At Black Hat USA 2023, Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Victor Zhora, Deputy Chairman and Chief Digital Transformation Officer of the State Service of Special Communication and Information Protection of Ukraine, gave a joint presentation on the need for resilience.
Key to their discussion was not just strong cyber defenses, but building out resilience to continue to operate critical systems in the face of disruption. Ukraine has withstood attacks better than many expected at the start of the war — much of that is their resilience of spirit, feelings of unity and the Ukrainians’ unwillingness to give up. But another part of that is their cyber resilience. While the scale of this war has shocked the world, this was not the first time Ukraine has been under attack, and they have learned how to build resilient systems because of earlier attacks when the stakes were lower.
The best cyber defenses will only go so far against a motivated attacker. And as Ukraine has shown, cyberattacks are not the only way to take down critical infrastructure. But focusing just on cyber for a moment, an attack like the ransomware attack on Colonial Pipeline, which was relatively minor in sophistication, was able to have a major impact on the U.S. Ukraine, having seen far worse attacks over the last eight years, has built out critical systems to allow for fast restoration and/or manual workarounds where necessary.
Easterly points out that the U.S. needs to do a better job of building out resiliency, anticipating that disruptions will occur and planning (and practicing) for how to respond.
Engineers of critical infrastructure such as power and other utilities should be thinking along the same lines. Security leaders need to move away from trying to maintain fragile, aging infrastructure and instead create a new model for building this infrastructure under the assumption that cyber attacks will happen. Forcing the engineers of these systems to think through how they would bring an electrical grid back up if they were locked out of automated control systems will go much farther if they know that it is not simply a theoretical event. And it’s not — there are already reports of China prepositioning itself in parts of the U.S. electrical grid. This is a very real example of a clear and present danger.
Easterly is not the first to warn of this need for stronger resilience, and while the U.S. does get a little bit better each time something happens, she is correct that it is not yet where it needs to be. Thankfully the U.S. has not been hit with full-scale attacks the way Ukraine has, but it should not wait until one happens to figure out how to respond in the face of such a disruption.
In cybersecurity, a common mindset is to “assume breach,” building out security systems with an assumption that an attacker has already made their way into them. Security leaders need to do a better job of this for critical physical systems as well, especially as they become increasingly interconnected with IT systems. It’s time to make sure cyber-physical systems are built with that knowledge in mind.