Critical infrastructure attacks aren’t all the same: Why it matters to CISOs

Cyberattacks against critical infrastructure are always big news, but recent headlines have once again thrust the threat faced by Western democracies from foreign powers in this domain back onto the agenda of everyday citizens. Most prominently, the director of the US Federal Bureau of Investigation (FBI), Christopher Wray, claimed that  Chinese advanced persistent threat actors (APTs) are preparing to “cripple vital assets and systems” in written testimony to the House Select Committee on the Chinese Communist Party. One day prior, Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA), said that she had “become increasingly concerned about a strategic shift in PRC [People’s Republic of China] malicious cyber activity against US critical infrastructure.”

In addition to the Chinese threat, officials of the US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six individuals linked to the Iranian government for attacking critical infrastructure in the United States and elsewhere. These include attacks on water utilities in America and industrial control devices in Israel. Experts recently supported a new law in Canada that would force stricter standards of security on critical infrastructure operators. A wave of DDoS attacks perpetrated by the Russia-affiliated hacktivist group NoName057(16) hit Swiss government websites, timed against the visit of Volodymyr Zelensky to the World Economic Forum in Davos. Swiss authorities anticipated critical infrastructure targeting, citing the group’s usual targeting approach.

It doesn’t take an expert to understand the concern about cyberattacks on critical infrastructures, which are of high inherent value to any nation. Disrupting them is one of the few cyber-enabled outcomes likely to cause widespread harm. Critical infrastructures also come with unavoidable vulnerabilities, brought about by their disaggregated nature, common reliance on (often) outdated technology, and lack of security regulation in many countries.

Cyberattacks on critical infrastructure are a dimension of strategic competition in international affairs. Recent Iranian and Chinese activities against Western critical infrastructure shows differences in scale, scope, and timing that suggest divergent motivations. Nevertheless, patterns of critical infrastructure intrusion correspond to the interaction of factors – from statements of geopolitical interest to the co-dependencies of critical infrastructures themselves – that security planners can observe and should consider in building their threat mitigation posture.

The critical infrastructure cyberattack landscape

The operational realities of Chinese and Iranian activities are representative of the universe of cases of cyber assaults on Western critical infrastructure over the past two decades. The cyber operations of Tehran-backed APTs are intended to create spectacle. They target vulnerable systems for broad access (like control devices) or utilities whose disruption would have potent counter-population outcomes (like water treatment plants). Incidents like Stuxnet, the Black Energy attacks on Ukrainian grid infrastructure in 2015 and 2016, or Dragonfly 2.0 infections first found in 2015 are all examples of state actors deploying cyber assets to address singular campaign outcomes. Iran’s efforts may be less sophisticated than these examples, but their timing against the ongoing Hamas-Israel conflict and the relative ease of mitigation suggest a deployment informed by campaign-specific considerations.

On the other hand, China’s infiltration of Western critical infrastructure is a long-term effort that has involved reconnaissance, gradual intrusion, and cross-infrastructure access compromise over years. Reporting on Wray and Easterly’s comments to Congress suggest that ongoing PRC-linked intrusions of concern stretch back at least five years. Recent warnings don’t reflect sudden concern; they are more an assessment of foreign capacity for disruption built on a more holistic compromise of American infrastructures than has previously been seen.

Viewed this way, the more serious of the critical infrastructure threats that American officials describe – the one from Beijing – is counterintuitively tied to the most common of the activities we associate with critical infrastructure attack. Critical infrastructure operators in advanced economies see millions of intrusion attempts each year. These attempts are arguably to build capacity for widespread disruption rather than punctuated assaults on single points of national vulnerability. This complicates security planners’ attempts to predict and mitigate the most severe threats. How can we assign risk to counter critical infrastructure incidents in a world where punctuated disruption is rare and calamitous threats are among the most common?

