
Cyber threats to critical Infrastructure (CII) require Effective Cyber Incident Response plan at National level

Networked technologies touch every corner of the globe and every facet of human life. They have driven innovation, nurtured freedoms, and spurred economic prosperity. Even so, the very technologies that enable these benefits offer new opportunities for malicious and unwanted cyber activities.


Cyber-attacks are continuously growing in size and breadth, targeting organizations of all sizes across sectors, and the telecom sector is no exception. According to PwC's Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. The rising danger posed by cyberattacks on critical national infrastructure was evident again in May 2021, when a small group of hackers launched a ransomware attack on Colonial Pipeline, the United States' largest pipeline network for delivery of refined petroleum products. Colonial shut down its main lines for five days, disrupting nearly half the fuel supply for the eastern part of the country. Worried drivers drained supplies at gas stations in the Southeast, airlines rerouted flights to airports with available fuel, traders were rocked by unexpected price volatility, and logistics companies scrambled to locate new sources of fuel. The implications are huge: a small group of hackers may have temporarily, and inadvertently, cut off energy flows to an important economic center, triggering real-world impact.


Earlier, cyberattacks on critical infrastructure were thought to be carried out only by state agencies, the Stuxnet attack on Iran's nuclear facility being the best-known example. The targeted assets usually relied on analog operational technology and were relatively isolated from the internet. Gaining and maintaining access to such assets required specialized tools, similar operational technology, reconnaissance capabilities, and even physical access to the site itself. Specialists assumed that only states possessed the diverse skills and resources required to develop such threats.


In recent years, however, business demands for remote visibility into industrial operations led to the convergence of IT and OT systems. The digital transformations that enabled sought-after business advantages, including remote access and predictive maintenance, created new exposure to cyberattacks. Now, less sophisticated attackers can prey on infrastructure assets.


The risks associated with the Nation’s dependence on these networked technologies led to the development of Presidential Policy Directive 41 (PPD-41): United States Cyber Incident Coordination, which sets forth principles governing the Federal Government’s response to any cyber incident, whether involving government or private sector entities.


Presidential Policy Directive (PPD)-41: U.S. Cyber Incident Coordination and its associated Annex set forth principles governing the Federal Government's response to any cyber incident, provide an architecture for coordinating the response to significant cyber incidents, and required the Department of Homeland Security (DHS) to develop a National Cyber Incident Response Plan (NCIRP or Plan) to address cybersecurity risks to critical infrastructure.


The NCIRP provides guidance to enable a coordinated whole-of-Nation approach to response activities and coordination with stakeholders during a significant cyber incident impacting critical infrastructure. The NCIRP sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans. The NCIRP is also designed to integrate and interface with industry standards and best practices for cybersecurity risk management, such as those set out in the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity.


The NCIRP focuses on building the mechanisms needed to respond to a significant cyber incident. A significant cyber incident is a cyber incident that is (or a group of related cyber incidents that together are) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.


The NCIRP is based on several guiding principles outlined in PPD-41 for the response to any cyber incident, whether involving government or private sector entities. One of these principles is Risk-Based Response. The Federal Government will determine its response actions and the resources it brings to bear based on an assessment of the risks posed to an entity, our national security, foreign relations, the broader economy, public confidence, privacy and civil liberties, or the public health and safety of the American people. Critical infrastructure entities also conduct risk-based response calculations during cyber incidents to ensure the most effective and efficient utilization of resources and capabilities.


In responding to any cyber incident and recognizing the shared responsibility for cybersecurity, the Federal Government organizes its response activities based upon four concurrent lines of effort: threat response, asset response, intelligence support, and the affected entity's internal response activities.


Threat Response

Threat response activities encompass many resources and capabilities from across the law enforcement and defense community. Threat response activities during a cyber incident include investigative, forensic, analytical, and mitigation activities; interdiction of a threat actor; and providing attribution that may lead to information sharing and operational synchronization with asset response activities.


Asset Response

Asset response activities include furnishing technical assistance to affected entities, mitigating vulnerabilities, identifying additional at-risk entities, and assessing their risk to the same or similar vulnerabilities. These activities could also include communicating with the affected entity to understand the nature of the cyber incident; providing guidance to the affected entity on available federal, SLTT, and private sector resources and capabilities; promptly disseminating new intelligence and information through the appropriate channels; and facilitating information sharing and operational coordination with other Federal Government, SLTT government, and private sector entities. Critical asset response activities also include assessing potential risks to a sector or region, including potential cascading and interdependency effects, developing courses of action to mitigate these risks, and providing guidance on how best to utilize federal, SLTT, and private sector resources and capabilities in a timely, effective manner.


Intelligence Support

Intelligence and related supporting activities play an important role in building a better understanding of the cyber incident, in identifying the diplomatic, economic, or military capabilities available to respond, and in sharing threat and mitigation information with other potentially affected entities or responders. Especially during a significant cyber incident, asset and threat responders should leverage intelligence support activities as necessary to build situational threat awareness; share related threat indicators and analysis of threats; identify and acknowledge gaps; and ultimately create a comprehensive picture of the incident.


Core Capabilities

Core capabilities are the distinct critical elements needed to conduct the threat response, asset response, and intelligence support activities in response to a cyber incident. Core capabilities are the activities that generally must be accomplished in cyber incident response, regardless of which levels of government are involved. Core capability application may be achieved with any combination of properly planned, organized, and trained personnel and deployed through various approaches such as the NIST Cybersecurity Framework or cybersecurity activities developed by the private sector. The National Preparedness Goal organizes the core capabilities into mission areas.


When a cyber incident affects a private entity, the Federal Government will typically not play a direct role in the affected entity's response activities but will remain cognizant of those activities and coordinate appropriately with the affected entity. The private sector, especially the owners and operators of critical infrastructure, plays a key role in responding to cyber incidents. Small, medium, and large private sector entities are often the first and primary responders to cyber incidents. Private companies are responsible for the security of their own systems; they are normally the first to identify an incident and are often in the best position to respond to it.

U.S. Defence Agency Launches Joint Cyber Defence Collaborative

The Cybersecurity and Infrastructure Security Agency (CISA) announced in August 2021 the formation of the Joint Cyber Defence Collaborative (JCDC). The JCDC leads the development of the Nation's cyber defence plans by working across the public and private sectors to help defend against cyber threats to U.S. critical infrastructure.

Through this new collaboration, CISA will promote national resilience by coordinating actions across federal agencies; state, local, tribal and territorial (SLTT) partners; and private sector entities to identify, protect against, detect, plan for and respond to malicious cyber activity targeting U.S. critical infrastructure. The JCDC’s mission for unifying cyber defence will complement existing efforts by law enforcement and the intelligence community.

According to the JCDC fact sheet, the new organisation will:

  • Identify unique public and private sector planning requirements and capabilities.
  • Implement effective coordination mechanisms.
  • Establish shared risk priorities.
  • Develop coordinated cyber defence plans.
  • Support joint exercises and assessments to measure the effectiveness of cyber defence operations.

The CISA Director said that the JCDC presents an exciting and important opportunity for the agency and its partners: the creation of a unique planning capability to be proactive rather than reactive in the collective approach to dealing with the most serious cyber threats to the nation. Officials from federal partner agencies will work within the JCDC office to spearhead U.S. cyber defence plans while outlining best practices to thwart cyber intrusions and reduce their impact, according to a CISA webpage about the new collaboration.

A major goal for the JCDC is to coordinate public- and private-sector strategies to counter cyberattacks, especially ransomware, while establishing incident response frameworks. The Department of Defence, the FBI, the National Security Agency and U.S. Cyber Command are among the government partners.

These are the key JCDC capabilities:

  • Comprehensive, whole-of-nation planning to address risk both during steady-state operations and during an incident.
  • Common situational awareness and analysis to equip public and private partners to take risk-informed coordinated action.
  • Integrated cyber defence capabilities to protect the nation’s critical infrastructure.
  • Flexibility in planning and collaboration to meet the cyber defence needs of the public and private sectors.
  • Institutionalised exercises and assessments to continuously measure the effectiveness of cyber defence planning and capabilities.
  • Close work with the Sector Risk Management Agencies (SRMAs) to bring their unique subject matter expertise to tailored plans that address sector risk.

JCDC will create an inclusive, collaborative environment to develop proactive cyber defence strategies and help both sectors implement coordinated operations to prevent and respond to cyberattacks. Continued collaboration between industry and government is critical to thwarting today’s sophisticated attacks. CISA’s initiative to bring the most relevant stakeholders together to defend national security is admirable.

As critical infrastructures are susceptible to cyberattacks, US researchers have created a cybersecurity technology designed to lure hackers into an artificial world in order to protect these infrastructures. As reported by OpenGov Asia, the technology is based on honeypots, which attract attackers by presenting what appears to be an easy target so that cybersecurity researchers can study the attackers' methods.


While most honeypots are used simply to lure attackers and study their methods, this technology instead uses artificial intelligence to deploy an elaborate deception that keeps attackers engaged in a pretend world mirroring the real one. The decoy interacts with users in real time, responding in realistic ways to their commands.


The development of this technology is an example of how U.S. scientists are focused on protecting the nation's critical assets and infrastructure. This cybersecurity tool has far-reaching applications in the government and private sectors, from city municipalities to utilities, banking institutions, manufacturing, and even health providers.

