Does cloud computing threaten our critical infrastructure?
Around the globe, advanced technology is now essential to the development and operation of critical infrastructure such as energy, transportation, healthcare, and defense systems. Increasingly, these projects leverage the advantages of cloud computing: easy remote access, agile DevOps, and cost-effective scale out. At the same time, serious data breaches and attacks continue to make headlines. How can the operators of critical infrastructure, including the federal government, deal with the risks associated with cloud computing?
Clouds on the rise
Cloud computing is widely accepted today as a way to control infrastructure costs and accelerate development. Early on, however, the potential security risks of shared infrastructure made cloud a no-go for highly sensitive environments and most government applications. Nearly ten years ago, the U.S. federal government launched the first Cloud Computing Initiative to explore the possibility of using cloud in government operations. Ultimately, the effort became the basis for the federal standards designed to ensure the security and continuous monitoring of cloud products and services, better known as FedRAMP (Federal Risk and Authorization Management Program). It may come as a surprise to some that many government agencies are now either evaluating or implementing cloud computing in their operations, including the Departments of Defense, Energy, and Health and Human Services, and NASA, to name a few.
The challenge of cyber security in the cloud
Cloud computing has made many new services possible and less expensive than they would be if organizations still had to buy and maintain all their own infrastructure. The catch is that a cloud deployment is not automatically as secure as its operators assume: the provider secures the underlying platform, but configuring and monitoring what runs on it remains the customer's job, and that is where most of the trouble starts.
Cloud environments are susceptible to the same types of threats as traditional data center environments: vulnerabilities in underlying hardware, operating systems, and software that attackers attempt to exploit, in addition to the inadvertent or intentional acts of insiders. Widely publicized breaches have been traced to unchanged default passwords on cloud resources, mismanaged access control lists that left services open to the whole Internet, and insecure or unauthenticated application programming interfaces (APIs).
Clouds also differ in ways that make protecting data and applications more difficult. First, the scale and speed of attacks in the cloud can be much larger; it is not uncommon for attacks to overwhelm and disable the very systems put in place for security and protection. Second, the rate of change in today's digital environments is much faster, with malware and exploits that change within days, often before fixes have even been applied. Third, greater dependency on external software and code libraries means cloud users can be unfamiliar with significant portions of their own digital footprint. Fourth, some attacks are hard to detect, so intruders can remain inside an environment for long periods, learning how it works and refining their techniques.
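Of the breach causes listed above, a mismanaged access control list is the one most easily checked by machine. The following is an added example written for this page, not code from the original article or from any cloud provider: it audits a handful of constructed security-group ingress rules (the field names proto, from_port, to_port and cidr, the list of administrative ports, and the "wider than a /8 is effectively public" threshold are all assumptions made for the example) and reports every rule that exposes an administrative service to the Internet, while leaving the deliberately hardened rule, SSH from a single bastion /24, alone.

```python
import ipaddress

# Services that should never be reachable from arbitrary Internet addresses.
# The port list is an assumption for this example, not a standard.
ADMIN_PORTS = {
    22: "ssh", 3389: "rdp", 5900: "vnc", 1433: "mssql",
    3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Anything wider than a /8 is treated as "effectively the whole Internet".
# 0.0.0.0/0 and ::/0 have prefix length 0 and are therefore always flagged.
WIDEST_ALLOWED_PREFIX = 8

# Constructed sample ingress rules in the shape of a cloud security group.
# The field names (proto, from_port, to_port, cidr, desc) are hypothetical.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0", "desc": "public https"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0", "desc": "ssh (too open)"},
    {"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "::/0", "desc": "rdp (too open)"},
    {"proto": "-1", "from_port": 0, "to_port": 0, "cidr": "10.0.0.0/8", "desc": "all from internal"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24", "desc": "ssh from bastion"},
    {"proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/1", "desc": "half the internet"},
]


def is_world_open(cidr, widest=WIDEST_ALLOWED_PREFIX):
    """True when a CIDR is the whole Internet or broader than the allowed prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen < widest


def exposed_admin_ports(rule):
    """Admin ports covered by one rule's port range, in ascending order."""
    if rule["proto"] == "-1":          # "all protocols" means every port
        lo, hi = 0, 65535
    else:
        lo, hi = rule["from_port"], rule["to_port"]
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]


def audit_rules(rules):
    """One finding per rule that exposes an admin service to the Internet."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue
        ports = exposed_admin_ports(rule)
        if ports:
            findings.append({
                "desc": rule["desc"],
                "cidr": rule["cidr"],
                "services": [ADMIN_PORTS[p] for p in ports],
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"OPEN  {f['cidr']:<16} {f['desc']:<20} -> {', '.join(f['services'])}")
```

Run against the sample, the audit flags three rules: SSH and RDP open to every IPv4 and IPv6 address respectively, and the "all ports from 0.0.0.0/1" rule, which exposes every administrative service at once. The public HTTPS rule is not flagged, because exposure of a service that is meant to be public is not a finding; the point of the check is the combination of a management port and a world-open source range.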
Attacks on critical infrastructure
Technologies like sensors, control systems, and smart devices have made it easier and less expensive for us to operate critical infrastructure with greater consistency. With or without cloud computing, these digital systems present attackers with an opportunity for disruption. Cloud adoption adds further attack vectors: more ways in which an attacker can reach the infrastructure or the systems that control it.
Cyber security specialists report that attempted attacks on critical U.S. infrastructure by nation states and unidentified hackers are daily, ongoing occurrences. The world witnessed the first successful cyberattacks on a nation's electricity grid in Ukraine, in December 2015 and again in December 2016, which caused blackouts during the cold winter months. Analysis of the attacks appears to show that the attackers' presence inside the grid operators' networks was sustained over a long period of time. Before that, the Stuxnet attack on the Iranian nuclear program, discovered in 2010, significantly set back its uranium enrichment effort. At least one security expert believes the only reason U.S. electricity has not been disrupted is the risk of unknown consequences and retaliation, a deterrent similar to the détente achieved during the Cold War.
Defending against advanced threats requires a multi-layer approach
Security and monitoring must be continually practiced and improved just to keep pace with attackers. There is no doubt we need to develop real-time visibility inside large, heterogeneous industrial systems to identify the early signs of intrusion and strengthen our defenses. Protection from prolonged attacks will also require a multi-layer approach involving employee security awareness training, network segmentation, threat intelligence, strong passwords, multifactor authentication for remote access, and continual monitoring of both OT (operational technology) and IT (information technology) environments.
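Two of the layers above, multifactor authentication for remote access and continual monitoring for early signs of intrusion, can be checked against the same stream of events. The following is an added example written for this page, not code from the original article or from any vendor: it parses a handful of constructed authentication events from a hypothetical remote-access gateway in front of an OT network (the line format, the host and user names, and the three-failure threshold are all assumptions made for the example) and raises an alert when a source logs in after repeated failures, the signature of password guessing or of a default credential being found, and when any remote login succeeds without a second factor.

```python
import re
from collections import defaultdict

# Constructed sample events from a remote-access gateway in front of an OT
# network. The line format is hypothetical:
#   <timestamp> host=<gateway> user=<name> src=<ip> result=<OK|FAIL> mfa=<yes|no>
SAMPLE_LOG = """\
2018-10-15T02:14:07Z host=ra-gw-01 user=operator src=203.0.113.40 result=OK mfa=yes
2018-10-15T02:14:09Z host=ra-gw-01 user=admin src=198.51.100.23 result=FAIL mfa=no
2018-10-15T02:14:11Z host=ra-gw-01 user=admin src=198.51.100.23 result=FAIL mfa=no
2018-10-15T02:14:13Z host=ra-gw-01 user=admin src=198.51.100.23 result=FAIL mfa=no
2018-10-15T02:14:15Z host=ra-gw-01 user=admin src=198.51.100.23 result=FAIL mfa=no
2018-10-15T02:14:18Z host=ra-gw-01 user=admin src=198.51.100.23 result=OK mfa=no
2018-10-15T02:20:30Z host=ra-gw-01 user=vendor src=192.0.2.77 result=OK mfa=no
2018-10-15T02:21:02Z host=ra-gw-01 user=operator src=203.0.113.40 result=FAIL mfa=yes
2018-10-15T02:21:10Z host=ra-gw-01 user=operator src=203.0.113.40 result=OK mfa=yes
this line is malformed and must be skipped rather than crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>yes|no)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, fail_threshold=3):
    """Return alerts for two early signs of intrusion on a remote-access path.

    success_after_failures: a (source, user) pair fails at least fail_threshold
        times and then logs in successfully.
    login_without_mfa: any successful remote login that did not use a second
        factor, which a remote-access policy should not permit at all.
    """
    alerts = []
    failures = defaultdict(int)
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key] += 1
            continue
        if failures[key] >= fail_threshold:
            alerts.append({"type": "success_after_failures", "ts": e["ts"],
                           "user": e["user"], "src": e["src"],
                           "failures": failures[key]})
        failures[key] = 0               # a success resets the counter
        if e["mfa"] == "no":
            alerts.append({"type": "login_without_mfa", "ts": e["ts"],
                           "user": e["user"], "src": e["src"]})
    return alerts


def alert_types(text, fail_threshold=3):
    """Convenience wrapper: alert type names in the order they fire."""
    return [a["type"] for a in detect(parse_events(text), fail_threshold)]


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a)
```

On the sample, the admin account produces both alerts at once (four failures from 198.51.100.23 followed by a success, and that success without MFA), the vendor login produces only the no-MFA alert, and the operator's single typo followed by an MFA-backed login produces nothing. Counting failures per (source, user) pair rather than per user alone keeps one guessed password against a shared account from being hidden by legitimate logins from elsewhere; in a production pipeline the same counters would be kept over a sliding time window rather than for the life of the process.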
One encouraging example comes from the U.S. Department of Energy (DOE), which is working to foster the development of secure, resilient, and self-defending energy systems through its Office of Cybersecurity, Energy Security, and Emergency Response and the Cybersecurity for Energy Delivery Systems (CEDS) program. In March 2018, the DOE announced it would award millions of dollars for research, development, and demonstration of next-generation cybersecurity technologies that enable energy systems to detect adversarial actions and adapt to survive them. To date, awards have gone to universities, open source developers, and commercial software vendors. More programs like these will be needed as advanced technology continues to drive the evolution and operation of critical infrastructure worldwide.
FedRAMP Marketplace, online, accessed Oct. 15, 2018.
Cybersecurity Matters: U.S. DOE seeks innovative cybersecurity technologies, Security Boulevard, October 11, 2018.
Andrea Carcano, founder of Nozomi Networks: Russian Cyber Attacks on Critical Infrastructure: The "New Normal," Nozomi Networks blog, July 24, 2018.
U.S. Department of Energy: From Innovation to Practice: Re-designing energy delivery systems to survive cyber attacks, July 2018, available online.