Our water, health, and energy systems are increasingly vulnerable to cyberattack.
Now, when tensions escalate â like when the US bombed nuclear facilities in Iran this month â the safety of these systems becomes of paramount concern. If conflict erupts, we can expect it to be a âhybridâ battle, Joshua Corman, executive in residence for public safety & resilience at the Institute for Security and Technology (IST), tells The Verge.
âWith great connectivity comes great responsibility.â
Battlefields now extend into the digital world, which in turn makes critical infrastructure in the real world a target. I first reached out to IST for their expertise on this issue back in 2021, when a ransomware attack forced the Colonial Pipeline â a major artery transporting nearly half of the east coastâs fuel supply â offline for nearly a week. Since then, The Verge has also covered an uptick in cyberattacks against community water systems in the US, and Americaâs attempts to thwart assaults supported by other governments.
Itâs not time to panic, Corman reassures me. But it is important to reevaluate how we safeguard hospitals, water supplies, and other lifelines from cyberattack. There happen to be analog solutions that rely more on physical engineering than putting up cyber firewalls.
This interview has been edited for length and clarity.
As someone who works on cybersecurity for water and wastewater, healthcare, food supply chains, and power systems â what keeps you up at night?
Oh, boy. When you look across what we designate as lifeline critical functions, the basic human needs â water, shelter, safety â those are among some of our most exposed and underprepared. With great connectivity comes great responsibility. And while weâre struggling to protect credit card cards or websites or data, we continue to add software and connectivity to lifeline infrastructure like water and power and hospitals.
We were always prey. We were just kind of surviving at the appetite of our predators, and theyâre getting more aggressive.
How vulnerable are these systems in the US?
You might have seen the uptick in ransomware starting in 2016. Hospitals very quickly became the number one preferred target of ransomware because theyâre what I call âtarget rich, but cyber poor.â The unavailability of their service is pretty dire, so the unavailability can be monetized very easily.
You have this kind of asymmetry and unmitigated feeding-frenzy, where itâs attractive and easy to attack these lifeline functions. But itâs incredibly difficult to get staff, resources, training, budget, to defend these lifeline functions.
If youâre a small, rural water facility, you donât have any cybersecurity budget. We often usher platitudes of âjust do best practices, just do the NIST framework.â But they canât even stop using end of life, unsupported technology with hard-coded passwords.
âYou have this kind of asymmetry and unmitigated feeding-frenzyâ
Itâs about 85 percent of the owners and operators of these lifeline critical infrastructure entities that are target rich and cyber poor.
Take water systems, for example. Volt Typhoon has been found successfully compromising US water facilities and other lifeline service functions, and itâs sitting there in wait, prepositioning. [Editorâs note: Volt Typhoon is a Peopleâs Republic of China state-sponsored cyber group]
China specifically has intentions toward Taiwan as early as 2027. They basically would like the US to stay out of their intentions toward Taiwan. And if we donât, theyâre willing to disrupt and destroy parts of these very exposed, very prone facilities. The overwhelming majority donât have a single cybersecurity person, havenât heard of Volt Typhoon, let alone know if and how they should defend themselves. Nor do they have the budget to do so.
Turning to recent news and the escalation with Iran, is there anything that is more vulnerable at this moment? Are there any unique risks that Iran poses to the US?
Whether itâs Russia or Iran or China, all of them have shown they are willing and able to reach out to water facilities, power grids, hospitals, etc. I am most concerned about water. No water means no hospital in about four hours. Any loss of pressure to the hospitalâs pressure zone means no fire suppression, no surgical scrubbing, no sanitation, no hydration.
What we have is increasing exposure that we volunteered into with smart, connected infrastructure. We want the benefit, but we havenât paid the price tag yet. And that was okay when this was mostly criminal activity. But now that these points of access can be used in weapons of war, you could see pretty severe disruption in civilian infrastructure.
Now, just because you can hit it doesnât mean you will hit it, right? Iâm not encouraging panic at the moment over Iran. I think theyâre quite busy, and if theyâre going to use those cyber capabilities, itâs a safer assumption they would first use them on Israel.
Different predators have different appetites, and prey, and motives.
Sometimes itâs called access brokering, where theyâre looking for a compromise and they lay in wait for years. Like in critical infrastructure, people donât upgrade their equipment, they use very old things. If you believe that youâll have that access for a long time, you can sit on it and wait patiently until the time and the place of your choosing.
Think of this a little bit like Star Wars. The thermal exhaust port on the Death Star is the weak part. If you hit it, you do a lot of damage. We have a lot of thermal exhaust ports all over water and healthcare specifically.
What needs to be done now to mitigate these vulnerabilities?
Weâre encouraging something called cyber-informed engineering.
What weâve found is if a water facility is compromised, abrupt changes in water pressure can lead to a very forceful and damaging surge of water pressure that could burst pipes. If you were to burst the water main for a hospital, there would be no water pressure to the hospital. So if you wanted to say, âletâs make sure the Chinese military canât compromise the water facility,â youâd have to do quite a bit of cybersecurity or disconnect it.
What weâre encouraging instead, is something much more familiar, practical. Just like in your house, you have a circuit breaker, so if thereâs too much voltage you flip a switch instead of burning the house down. We have the equivalent of circuit breakers for water, which are maybe $2,000, maybe under $10,000. They can detect a surge in pressure and shut off the pumps to prevent physical damage. Weâre looking for analog, physical engineering mitigation.
âThink of this a little bit like Star Wars.â
If you want to reduce the likelihood of compromise, you add cybersecurity. But if you want to reduce the consequences of compromise, you add engineering.
If the worst consequences would be a physically damaging attack, we want to take practical steps that are affordable and familiar. Water plants donât know cyber, but they do know engineering. And if we can meet them on their turf and help explain to them the consequences and then co-create affordable, realistic, temporary mitigations, we can survive long enough to invest properly in cybersecurity later.
Federal agencies under the Trump administration have faced budget and staffing cuts, does that lead to greater vulnerabilities as well? How does that affect the security of our critical infrastructure?
Independent of peopleâs individual politics, there was an executive order from the White House in March that shifts more of the balance of power and responsibility to states to protect themselves, for cybersecurity resilience. And itâs very unfortunate timing given the context weâre in and that it would take time to do this safely and effectively.
I think, without malice, there has been a confluence of other contributing factors making the situation worse. Some of the budget cuts in CISA, which is the national coordinator across these sectors, is not great. The Multi-State Information Sharing and Analysis Center is a key resource for helping the states serve themselves, and that too lost its funding. And as of yet, the Senate has not confirmed a CISA director.
We should be increasing our public private partnerships, our federal and state level partnerships and there seems to be bipartisan agreement on that. And yet, across the board, the EPA, Health and Human Services, Department of Energy and CISA have suffered significant reduction in budget and staff and leadership. Thereâs still time to correct that, but we are burning daylight on what I see as a very small amount of time to form the plan, to communicate the plan, and execute the plan.
Whether we want this or not, more responsibility for cyber resilience and defense and critical functions is falling to the states, to the counties, to the towns, to individuals. Now is the time to get educated and there is a constellation of nonprofit and civil society efforts â one of them is the good work weâre doing with this Undisruptable27.org, but we also participate in a larger group called Cyber Civil Defense. And we recently launched a group called the Cyber Resilience Corps, which is a platform for anyone who wants to volunteer to help with cybersecurity for small, medium, rural, or lifeline services. Itâs also a place for people to find and request these volunteers. Weâre trying to reduce the friction of asking for help and finding help.
I think this is one of those moments in history where we want and need more from governments, but cavalry isnât coming. Itâs going to fall to us.
Read the full article here
