Why ransomware is such a threat to critical infrastructure


A recent spike in large-scale ransomware attacks has highlighted the vulnerabilities in the nation’s critical infrastructure and the ease with which their systems can be breached.


Little more than a decade ago, what was considered critical infrastructure was largely limited to air traffic control and generation and transmission of energy, and security regulations have been tightly focused on these areas. Today, however, there’s a growing acknowledgment that infrastructure encompasses much more, from stormwater systems to garbage processors, telecom providers, hospitals, financial services, pipelines, and more.

Cyberattacks and ransomware pose a greater risk to critical infrastructure than a non-digital external threat like a nation-state does, and the size and scale of the infrastructure has little to do with the scope of the risk; ransomware is just as much a threat to a water treatment plant in downtown Smallville, USA, as it is to a large-scale energy grid or gasoline pipeline.

Ransomware relies on phishing scams or holes in security it can exploit, including both digital and human vulnerabilities. The attacker then holds the data hostage until a ransom is paid.

As cyberthreats increase in sophistication, we can expect the threat presented by ransomware to evolve, and the actions taken to protect the nation’s critical infrastructure must evolve as well.

While there’s no centralized national agency overseeing all critical infrastructure in the U.S., we have a great model of what the energy industry did with the critical infrastructure protection (CIP) standards that guide utilities. We can apply that model to a broader definition of what constitutes critical infrastructure.

Many of the precautions mandated by CIP, like isolating critical systems from the internet and replacing single-factor, password-based authentication with multi-factor credentials including digital certificates based on public key infrastructure (PKI), could make other types of infrastructure just as secure and resilient as CIP-protected systems are.

It will take regulatory action, though. Municipalities and other critical infrastructure organizations are unlikely to take significant…