COMMENTARY
Recent headlines around Volt Typhoon, a state-sponsored Chinese threat actor targeting US critical infrastructure, have caused alarm over attacker dwell time and put critical infrastructure security in the spotlight. The group targets network infrastructure devices to gain access to critical infrastructure organizations and then uses living-off-the-land techniques to lurk on victims’ environments to position themselves for future attacks. Volt Typhoon has been known to target the communications, energy, water, and transportation sectors.
There’s no question that critical infrastructure threats such as what we’re seeing from Volt Typhoon are concerning and need to be taken seriously. Attacks on critical industries have the potential to cause widescale damage and disruption and can even put people’s lives at risk — compromised water sources, gas lines, utilities and healthcare devices, for example, could have a life-threatening impact. Given the high stakes, critical infrastructure organizations need to strengthen security to keep people safe and the global economy working.
However, as someone who works on the front lines of critical infrastructure security, I believe that, rather than panicking about Volt Typhoon and the threats the group represents, we should focus on several positives:
-
Malware activity targeting critical infrastructure is custom and challenging. It takes many hands to build an effective package. We know this because we are unfortunately finding complex builds. The positive here, however, is that we are now looking for malware activity.
-
Many of the 16 CISA-defined critical infrastructure industries have matured their security defenses and are in a better position to defend against advanced threats than they were a few years ago. There is a long path to “secure,” but we have better prevention and detection than we did in 2020.
-
It’s not uncommon for malware to sit dormant for years until the time is right to strike. Knowing this, security operations center (SOC) teams have focused on threat detection, advancing their method for absorbing critical infrastructure, industry control system (ICS), and operational technology (OT) alerts, which has lowered malware dwell time and improved security overall.
Focus Areas for Critical Infrastructure Sectors
One of the biggest takeaways of the Volt Typhoon activity is that it’s crucial for critical infrastructure organizations to conduct risk assessments frequently to see how threats against their company are changing and then use that intelligence to adapt their cybersecurity and cyber resilience strategies accordingly.
If you don’t know a threat is there, you can’t defend against it. And not all organizations are targeted with the same threats. Additionally, your biggest threat today may not be the greatest source of risk tomorrow. For all these reasons, frequently identifying and quantifying the unique risks to your organization is the first step to staying secure and cyber resilient.
Once the risk assessment is complete, you can then develop or refine your security plan accordingly. Because threats and business needs change all the time, this should be a living strategy. That said, there are a few security fundamentals that should always be prioritized, including:
-
Network segmentation: Divides the network into separate zones for different types of users and services. This approach helps contain attacks and limits the lateral movement of threats within the network.
-
Intrusion detection systems (IDS): Monitors network traffic for suspicious activity. This is important because traditional endpoint security tools aren’t able to be installed on all network infrastructure devices.
-
Identity security: The optimal combination is secure remote access with privileged access management (PAM). The former allows users to safely connect to networks and prevents unauthorized access. The latter secures privileged user accounts that have high-level access to individual controllers in a critical site, so cyber attackers can’t exploit them to move across the victim’s environment.
From Past to Present
Five years ago, critical infrastructure security had very limited awareness, and headlines on activity from threat actors like Volt Typhoon would be alarming. We’ve come a long way since then, though — not only in recognizing risks to these sectors but also establishing cybersecurity benchmarks for keeping critical infrastructure organizations secure.
So, while it’s true that attacks on critical infrastructure are ramping up, it’s also true that organizations now have the knowledge and tools needed to defend against them. Organizations no longer need to be caught off guard. With risk assessments, security fundamentals, and advanced security strategies that target unique threats to the business, critical infrastructure organizations can build strong security programs that are able to withstand any type of attack and keep the organization cyber resilient.