Critical infrastructure attacks as strategic competition

The answer lies with treating national critical infrastructure threats as a dimension of strategic competition among nation-state actors and their proxies. This doesn’t only mean static alignment of threat profiles with high-level assessments of national interest. It’s easy to see pro-Iranian or pro-Chinese (or pro-American, pro-Israeli, pro-Turkish, etc.) motivations behind cyberattacks that make news headlines. Iran’s attack on Israeli industrial controls development suggests a desire to threaten Tel Aviv’s domestic base during the current conflict. Russia’s digital assault on Viasat during the opening hours of the 2022 invasion of Ukraine is a clear representation of Moscow’s need to create momentary vulnerabilities in Kyiv’s command-and-control apparatus.

These obvious linkages tend to be the stuff of crisis. Cyber operations deployed by state actors and their proxies occur in the context of competition that extends far beyond crisis moments. Strategic competition itself is a mutually constituted environment in which actors clash to secure favorable outcomes in line with their interests. It is mutually constituted because actors are connected to one another via numerous systems – social, political, economic, and (most significant for our purposes) cyber-physical infrastructure. This global environment is institutional in nature, as these political entities need organization to manage connectivity and manage vulnerability.

The result is a global landscape of cyber critical infrastructure attacks defined by the interaction of cybersecurity’s operational realities with the institutional quirks of national security establishments. Iran’s recent attacks and the Russia-backed attack on Viasat represent moments where institutional alignment with core geopolitical objectives neutralize the common argument against the utility of critical infrastructure disruption. Victories earned via cyberspace are almost always temporary and can be patched in relatively short order. Only in situations where momentary gain enables other national objectives or serves as a signal of intent are these kinds of attack common.

By contrast, the kind of threat that Wray and Easterly warned about – a slow-burn build-up of capacity for multi-faceted disruption – emerges when high connectivity and widespread vulnerability are married to opportunities for stealth and a limited organizational capacity for adaptive response. 

Severity as co-dependency

To understand this point, remember the distinction between reality and the common view of attacks against national critical infrastructures as one that emphasizes singular threat outcomes. An attack on electricity grid facilities may cut power to entire municipalities, leading to second-order hazards such as disrupted traffic regulation systems or limited access to medical services. A water treatment facility attack might introduce unsafe levels of lye into a local supply, causing illness or even fatalities at scale.

These possible outcomes speak to the inherent value of critical infrastructure and the appeal for threat actors in using such an attack, where the operational capability to undertake one exists, to signal during crisis. As national security researchers have long noted, the co-dependent nature of modern infrastructures and the possibility for cascading effects define the true strategic value of possible cyberattacks on critical infrastructure for foreign states.

As studies have noted, the distance between a localized crisis from critical infrastructure disruption and a weeks-spanning national emergency is not great, at least in terms of the overlapping dependencies involved. Any attack on electrical infrastructure impacts the operation of healthcare services, transportation, and production. Targeted versions could substantially impact financial services. Attacks on rail or airport facilities could cause domestic trade backlogs or food shortages. Even punctuated attacks on cloud service providers or other information service providers could produce rapid commercial shutdown in one or more economic sectors.

Rivalrous cyber as a cooperatively constituted environment

Enacted in combination, these kinds of attacks could be debilitating for a nation and not just for a short time. Cascading attacks like this are operationally challenging to orchestrate even if the outcomes are relatively simple to model, requiring immense resources and time commitment. Likewise, there is only strategic value in such attacks under limited circumstances. Unless there is a commitment to launch additional conventional attacks, a cascading cyber assault on national critical infrastructure risks escalation during any crisis. Such effects are hardly performative or narrow enough to constitute a degradation of a specific national capability.

The utility of such a capability, then, is found in deterrence. Chinese capacity to inflict widespread, multi-sector disruption via pre-positioned cyber assets functions as a form of missile stoppage, where the ballistic missiles of nuclear competitors are aimed at key targets to dissuade unwanted foreign action. Yet, the act of building this cyber capability – as Wray has suggested is the PRC’s goal – is costly. So, under what conditions can we expect such broad-scoped intrusion activity?

The willingness of competitors to use cyber operations to generate strategic effects is dictated by four institutional factors:  

  1. Connectivity: Competitors are motivated by the degree of connectivity that exists to link them to adversaries. Given the ubiquity of cyber and cyber-physical systems today, this factor is consistently high.
  2. Vulnerability: Competitors are motivated by perceived vulnerability of an adversary.
  3. Organization: Competitors act based on assessments of adversary organization, which is essentially an ability to adapt to a given threat pattern of behavior.
  4. Discretion: Competitors are motivated by the potential for discretion in their attempt to generate strategic effects.

Together, these factors explain the strategic shift toward broad-scoped critical infrastructure intrusion by the PRC. Western critical infrastructures are densely networked apparatuses. They are also, unfortunately, exceptionally vulnerable to outside intrusion owing largely to the fragmentation of security efforts that come from diverse private ownership in the face of (mostly) limited national regulations. This same fragmentation, coupled with democratic expectations of freedom from government oversight, make the task of public sector defense of critical infrastructure incredibly challenging. This dynamic creates immense opportunity for clandestine intrusion at scale for a committed and well-coordinated aggressor.

Cyber apples and oranges: How global stakeholders should react to critical infrastructure threats

These factors also help security teams and strategic planners address the divergent challenges of combating malicious foreign cyber threats to critical infrastructure. The threat posed by recent Iranian activities is of a different nature than that posed by the Chinese government, their agents, and proxies. As I and others have addressed recently, the crisis logic of cyber operations should compel security teams to pay attention to their unique situational vulnerabilities. For critical infrastructure operators, it helps that the episodic value of cyber disruption pertains directly to the criticality of systems, as conventional risk assessments are well-placed to capture such potentiality.

The Chinese cyber capacity to inflict widespread and cascading effects on Western society is a much more difficult challenge to overcome, even if China’s intention is to inhibit the policy options of America and her partners. The likelihood that deterrent capacity is the objective of widespread access suggests an obvious strategic goal for security stakeholders in United States, Europe, and beyond: Limit the appeal of such intrusion activity for foreign adversaries and reduce existing access. The factors described here can act as a guide for accomplishing this.

Effectively restraining foreign adversaries would require limiting connectivity to critical infrastructure, which is only incrementally possible (via air-gapping, etc.). Better awareness of malign intentions, however, should dampen the sophistication of intrusion activity, and institutionalization of critical infrastructure preparedness and mitigation fundamentals should mitigate threat severity. From this perspective, Wray’s push to spread awareness of the PRC threat is wise, as is Canada’s attempt to pass stricter regulation of critical infrastructure operators’ security practices. One limits the discretionary conditions the Chinese need to build this capability; the other builds toward an inter-institutional apparatus that is more inherently adaptive, which should reduce the value of the capability.

Stakeholders in the United States and elsewhere should double-down on efforts that conform to these parameters. From more consistent de-classification of details of critical infrastructure attacks to the publicization of critical infrastructure operator security performance outcomes, public sector stakeholders can limit the conditions under which foreign activity can find strategic value. Private operators should embrace collaborative threat assessment and data-sharing opportunities, particularly where “hands-off” regulatory regimes exist to motivate government engagement under conditions of limited liability.

Perhaps the most significant step that Western societies could take is to encourage greater awareness of the strategic realities of cyber compromise of our critical infrastructures. Just as ideas of deterrence and mutually assured destruction (MAD) were introduce to general populations as a method of encouraging pragmatic discourse, so too does the context of threats to CI need to be communicated to broader populations. Not all CI threats are the same, and those that pose the greatest danger to national interests are also those that community coordination and common understanding stand the most to help resolve.

Advanced Persistent Threats, Critical Infrastructure

Go to Source