The central role that cybersecurity plays in critical infrastructure is impossible to ignore. The interconnected systems used to deliver essential services, like power, water, and transportation have increased reliability, predictability, and sustainability, but they also require strong cybersecurity defenses.
The increase in cyber attacks on critical infrastructure in recent years underscores the importance of understanding cyber threats and how to protect against them. Read on to learn more about five types of attacks that threaten critical infrastructure assets, services, and systems, and how to defend against each.
1. Ransomware Attacks
Ransomware is a type of malware that blocks access to the victim’s data, files, or entire systems (typically by encrypting them) unless a ransom is paid. Infrastructure systems are popular targets for this type of attack because hackers know owners and operators are highly motivated to avoid service disruptions.
“The critical nature of…infrastructure…makes it a lucrative target for cybercriminals who see owners as being more likely to pay ransom to avoid disruption.”
Source: “Incentives Are Key to Breaking the Cycle of Cyberattacks on Critical Infrastructure,” Deloitte, March 8, 2022
Ransomware attacks may be motivated by financial gain, but another byproduct is their negative impact on critical system operations. The Colonial Pipeline incident in May 2021, which set off a domino effect of negative impacts across the petroleum and transportation sectors, is a prime example.
How Critical Infrastructure Can Protect Against Ransomware Attacks
Back up your systems frequently, and store backups off the network
Train employees to recognize phishing emails, which are a common way ransomware is delivered
Keep systems updated, which ensures they have the latest security patches
Implement monitoring and detection services that can identify malicious activity
CISA’s Stop Ransomware website also provides guidance on how to protect and defend against ransomware attacks.
2. Distributed Denial of Service (DDoS) Attacks
A denial of service (DoS) attack disrupts access to a website, server, or network by flooding it with traffic and overloading it so it’s no longer accessible. A DDoS attack is a type of DoS attack that uses traffic from many sources, often a botnet of compromised devices, to carry out a larger-scale attack.
Given their growing reliance on interconnected systems and IoT devices, critical infrastructure owners and operators are increasingly susceptible to DDoS attacks and must understand how to defend against them. The cyber attack on several U.S. airports in October 2022, which temporarily shut down access to their websites, is an example of a DDoS attack.
How Critical Infrastructure Can Protect Against DDoS Attacks
Monitor for malicious activity using an intrusion detection system (IDS)
Use dedicated edge network defenses to reduce vulnerability to attack
Consider rate limiting to restrict the number of times an action can be performed
Employ overprovisioning to be able to support unanticipated spikes in traffic
The DDoS fact sheet from CISA provides additional information about DDoS attacks and how to protect against them.
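Rate limiting, listed above as a DDoS mitigation, is easiest to reason about with a concrete policy. The following is an added example, not code from the original article: a per-client token bucket (burst capacity plus a sustained refill rate) run over constructed traffic in which one client bursts 20 requests in 0.2 seconds while another sends one request per second. Client keys, capacities and timestamps are all assumptions chosen for the demonstration.

```python
"""Per-client token-bucket rate limiter (added example, not from the original article)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TokenBucket:
    """A bucket holds up to `capacity` tokens and refills at `refill_per_sec`."""
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float  # timestamp of the last refill, in seconds

    def allow(self, now: float, cost: float = 1.0) -> bool:
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """Keeps one bucket per client key (an IP address, API key or session id)."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            # A new client starts with a full bucket, so legitimate short bursts pass.
            bucket = TokenBucket(self.capacity, self.refill_per_sec, self.capacity, now)
            self.buckets[client] = bucket
        return bucket.allow(now)


def simulate(requests, capacity: float = 5, refill_per_sec: float = 1.0) -> dict[str, tuple[int, int]]:
    """Run (timestamp, client) pairs through a limiter; return {client: (allowed, rejected)}."""
    limiter = RateLimiter(capacity, refill_per_sec)
    counts: dict[str, tuple[int, int]] = {}
    for ts, client in sorted(requests):
        allowed, rejected = counts.get(client, (0, 0))
        if limiter.check(client, ts):
            counts[client] = (allowed + 1, rejected)
        else:
            counts[client] = (allowed, rejected + 1)
    return counts


def demo() -> dict[str, tuple[int, int]]:
    """Constructed traffic: one client bursts 20 requests in 0.2 s, another sends 1 request/s."""
    burst = [(i * 0.01, "burst-client") for i in range(20)]
    steady = [(float(i), "steady-client") for i in range(10)]
    return simulate(burst + steady)


if __name__ == "__main__":
    for client, (ok, dropped) in demo().items():
        print(f"{client}: {ok} allowed, {dropped} rejected")
```

With a capacity of 5 and a refill of one token per second, the bursting client gets its first five requests through and the remaining fifteen are rejected, while the steady client is never throttled. In production the same policy would typically run at the edge (load balancer, reverse proxy or WAF) rather than in application code, and the client key should be something the attacker cannot trivially vary.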
3. Phishing and Spear-Phishing Attacks
Phishing is typically conducted by email or text. The message might prompt recipients to solve a problem by clicking a link that delivers malware, or by providing sensitive data, like their login credentials or a bank account number. Spear phishing is a type of phishing attack that targets a specific individual or organization.
Because the message appears to come from a familiar person or entity, the recipient is often tricked into performing the requested action. Phishing presents a significant threat to all types of organizations, including critical infrastructure, because it is a frequently used and highly effective method of executing other attacks, such as ransomware.
How Critical Infrastructure Can Protect Against Phishing Attacks
Train employees how to identify and avoid phishing scams
Ensure detection signatures and blocklists are up to date
Monitor emails and messages to identify anomalies that could indicate suspicious activity
CISA’s guide to counteracting phishing attacks provides additional guidance on how to protect against phishing.
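The monitoring bullet above (identify anomalies in incoming messages) can be made concrete with a few header checks. The following is an added example, not code from the original article or from CISA: it parses a raw message and flags a sender domain that is one or two edits away from a trusted domain, a Reply-To that diverts replies elsewhere, pressure language in the subject, and a gateway-recorded SPF/DKIM/DMARC failure. The trusted domain, the phrase list and both sample messages are constructed for the demonstration.

```python
"""Header-based phishing triage for a single message (added example, not from the article)."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains this organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"utility-example.com"}
# Phrases that commonly pressure the reader into acting without thinking.
URGENCY_PHRASES = ("urgent", "immediately", "verify your account", "password expires")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains (e.g. one swapped character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> list[str]:
    """Return finding tags for a raw RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Sender domain is one or two edits away from a domain we trust.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and levenshtein(from_domain, trusted) <= 2:
            findings.append("lookalike-domain")
            break

    # 2. Replies would go somewhere other than the apparent sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 3. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        findings.append("urgency-language")

    # 4. The receiving gateway recorded an SPF, DKIM or DMARC failure.
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.IGNORECASE):
        findings.append("auth-fail")

    return findings


# Constructed sample messages; the bodies play no part in these checks.
PHISH = """\
From: IT Helpdesk <helpdesk@utility-examp1e.com>
Reply-To: helpdesk-tickets@mail-example.net
Subject: URGENT: verify your account before access is revoked
Authentication-Results: mx.utility-example.com; spf=fail; dkim=none; dmarc=fail

Your password expires today. Sign in at the link below to keep access.
"""

LEGIT = """\
From: Operations <ops@utility-example.com>
Subject: Weekly maintenance window
Authentication-Results: mx.utility-example.com; spf=pass; dkim=pass; dmarc=pass

Reminder: the substation telemetry gateway reboots Sunday 02:00.
"""

if __name__ == "__main__":
    print("phish:", triage(PHISH))
    print("legit:", triage(LEGIT))
```

None of these checks is conclusive on its own (a legitimate ticketing system may set a different Reply-To, for instance), which is why the function returns every tag rather than a verdict; a mail gateway would combine them with a score threshold, and the lookalike check should be fed the organisation's own domains plus those of key suppliers.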
4. Supply Chain Attacks
A supply chain attack is an indirect attack, in which the attacker exploits a weakness in a supplier’s software or security to gain access to that supplier’s customers and/or disrupt the entire supply chain. Such attacks are particularly damaging because of their potential for widespread impact.
“Organizations are uniquely vulnerable to software supply chain attacks for two major reasons: first, many third-party software products require privileged access; and second, many third-party software products require frequent communication between a vendor’s network and the vendor’s software product located on customer networks.”
Source: Defending Against Software Supply Chain Attacks, Cybersecurity and Infrastructure Security Agency, April 2021
The attack against SolarWinds demonstrates the magnitude of a successful supply chain attack. The attackers deployed malware onto software that was subsequently installed by more than 17,000 customers, including several government agencies. As private owners and operators—as well as third-party services like Amazon Web Services—are increasingly involved in critical infrastructure, the entry points for a supply chain attack have grown exponentially.
How Critical Infrastructure Can Protect Against Supply Chain Attacks
Require strong cybersecurity measures internally and from vendors
Implement MFA to minimize the risk of unauthorized access
Use access controls to govern and restrict access to sensitive resources
Train employees on phishing attacks, which hackers often use to gain access
Defending Against Software Supply Chain Attacks is a publication from CISA that provides additional information on understanding and protecting against supply chain attacks.
5. Insider Threats and Attacks
An insider threat is defined as the use of authorized access by a trusted insider to do harm, whether intentionally or innocently. Insider attacks can be particularly difficult to detect because of the various ways they can happen, including by accident.
Insider threats pose a significant risk to critical infrastructure because of the potential impacts of even an honest mistake, not to mention a highly motivated malicious attack. The threat surface can also be quite large given the number of “insiders” who may have authorized access, which includes employees, as well as contractors, suppliers, and others.
How Critical Infrastructure Can Protect Against Insider Attacks
Invest in training to minimize the potential for human error
Employ user activity monitoring to identify threats and maintain accountability
Restrict unnecessary access to sensitive information using access controls
Ensure access is successfully deprovisioned when employees, suppliers, contractors, and others are no longer authorized to access systems
You’ll find additional guidance about protecting against insider threats in CISA’s Insider Threat Mitigation Guide.
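The deprovisioning bullet above is the one most often missed in practice, because it depends on two systems (HR and identity management) staying in sync. The following is an added example, not code from the original article or from CISA: it reconciles a constructed HR roster against a constructed account export and reports enabled accounts that are orphaned (no roster entry), belong to someone the roster says has left, or have been dormant for longer than a threshold. Column names, the 90-day threshold and all sample rows are assumptions for the demonstration.

```python
"""Access-deprovisioning reconciliation (added example, not from the original article)."""
from __future__ import annotations

import csv
import io
from datetime import date


def reconcile(roster_csv: str, accounts_csv: str, as_of: date,
              dormant_days: int = 90) -> list[tuple[str, str]]:
    """Compare an HR roster with an account export; return sorted (user, reason) pairs.

    Reasons:
      orphaned   - enabled account with no matching roster entry
      terminated - roster marks the person as gone (status or past end_date) but the account is enabled
      dormant    - enabled account with no login for more than `dormant_days`
    """
    roster = {row["user"].strip(): row for row in csv.DictReader(io.StringIO(roster_csv))}
    findings: list[tuple[str, str]] = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        user = acct["user"].strip()
        person = roster.get(user)
        if person is None:
            findings.append((user, "orphaned"))
        else:
            end_date = person.get("end_date", "").strip()
            left = person["status"].strip().lower() != "active" or (
                end_date != "" and date.fromisoformat(end_date) <= as_of
            )
            if left:
                findings.append((user, "terminated"))
        last_login = acct["last_login"].strip()
        # An account that has never logged in counts as dormant as well.
        if not last_login or (as_of - date.fromisoformat(last_login)).days > dormant_days:
            findings.append((user, "dormant"))
    return sorted(findings)


# Constructed HR roster: who is currently authorised and when contracts ended.
ROSTER = """\
user,status,end_date
alice,active,
bob,active,
carol,terminated,2024-03-01
"""

# Constructed identity-system export: what accounts actually exist today.
ACCOUNTS = """\
user,enabled,last_login
alice,true,2024-05-20
bob,true,2024-01-10
carol,true,2024-05-15
dave,true,2024-05-30
erin,false,2023-12-01
"""


def demo() -> list[tuple[str, str]]:
    """Run the reconciliation as of a fixed date so the result is reproducible."""
    return reconcile(ROSTER, ACCOUNTS, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    for user, reason in demo():
        print(f"{user}: {reason}")
```

Run against these rows, bob is flagged as dormant, carol as terminated but still enabled, and dave as an orphan with no roster entry; alice is fine and erin is skipped because the account is already disabled. Scheduling this comparison and treating each finding as a ticket to disable or re-approve the account closes the gap between an HR event and the identity system that the bullet above describes.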
How Outdated Systems Increase Critical Infrastructure Cybersecurity Risks
If you’re still maintaining on-premises software or paper-based systems, you could be unknowingly increasing your cybersecurity risks.
Continuing to use paper-based systems may feel like a safe bet. But what if you’re the victim of an insider attack or other theft of information? How will you retrieve critical information if you’re relying predominantly on paper records?
On-premises software is a step up, but it also limits your ability to support recommended cybersecurity measures like MFA and access control. On-premises software is also notoriously difficult to keep updated, which can leave you exposed if security patches haven’t been installed. The risks are even greater for critical infrastructure owners and operators, whose on-premises systems are often old, brittle, and difficult to maintain.
“Cybercriminals target infrastructure organizations because owners are often slow to upgrade software, leaving information vulnerable and more easily accessible to outside sources.”
Source: “How Technology Can Mitigate Cybersecurity Risks to Infrastructure,” Forbes, Sept. 30, 2022.
In fact, most of the recommended measures to decrease cybersecurity risks are difficult if not impossible to implement if you’re using on-premises software, let alone manual systems. On the other hand, these capabilities are often included and easily implemented in cloud-based SaaS software systems.
Strengthen Critical Infrastructure Cybersecurity to Protect Against Cyber Attacks
Maintaining critical infrastructure security requires a thorough understanding of cybersecurity threats. It also requires a strong cybersecurity posture to protect against new and evolving cyber attacks.
The cloud-based SaaS tools available to infrastructure owners and operators today make it possible to connect and modernize all aspects of the design, construct, operate, and maintain phases of the asset lifecycle. And the benefits are impossible to ignore, including: