A Reckoning Day for Securing America’s Critical Infrastructure

Confronting Vulnerabilities in Agriculture, Energy, Water, Industrial, and Manufacturing Sectors to Safeguard America’s Future by CEO, William Cromarty

Published in Dakota News Now July 24, 2024.

There is an urgent need to overhaul outdated security measures and defend America’s largely unprotected critical infrastructure sectors. Agriculture, energy, water, industrials, and manufacturing are all facing growing vulnerabilities ripe for exploitation. For decades, we prioritized rapid productivity and automation over comprehensive risk management, assuming we could patch things later. This approach now exposes our society’s vital systems to a range of threats, including those from foreign malicious actors, domestic cyberattacks, and some unintended disruptors.

These industries are the backbone of our daily lives. They are essential for ensuring access to food, fresh water, energy, and the manufacturing of critical components that support everything else. Every person within our borders—and some of our international partners—depends on these operations to run smoothly. If these systems fail, it would be disastrous; if they fail en masse, it would be catastrophic. Compromised operations in these sectors could lead to a cascading effect, disrupting society’s functionality at every level.

Currently, available safeguarding solutions are struggling to keep up. These products and services remain fragmented and often inadequate, relying heavily on human oversight and internationally produced technologies, which are frequently the source of the problems themselves. So how do we solve this massive problem? – Take a step back and analyze what’s going on.

How it started:

Our economic decision to prioritize productivity enhancements, which leaned into then-novel cloud computing technologies and internet connectivity, was largely driven by the need to stabilize the post-9/11 economy, recover from the 2008 market crash, and address volatile markets. Risk and security management were important but took a back seat because their full importance wasn’t yet clear.

This economic trend saw companies focusing on automation to tighten operational margins and reduce manual labor costs, leading to splintered, inconsistent, and overconnected solutions. Devices that didn’t need to be connected to large data networks were integrated almost overnight—juicers, refrigerators, trashcans, fitness equipment, and more went online. But, with every new piece of technology, there came a company that developed its own way of connecting, maintaining and securing its device in the newly woven IoT ecosystem. This resulted in a substantial lack of a unified management options or having standardized security practices. With an added widespread belief that connecting everything to the internet was beneficial, security management protocols were all over the place. In hindsight, this exposed many systems to more risk than benefit.

How it’s going:

We are now at a significant disadvantage due to increasing infrastructure attacks. In 2018, the Department of Homeland Security disclosed an organized attack by the Russian government targeting the U.S. utilities grid, including power plants, water facilities, and gas pipelines. Similarly, in 2022, the FBI warned U.S. farmers of ‘timed’ ransomware attacks on the agriculture sector, threatening food security. More recently, the Volt Typhoon infrastructure invasion accessed numerous American companies across sectors such as agriculture, communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education, collecting espionage data and preparing to disrupt critical communication in case of international conflict.

Domestic sources also pose significant threats. In 2016, an Arizona teenager’s prank caused a DDoS attack on the 911 emergency services line via a tweet that included a link forcing iPhone users to automatically dial local emergency services, tying up the lines. More recently, this past January, a hacker attempted to poison a water treatment plant serving parts of the San Francisco Bay Area by using a former employee’s username and password to delete a critical program, which was fortunately discovered before causing mass damage.

Non-malicious accidents also impact our IoT infrastructure. For example, a developer’s typo on servers that were part of Amazon’s S3 web hosting service took down a large portion of the internet’s top websites globally a few years ago. These are just the disclosed threats; similar occurrences happen daily and often go unreported.

Even More Potential for Harm for Critical Infrastructure:

While we haven’t seen public instances of these types of attacks yet, our infrastructural vulnerabilities could be exploited for market manipulation. Consider how easy it might be to corner a commodities market by banking on an artificially created competitor crop failure due to malicious meddling. It may sound like a plot to the next Jason Bourne movie, but electronically supported heists have already been attempted. For instance, in 2017, hackers gained access to a casino by exploiting IoT connections in luxury fish tanks and vending machines.

These examples underscore the urgent need for a more robust approach to managing the risk and security of our connected critical infrastructure.

A Path Forward:

While security leaders understand the need to protect their operations, many existing solutions remain fragmented and insufficient for optimal risk and security mitigation. We still rely heavily on internationally produced IP and technologies that expose our critical infrastructure to unsecured outside vulnerabilities. Consolidating existing frameworks into more manageable centralized platforms remains a challenge. Moreover, security vendors do not focus enough on predictive and proactive automated maintenance and risk management models, and our monitoring still relies exclusively on the human element.

To truly safeguard America’s critical infrastructure, we need a comprehensive and effective risk and security management system that is homegrown, centralized, sensor-agnostic, scalable, and proactive. Such a system should unapologetically lean into predictive learning models through technologies like machine learning, without downtime. We need a solution that augments existing frameworks and protocols, consolidating them into a single-source platform that symbiotically operates with human support but does not fail when human elements fall short.

At Kirkwall, we are doing just that.

Written by William Cromarty, CEO of Kirkwall, an operational security partner to the agricultural, industrial equipment and manufacturing sectors. Kirkwall monitors critical IoT and equipment components for cybersecurity, environmental and human factors to mitigate risk and protect operations from economic loss due to down time. Published in Dakota News Now July 24, 2024.