Mounir Hahad is head of Juniper Threat Labs, the organization at Juniper Networks identifying and tracking malicious threats in the wild and ensuring Juniper products implement effective detection techniques. David Mihelcic is federal chief technology and strategy officer for Juniper Networks, supporting the company’s federal sales, engineering and operations teams. Prior to joining Juniper, David spent 18 years with the Defense Information Systems Agency.
What would you say are some of the biggest threats to our nation’s critical infrastructure?
Mihelcic: The fact that many critical infrastructure security systems rely on legacy systems is certainly one of the biggest threats. In many cases, systems that were never designed to be networked have now been connected to the internet for monitoring and control. These systems were not designed with cybersecurity in mind and can have gaping holes exposed to anyone on the internet. Combine this with the fact that many systems do not have support to patch identified vulnerabilities and we have a recipe for disaster.
Hahad: I would agree. There are two types of systems that connect our critical infrastructure to the digital world: Internet Protocol systems that connect monitoring and control systems to the rest of the IT network, and the industrial systems that connect the sensors and actuators to the Operational Technology (OT) networks. When either of these is a legacy system that lacks cybersecurity resilience, it creates a potential attack surface for a threat actor. If we’re using systems that are outdated, with known unpatched vulnerabilities, untrained staff in cybersecurity, or subpar network security products, our critical infrastructure will be that much more at risk of compromise.
Threats to our nation’s critical infrastructure could take many forms – what do you think are the most worrisome?
Hahad: The most worrisome forms of cyberattacks are the ones that end up impacting our physical world, or could lead to loss of human life: for instance, destroying components of an electrical grid to the point of causing blackouts for hospitals or disrupting heating in cold climate areas.
Mihelcic: Certainly, anything that affects public safety is worrisome. This includes everything from air traffic control to food safety management.
What approach do we need to take to manage and reduce these threats effectively?
Mihelcic: We have to understand the installed base of public safety systems, map them, explore their attack surfaces, mitigate the most critical vulnerabilities discovered and ensure organizations and individuals responsible for ongoing cybersecurity are identified and held accountable.
Hahad: The first steps towards mitigating cyberattacks is to employ basic networking hygiene rules: Patch systems as quickly as possible, segment networks, apply least privilege access rights, back up systems regularly and invest in threat detection, in addition to prevention.
Are there particular critical infrastructure sectors that you think are most at risk?
Mihelcic: I am most concerned about older systems – such as power, water and manufacturing – that were developed and installed before cybersecurity was a major concern. We should move quickly to understand the older systems, identify vulnerabilities, triage them and establish an ongoing effort to secure them.
Hahad: Yes, absolutely. Cyber threat actors who go after critical infrastructure typically tend to map out opportunities based on their security posture and potential impact. They will target whichever infrastructure seems the least prepared for an attack, and which will give them strong leverage due to the potential impact of the attack. Fortunately, attacks on infrastructure are akin to an act of war, so unless attribution can be avoided, no nation state threat actor will attempt a real attack on the US. But all will probe, explore, map out and test our capability to defend our infrastructure.
Is there anything the general public can contribute to keep our nation’s critical infrastructure safe?
Hahad: Unfortunately, not really – there are so many points of vulnerability that it’s essentially impossible to prevent. For instance, you can train operators not to click on malicious links, but if their kids do at home and these employees put their phones or laptops on the same home network, it’s a moot point as attacks will move laterally and end up in the power plant.
Mihelcic: I would argue the problem lies less with the general public and more with service providers and elected officials. The public can help by demanding attention from these groups. If we can focus public attention on this issue, we will see resources applied to it and progress will be made. If the public ignores it, the problems will continue to fester.
Are there certain regulations or compliances that should be put in place to ensure critical infrastructure meets a base set of guidelines to keep it secure?
Hahad: Regulations do exist, but they face limitations – there may not be enough willpower to enforce them, budgets to fund them or accountability to give them teeth. One way to solve this would be to institute a federal agency in charge of cybersecurity testing and make sure each critical infrastructure facility is tested on a regular basis and identified gaps are closed within a short period of time. There should be heavy fines for companies that do not close their gaps, and CEOs and boards should be held personally liable for the lack of action.
Mihelcic: Absolutely. A great first step would be to mandate the use of what is already in place, monitor the progress being made and use this as a launch pad to improve continuously. The National Institute of Standards and Technology (NIST) has developed a framework for improving the cybersecurity of critical infrastructure – this is a good start. Another critical regulation step is to establish accountability. As Mounir said, CEOs and boards must also be held accountable for cybersecurity, especially of critical infrastructure.