PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives from the Campus”: we invite experts, immersed in the pursuit of educating their students, to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, begins a four-part blog series that will focus on some of the products and sectors that we rely on, as an essential part of our everyday life, that are being targeted by cybercriminals.
In addition to discussing the potential risks and vulnerabilities, David offers his expert perspective regarding the steps that we can take to stay protected. In part one of this series, David examines our U.S. critical infrastructure and the significance of the work that’s being done to help protect everything from our electric power grids and our food supply to the behind-the-scenes systems and data that help keep everything working properly.
By David Dungan
The safety and security of our critical infrastructure stretches into every aspect of our daily life.
And just as the complexity of those systems continues to advance rapidly, thanks to the advancements we’re making in technology, so, too, does the sophistication of the cyberattacks that are occurring, here in the U.S. and abroad. Because of that, companies are beginning to recognize the necessity of making sure that critical patches are applied, and of prioritizing those fixes, to protect against these attacks.
If threat actors attack these vulnerable areas, it can lead to national disruption. Unfortunately, it doesn’t stop there, as a cybercriminal can try to impact food manufacturing, manipulate chemicals used for pesticides, or interrupt our critical communications channels. Any of these scenarios could impact us on a significant level, including our economy.
All told, there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy and our public health or safety (or any combination involving any of these listed).
Within these sectors, there is a significant portion of our public infrastructure that has been impacted by cyberattacks and cyber incidents, largely because they are considered insecure targets due to limited budgets and less access to the resources needed to protect against more sophisticated attacks. Because of this, these entities are viewed as being more susceptible to a larger financial loss for a variety of reasons.
In 2024, U.S. utilities faced an increase of nearly 70 percent in cyberattacks compared to the same time period in 2023. Tens of thousands of customers were without power due to these attacks. State actors and hacktivists are highly motivated and often target critical infrastructure, especially power grids.
- For instance, on May 7, 2021, the U.S. had to shut down a gas pipeline that supplied 45% of the fuel used on the East Coast due to a cyberattack.
- Threat actors write malicious software and firmware in an effort to take control of the power grid breaker systems. They can leverage this ability as ransomware, enabling threat actors to demand millions of dollars in ransom payments.
- One of the key vulnerabilities in critical infrastructure arises when software reaches end-of-life. End-of-life (EOL) is when an operating system is no longer maintained or supported by the vendor. This means that there are no updates and patches to the system, which leaves the critical infrastructure systems exposed. Threat actors will often focus on trying to exploit known vulnerabilities to gain access to a network.
To prepare for these challenges, a recent article in Forbes highlights seven key steps critical infrastructure companies can take to help solidify their cyber defenses, including:
- Formulating a cybersecurity program based on risk
- Investing in the right technological controls
- Taking account of compliance and regulations
- Training employees on cyber hygiene
- Testing and validating defenses regularly
- Establishing a vendor risk management program
- Considering cyber insurance
Here in Indiana, a key resource for supporting critical infrastructure owners and operators is the Indiana Information Sharing and Analysis Center (IN-ISAC). Developed by the state and its partners, IN-ISAC was created to mitigate cybersecurity risks among state agencies through the sharing of threat information and collaboration on strategies. It provides real-time network monitoring, vulnerability identification, and threat warnings. Nationwide, multiple states operate ISACs, and all 50 states participate in the non-profit Multi-State ISAC.
It is through channels such as IN-ISAC that critical infrastructure owners and operators are able to gain access to high-level security consulting (at no cost), as well as receive assistance with troubleshooting and identifying the resources they need for incident response/preparedness.
NOTE: Be sure to come back and check out Part 2 of our blog series on Friday, June 6th, as David Dungan takes a look at what are known as “Internet of Things” (IoT) devices. What are we talking about? Basically, anything you can hook up to an Internet connection (and, at last count, there are some wildly broad estimates that we'll have between 30.9 billion and 75 billion of these devices worldwide by the end of this year)!