and Fifth Amendments pose significant challenges.  The Fourth Amendment protects against unreasonable searches and seizures, meaning the USG cannot defend a company’s critical assets without that company’s approval.  There are two primary barriers here.  First, the USG would need the approval of thousands of operators, an untenable administrative morass.  Second, asset operators are likely to be wary of government involvement in their most critical daily operations.

The Fifth Amendment protects against self-incrimination.  If an operator agreed to allow the USG to protect its assets, it would need to release detailed information about its operations, which could result in inadvertent self-incrimination if confidential information reached the FBI, IRS or SEC.  Moreover, the USG lacks the expertise and scale to defend the entirety of the country’s critical infrastructure.  Each industry is unique and complex, and individual companies are defensive “snowflakes”: no two are the same.  Whether that is the result of unique technologies, physical assets, geographies, regulations or some combination of these factors, the reality is that defending a company’s assets is a bespoke undertaking.  Multiply that by roughly 175,000 operators, and it is a mountainous task.  While the USG has deep technological expertise, it lacks the specific operational expertise needed to defend natural gas compressors, electric grids and water purification plants day to day.

The reality is that small critical infrastructure operators are largely on their own, and it is up to them to determine how to defend themselves.  The government can provide information sharing, investment incentives and other traditional services, but the day-to-day defense of assets rests solely on the operators.

Critical Infrastructure Operators Must Defend Themselves - In the words of General Hayden, “The cavalry ain’t coming.”  While this may surprise some, it is important to accept the stark reality that no government entity can or will defend critical energy and water systems.  That responsibility falls to the operators themselves.  But what if many are not equipped to do so?  I’ll explore that in my next piece.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.forbes.com/councils/forbestechcouncil/2024/10/14/cyber-defense-of-critical-infrastructure-who-is-responsible/
