Chapter Seven: Cybersecurity
Guest chapter by Christopher Copeland, Ph.D., Associate Professor of Criminal Justice, Tarleton State University

Vocabulary
Air Gap
Continuance of Operations Plans
Critical Infrastructure
Cyber Espionage
Cybersecurity
Cybersecurity and Infrastructure Security Agency
Defense-in-Depth
DHS Critical Infrastructure Sectors
Digital Infrastructure
Distributed Denial of Service
Framework
Intelligence Operations
Intrusion Detection System
Ransomware
Supply Chain Attacks
Thousand Talent Plan

Introduction
In an increasingly interconnected and digitized world, the intersection of homeland security and cybersecurity has become a critical focal point in safeguarding nations against evolving threats. As western societies rely more on digital infrastructure for everything from communication and commerce to critical infrastructure operations, the boundaries between physical and virtual security have blurred and intertwined. The protection of our homeland now necessitates a comprehensive approach that addresses not only traditional security concerns but also the complex and dynamic realm of cyberspace.

For the purposes of this chapter, the definition of cybersecurity used will be the one developed by the National Institute of Standards and Technology (NIST) and its Computer Security Resource Center. That definition is “the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation”. A second definition is “the process of protecting information by preventing, detecting, and responding to attacks” (“NIST CSRC Definitions: Cybersecurity,” n.d.).

Defining Critical Infrastructure and Cybersecurity
Most major systems in use today are run by a computerized process.
This process can either run alongside a human counterpart or be entirely automated. These computer systems go well beyond personal-use computers and incorporate everyday technology including mass transit systems, air traffic control, and an organization’s payroll services, to name a few. Many of these systems are instrumental to the concept of critical infrastructure as defined by the United States Department of Homeland Security (DHS).

Critical infrastructure and cybersecurity were loosely defined in 2000 by the National Plan for Information Systems Protection (White House, 2000). In 2009 the U.S. Department of Homeland Security updated and refined a general partnership plan and approach to critical infrastructure protection (National Infrastructure Protection Plan, 2009). Then in 2013, Presidential Executive Order 13636 (EO-13636) and Presidential Policy Directive 21 (PPD-21) were signed, further clarifying and setting specific policies for protecting critical infrastructure on a more robust cybersecurity foundation (Exec. Order No. 13636, 2013). PPD-21 defined critical infrastructure as including “distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multi-level authorities, responsibilities, and regulations” (White House, 2013). Each of the sixteen sectors requires vast, complex computing to operate. These interdependent functions cross industries and include a myriad of sectors as defined by the Department of Homeland Security. These can be seen in detail at https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors.

Infrastructure
When discussing infrastructure in the United States, the most common aspects mentioned are usually roads, bridges, and railroads.
While these are aspects of infrastructure, the broadened definition now includes things like air traffic, pharmaceutical production, electricity generation and delivery, and water systems, to name a few. The sixteen DHS critical infrastructure sectors are fundamental to the continuance of society in the United States. Yet each one relies heavily on computing, networks, servers, and software to operate efficiently. This is where DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has purview. CISA functions as a federal liaison between DHS and industry stakeholders to help facilitate faster lines of communication and cooperation to improve the cybersecurity of critical infrastructure (CI).

But why? How are the DHS sectors interconnected? As an example of the interconnected nature of CI sectors, each of the sixteen sectors requires power for processing, manufacturing, and communication. Without a sturdy power grid, transportation of goods and services becomes incapacitated, manufacturing slows or stops, and food cannot be processed or distributed. Emergency services are negatively impacted as well, as police, fire, and EMTs are all slowed or have trouble communicating or refueling vehicles to respond. Electricity is a fundamental aspect of modern society, and while small outages can be overcome, larger-scale outages that last for days and weeks can lead to severe problems for the citizens of an affected area.

These computing systems also control other critical infrastructure. Computerized systems control water in most of the United States. Cities use a system of pumps and regulators to control water pressure as well as to treat wastewater and prevent sewage contamination. Those same water systems also provide fire departments with the resources to battle fires and allow buildings to have fire suppression systems.
Another example is that all modern aircraft use onboard connectivity and computer systems that control navigation, transponders, and air-to-ground communications. While the planes themselves may be somewhat protected by an air gap, the air traffic control systems, airport tower control, and flight dispatch are all heavily computerized. Without ground control services, air traffic is in critical danger. This is true for commercial and military aircraft alike. Finally, almost all commercial and military naval vessels require the use of similar computer systems not only for ship control but for GPS and weather data for navigation purposes. Without this critical information, ships at sea face the potential loss of cargo, national security interests, and the lives of those aboard.

Communication
Phone and internet-based communications are all digital, as analog phone lines have mostly been replaced by fiber optic cables. This transition began in the late 1990s and was mostly completed in the United States by the mid-2000s. No longer based on analog tone signals, these digital networks now rely on the same server and line architecture as computing, having been incorporated into the main internet backbone lines at the same time. Given this transition and reliance on the same architectures to operate on a network, these communications are susceptible to attack directly and indirectly.

A direct attack on communications in the United States can take the form of a cyber or physical attack against servers run by the largest telecom providers. These providers include companies like AT&T, Verizon, and Comcast, to name a few. These telecom providers are often the only provider in certain areas, escalating the potential severity of communications outages. While continuance of operations plans would be initiated, downtime and interruption of service could affect broadband communications, cellular communications, or both.

Indirectly, digital communications require electricity to operate.
In severe weather, one of the first systems to fail, even if temporarily, is localized power distribution. As a secondary impact of an attack on a local or regional power grid, communications would be hampered. This has happened numerous times during severe weather events including hurricanes, blizzards, severe thunderstorms, and tornados. As an example, Verizon had to restore a cell tower which was destroyed by a tornado in Springdale, AR in 2022. On March 30, 2022, a tornado with wind speeds of 136-165 mph touched down in Springdale, AR, causing severe damage (Bowden & Joenks, 2022). Verizon engineers had to deploy a temporary tower to help restore communications to the Springdale and Fayetteville areas (Trobaugh, 2022).

Finally, another often overlooked resource related to the cybersecurity of these systems is the specialists and analysts who operate and monitor the security. Although not a traditional attack vector, if the people who know how their network or systems operate are unable to respond to an incident, or worse, rebuild, then the critical nature of these systems can be exploited. While computerized intrusion detection systems can respond quickly, it still takes human beings, people with the security knowledge and the understanding of their specific working environment, to make sense of events and react appropriately. Complications like staffing issues, illnesses like the H1N1/H3N2 influenza, or even worker strikes can affect the security of the communication systems in the United States as easily as a distributed attack.

In 2019, over 20,000 AT&T workers went on strike after labor negotiations devolved. The Communications Workers of America (CWA) was able to organize the strike in “Alabama, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, and South Carolina. Employees involved in the protest include technicians, customer service representatives and others who install equipment and provide support” (Jeong, 2019, para. 5).
This labor strike was eventually negotiated to a conclusion, but it highlights that without personnel, there can be a negative impact on service for many of the communication providers in the United States.

Infectious diseases affect critical infrastructure workers along with the general population. This is even more true for states with higher concentrations of population like New York, Florida, and Texas, as these states typically have larger infrastructure and more intersection of the various DHS Critical Infrastructure Sectors. In the first week of 2023, 21 states reported high to very high cases of influenza (see Figure 1) (“Weekly US Map: Influenza Summary Update,” 2023). The CDC also reported that during the 2022-2023 flu season there were between 26-50 million cases and between 290,000-670,000 hospitalizations (CDC, 2023).

Figure 1: 2022-23 Influenza Season Week 1 Ending Jan 07, 2023. Source: https://gis.cdc.gov/grasp/fluview/main.html

National Defense
All modern military bases use power, water, and communications. All six of the branches of the United States military, as well as the various national guards in each state, have operating facilities to meet the goals of the military. These facilities can range from air bases, naval shipyards, training facilities, and maintenance to even intelligence operations. These locations require the housing of personnel, water services, communications, and of course electrical power. As an example, the Norfolk Naval Shipyard (NNSY) in Portsmouth, VA includes a vast number of services for the U.S. military.
With 1,275 acres, the “NNSY'S primary mission is to provide logistic support for assigned ships and service craft; perform authorized work in connection with construction, conversion, overhaul, repair, alteration, dry docking, and outfitting of ships and craft, as assigned; perform manufacturing, research, development [sic] and test work as assigned; and provide services and material to other activities and units, as directed by competent authority. Our staff includes approximately 8500 military and civilian personnel” (“Norfolk: Welcome Aboard!,” 2023). This is not the largest military base operated by the United States Armed Forces. It does illustrate how one facility can require vastly different resources to run efficiently and meet the mission needs of the U.S. military. Without power, coordinated and reliable communications, proper water facilities, and fuel operations, just to name a few, the U.S. Navy would be negatively impacted in the repair and modernization of vessels in the fleet. While the needs of the NNSY are complex, it does require critical infrastructure and operations to maintain fleet readiness.

[U.S.S. Laboon (right), an Arleigh Burke-class guided missile destroyer moored at NNSY: https://www.shutterstock.com/image-photo/norfolk-usa-june-9-2019-several-1845749014]

There have been instances in the past which highlighted these concerns. In 2019, the U.S. Army decided to cut power to the largest military base in the world, Fort Bragg, located in North Carolina, in “an exercise to gauge the installation’s response in such a crisis, post officials said”. It would appear that things did not go as planned, though, as Army Times reported the outage lasted 12 hours and “while the emergency room at Womack Army Medical Center stayed open, as did the Soldier Support Center, little else functioned on post” (Myers, 2019, para. 5).
After testing other facilities, researchers from the Energy Academic Group at the Naval Postgraduate School noted that “army installations are not immune to energy and water grid vulnerabilities. This year [2020], installations reported over 1,100 utility outage events comprising 22,082 hours, an increase of nearly 5 percent from hours reported in fiscal year 2018. Over 90 percent of the offline hours occurred during outages lasting eight hours or more. Equipment failure and acts of nature account for the majority of outages” (Beehler, 2020, para. 10).

[Fort Bragg Image at Shutterstock: https://www.shutterstock.com/image-photo/fort-bragg-north-carolina-usa-june-1756822967]

Threats and Risks
There are numerous types of cyber threats to homeland security. Different types of cyber-attacks on specific systems can impact law enforcement, emergency services, and even national defense. This means that the nature and scope of cyber threats to homeland security are wide and can affect everything from small rural communities to large military installations.

Types of Threats and Examples:

Cyber Espionage: Nation-states and other actors engage in cyber espionage to gain access to sensitive information and intellectual property. This information can be used to gain a competitive advantage, disrupt operations, or support military and intelligence activities. The targeted information can be anything from national secrets to construction materials. In 2020, the Chair of Harvard University’s Chemistry and Chemical Biology Department, Dr. Charles Lieber, and two Chinese nationals, Yanqing Ye and Zaosong Zheng, were charged in connection with aiding the People’s Republic of China. The three were part of an ongoing recruitment plan known as China’s Thousand Talent Plan, an effort to gain access to, or directly recruit, high-level scientific talent.
According to the FBI, “these talent programs seek to lure Chinese overseas talent and foreign experts to bring their knowledge and experience to China and reward individuals for stealing proprietary information” (“Harvard University Professor and Two Chinese Nationals Charged in Three Separate China Related Cases,” 2020). Yanqing Ye was later revealed to be a Lieutenant in the People’s Liberation Army, and Zaosong Zheng was found attempting to smuggle 21 vials of biological research samples out of the United States to China (“Harvard University Professor and Two Chinese Nationals Charged in Three Separate China Related Cases,” 2020). Dr. Lieber was convicted of two counts of making false statements to federal investigators, two counts of making and subscribing a false income tax return, and two counts of failing to file reports of foreign bank and financial accounts (FBAR) with the Internal Revenue Service (IRS) (“Former Harvard University Professor Sentenced for Lying About His Affiliation with Wuhan University of Technology; China’s Thousand Talents Program; and Filing False Tax Returns,” 2023).

Supply Chain Attacks: Supply chain attacks are attacks on third-party vendors that provide services or software to government agencies or critical infrastructure operators. These attacks can be used to compromise the systems of the target organization or to steal sensitive data. Fu Qiang is currently wanted by the Federal Bureau of Investigation for “Racketeering Conspiracy; Conspiracy; Identity Theft; Aggravated Identity Theft; Access Device Fraud; Obtaining Information by Unauthorized Access to Protected Computers; Intentionally Causing Damage to Protected Computers; Threatening to Damage a Protected Computer; and Money Laundering. These charges stem from their alleged unauthorized computer intrusions while employed by Chengdu 404 Network Technology Company.
The defendants allegedly conducted supply chain attacks to gain unauthorized access to networks throughout the world, targeting hundreds of companies representing a broad array of industries to include: social media, telecommunications, government, defense, education, and manufacturing” (“FBI Cyber Most Wanted: FU QIANG,” 2020).

Ransomware: Ransomware attacks are a growing threat to homeland security, with attackers encrypting data and demanding payment in exchange for the decryption key. These attacks can disrupt operations, compromise sensitive data, and cause significant financial losses. In June of 2023, Ruslan Magomedovich Astamirov was arrested in connection with an ongoing criminal case concerning the LockBit ransomware. According to the US Attorney’s Office in the District of New Jersey, “from at least as early as August 2020 to March 2023, Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware. Specifically, Astamirov directly executed at least five attacks against victim computer systems in the United States and abroad” (“Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses,” 2023).

Distributed Denial of Service (DDoS) Attacks: DDoS attacks overwhelm a system or network with traffic, causing it to become inaccessible. Because of the way network traffic is handled, requests to and responses from a device on the network are processed in order. Flooding a device with requests can cause it to become “backlogged”, so that legitimate requests wait behind the flood or are dropped. Critical infrastructure services, such as power grids and communication networks, can be disrupted by DDoS attacks.

In October 2022, the pro-Russian hacking group “Killnet” attacked several airports inside the United States through a DDoS attack targeting the airports’ websites.
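The backlog effect just described, as an added illustration that is not part of the chapter: a small Python queue model in which a fixed-capacity server processes requests in arrival order, first with no attack, then under a flood from five bots, then with an assumed per-source cap on pending requests. The client counts, rates, queue size and the cap itself are constructed values, not figures from the chapter.

```python
"""Queue-backlog model of a denial-of-service flood.

Added example for this chapter; it is not code from the chapter or from any
agency or vendor it cites. Every rate, capacity and client count below is a
constructed value chosen to make the effect visible.
"""
from collections import Counter, deque
from dataclasses import dataclass, field
import random


@dataclass
class Stats:
    """Served and dropped request counts, keyed by "legit" or "bot"."""
    served: Counter = field(default_factory=Counter)
    dropped: Counter = field(default_factory=Counter)

    def legit_success_ratio(self) -> float:
        """Fraction of legitimate requests that were actually served."""
        total = self.served["legit"] + self.dropped["legit"]
        return self.served["legit"] / total if total else 1.0


def simulate(ticks=200, legit_clients=20, legit_rate=0.2, bot_clients=0,
             bot_burst=20, capacity=10, queue_size=30,
             per_source_limit=None, seed=7) -> Stats:
    """Discrete-time model of a server with a bounded FIFO request queue.

    Each tick, every legitimate client sends one request with probability
    legit_rate and every bot sends bot_burst requests. The server keeps at
    most queue_size pending requests and completes `capacity` of them per
    tick, strictly in arrival order. A request that arrives when the queue
    is full is dropped: that is the "backlog" the chapter describes, and
    under a flood it hits legitimate clients as hard as the attacker.

    per_source_limit (assumed mitigation, not one the chapter names) caps
    how many requests a single source may have pending; anything beyond
    the cap is rejected before it can take a queue slot.
    """
    rng = random.Random(seed)
    queue = deque()
    pending = Counter()        # requests currently queued, per source
    stats = Stats()
    sources = [("legit", i) for i in range(legit_clients)]
    sources += [("bot", i) for i in range(bot_clients)]

    def admit(src):
        kind = src[0]
        if per_source_limit is not None and pending[src] >= per_source_limit:
            stats.dropped[kind] += 1       # rejected by the per-source cap
        elif len(queue) >= queue_size:
            stats.dropped[kind] += 1       # queue full: backlog drop
        else:
            queue.append(src)
            pending[src] += 1

    for _ in range(ticks):
        rng.shuffle(sources)               # arrival order varies each tick
        for src in sources:
            if src[0] == "legit":
                if rng.random() < legit_rate:
                    admit(src)
            else:
                for _ in range(bot_burst):
                    admit(src)
        for _ in range(min(capacity, len(queue))):
            served = queue.popleft()       # FIFO service
            pending[served] -= 1
            stats.served[served[0]] += 1
    return stats


def compare():
    """Legit success ratios for: no attack, 5-bot flood, flood + cap of 2."""
    baseline = simulate()
    flood = simulate(bot_clients=5)
    capped = simulate(bot_clients=5, per_source_limit=2)
    return (baseline.legit_success_ratio(),
            flood.legit_success_ratio(),
            capped.legit_success_ratio())


if __name__ == "__main__":
    labels = ("no attack", "flood", "flood + per-source cap")
    for label, ratio in zip(labels, compare()):
        print(f"{label:24s} legitimate requests served: {ratio:.0%}")
```

A per-source cap only helps when the flood comes from a handful of sources; spread across a botnet of thousands of hosts, as in Figure 3, each source stays under the cap, which is why distributed attacks are harder to defend against than a single flooding host.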
The group coordinated the attack on the secure messaging app Telegram. “The group's call to action included airports across the country, including Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, and Missouri. The cyberattacks claimed by Killnet impacted the websites for Los Angeles International, Chicago O'Hare, and Hartsfield-Jackson International in Atlanta, among others” (Romo, 2022, paras. 2–4).

Additionally, in June of 2023, CISA issued a general warning to all U.S. organizations regarding ongoing DDoS attacks. “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible. If you think you or your business is experiencing a DoS or DDoS attack, it is important to contact the appropriate technical professionals for assistance” (CISA, 2023).

Figure 2: CISA DDoS Alert, June 30, 2023. Source: https://twitter.com/CISACyber/status/1674794129052815370

Figure 3: A diagram of a DDoS Attack Performed with a Botnet. Source: (Najafimehr, Zarifzadeh, & Mostafavi, 2022)

Frameworks and Strategies
This section gives an overview of the frameworks and strategies used in homeland security and cybersecurity. Countering these types of threats requires a multifaceted approach. Because these threats are constantly evolving and adapting to changing technologies, any mitigation techniques need to be flexible and adaptive as well. While technologies and attacks may change over time, the manner in which best practices are applied remains one of the greatest strengths in defending critical infrastructure.
The application of best practices in cybersecurity and critical infrastructure is realized using frameworks, which provide an approach and methodology that can be tailored to any organization or group. Frameworks used in cybersecurity include:

National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1: This framework provides a set of guidelines for organizations to manage and reduce cybersecurity risks. Mandated by the Cybersecurity Enhancement Act of 2014 (Cybersecurity Enhancement Act, 2014), it consists of five core functions: Identify, Protect, Detect, Respond, and Recover, and provides a comprehensive approach to cybersecurity management (NIST, 2018). The current version will be replaced by version 2.0, updating best practices and methodologies for cybersecurity and adding a Govern function (NIST, 2023).

Figure 4: NIST Cybersecurity Framework V1.1. Source: National Institute of Standards and Technology, https://www.nist.gov/cyberframework

NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations: This special publication is designed to help organizations identify and manage risks through a 7-step process of prepare, categorize, select, implement, assess, authorize, and monitor (NIST, 2022). NIST 800-53 is the global default for security controls and is part of the larger NIST Risk Management Framework (RMF). Additionally, the framework adheres to the defense-in-depth strategy. Defense-in-depth is “an information security strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization” (NIST, 2022, p. 1999).
Figure 5: NIST Risk Management Framework. Source: National Institute of Standards and Technology: https://csrc.nist.gov/Projects/risk-management

Department of Homeland Security (DHS/FEMA) National Response Framework: This framework provides a guide for how the nation responds to all types of disasters, including cyber-attacks. It outlines key roles and responsibilities of government agencies, private sector organizations, and individuals in responding to cyber incidents. The plan is adopted by all federal agencies and incorporates the previously developed National Incident Management System (NIMS) down to local communities, as shown in Figure 6. The framework provides 15 Emergency Support Functions, plans for coordinating the Federal response in an incident or declared disaster situation (National Response Framework, Fourth Edition, 2019).

Figure 6: The Application of Community Lifelines to Support Emergency Management. Source: (National Response Framework, Fourth Edition, 2019, p. 10)

ISO 27001: This is a globally recognized international standard (International Standards Organization) that provides a framework for information security management systems. The framework dictates processes and procedures as well as a systematic approach to risk management and incident response for automated systems, personnel, and data storage. “Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard” (“ISO/IEC 27001:2022,” 2022).

Cyber Kill Chain: Developed by Lockheed Martin, this is a 7-step model that describes the different stages of a cyber-attack, from reconnaissance to exfiltration. It is used to identify and prevent attacks by focusing on disrupting the attack process at different stages to assist in the “prevention of cyber intrusions activity.
The model identifies what the adversaries must complete in order to achieve their objective” and helps “enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures” (“Cyber Kill Chain,” 2015, paras. 1–2; Gaining the Advantage, Applying Cyber Kill Chain Methodology to Network Defense, 2015).

Figure 7: Cyber Kill Chain, Lockheed Martin. Source: Lockheed Martin Corporation, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

PCI-DSS: The Payment Card Industry, made up of the largest credit card companies, developed a security standard beginning in 2004 and rolled it out across various continents with incremental changes along the way. The purpose was to reduce the risk associated with data breaches in commercial businesses. Up to then, there was no real standard for protecting consumers’ credit card information in online banking or shopping. Visa, Mastercard, American Express, Discover, and the Japan Credit Bureau (JCB) came together to enact standards and best practices for storing and accessing credit card information. Companies were given a grace period to ensure they met the standard; otherwise the credit card processors would stop processing their credit cards. Since 2008 with version 1.2, and continuing to version 4.0 today, PCI-DSS has been implemented in every country in which these credit card companies operate (“PCI-DSS v.4,” 2022). Many of these standards are similar to best practices found in the NIST and ISO frameworks, tailored to credit card companies and e-commerce specifically.

Examination of these frameworks shows that identification and planning are critical to effectively addressing any issues or vulnerabilities an organization may possess. Many organizations will adhere to more than one of these frameworks, especially in the commercial sector, where trust in how the organization operates and addresses security concerns will impact business and revenue.
These frameworks and strategies should be used in combination to provide a comprehensive approach to addressing the overlap of homeland security and cybersecurity, and can be adapted to the specific needs and requirements of different organizations and sectors.

Case Studies
The following are cases and examples that demonstrate the overlap of homeland security and cybersecurity operating on critical infrastructure, including examples of successful and unsuccessful responses.

On May 16, 2023, the U.S. Department of Justice indicted a Russian national and U.S. resident, Mikhail Pavlovich Matveev, “aka Wazawaka, aka m1x, aka Boriselcin, aka Uhodiransomwar”, for “conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers” (“Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses,” 2023, para. 13). The indictment claimed that Matveev participated in a coordinated attempt to deploy ransomware against the Washington, D.C. Metropolitan Police Department in April of 2021. LockBit was the most widely encountered ransomware in 2022 and has been heavily encountered in 2023 as well. According to CISA documentation, in the United States, “in 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement)” (“Joint Cybersecurity Advisory: Understanding Ransomware Threat Actors: LockBit,” 2023, p. 5). Many of these targets control local and regional emergency services, schools, and special utility districts.
[Read more about LockBit at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a]

In another example of an attempt to attack critical infrastructure, Sarah Beth Clendaniel, 34, of Catonsville, and Brandon Clint Russell, 27, of Orlando, FL, were charged in U.S. District Court in Maryland and Florida, respectively. According to the indictment, “Russell conspired to carry out attacks against critical infrastructure, specifically electrical substations, in furtherance of Russell’s racially or ethnically motivated violent extremist beliefs” (“Maryland Woman and Florida Man Charged Federally for Conspiring to Destroy Energy Facilities,” 2023, para. 8). Using encrypted chat applications, Russell sent links to open-source maps of critical infrastructure, including electrical substations, as well as discussing planned attacks on multiple targets in a coordinated effort. Clendaniel collaborated in the plan to carry out the coordinated attack using a rifle to disrupt several stations simultaneously (“Maryland Woman and Florida Man Charged Federally for Conspiring to Destroy Energy Facilities,” 2023, para. 9).

A state-sponsored Chinese threat actor, Volt Typhoon, is active globally with the mission of espionage, vulnerability assessment, and information gathering. The Microsoft Corporation’s Microsoft Threat Intelligence (MTI) team noticed various techniques used across multiple networks. In 2023, MTI released a public statement regarding how Volt Typhoon was utilizing built-in tools and techniques to attain its goals. According to Microsoft, “Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible. Microsoft is choosing to highlight this Volt Typhoon activity at this time because of our significant concern around the potential for further impact to our customers” (Microsoft, 2023, para. 2). The threat and vulnerability discussed by Microsoft were substantial. Later the same day, CISA published an official cybersecurity advisory which was mirrored by the FBI, the U.S. National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK). In the advisory, CISA directly names Volt Typhoon and the dangers to critical infrastructure: “Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide”. After discussing the attack vector, the advisory provides multiple mitigations to reduce the risk of intrusion by Volt Typhoon (“Cybersecurity Advisory: People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” 2023).

What are the lessons learned from these three cases? One takeaway is that threats to critical infrastructure can come directly from a cyber attack, like those which use ransomware. Cyber attacks can also be sophisticated and complex approaches, like those Volt Typhoon uses to gain access and glean information about critical systems and targets.
Attacks can be state-sponsored or small groups looking for payment or financial gain and as the case in Maryland and Florida, can use internet-based communications to facilitate low tech approaches. These cases showcase why frameworks and flexible approaches are also necessary to protect against a myriad of options attackers have when targeting critical infrastructure. These cases also show how threat detection and defense have improved. Detection of various ransomware is now days after finding it in the wild on the Internet. Vulnerability detection is also significantly faster as well as patching vulnerabilities, which previously took weeks or months, now takes days or even hours. Dissemination of information, showcased by the Microsoft Threat Intelligence team happens much more quickly now and within hours, most of the western world was aware of the techniques used by Volt Typhoon and how to mitigate them. The number of cybersecurity professionals is greater now than ever before and this is evident in the speed at which the industry and the U.S. government can respond to cyber threats, including those that target critical infrastructure. Conclusion This chapter gave an overview of the overlap of cybersecurity and critical infrastructure and the general concepts of homeland security. As noted previously, the majority of critical infrastructure in the United States is privately owned. The importance of ongoing collaboration between homeland security and cyber security professionals is paramount to maintaining the operations and systems necessary to run many of the critical infrastructure sectors. Each sector relies on some aspect of cybersecurity and the partnership with DHS and CISA and the companies that own and operate them is more critical than ever as technology improves, processing power increases, and speed of internet-communications improves. 
These systems are more interconnected than in previous years, and both cyber and traditional threats are multifaceted and diverse. The constant refinement of frameworks, public-private partnerships, and speed of threat detection are the path forward to increased resiliency in the critical infrastructure in the United States.

References:

Beehler, A. (2020). Army Installations Test Energy Resilience. Retrieved October 29, 2023, from https://nps.edu/web/eag/army-installations-test-energy-resilience

Bowden, B., & Joenks, L. (2022). Tornado demolishes Springdale elementary school gym; high winds rip roofs, siding from buildings in east Arkansas. Retrieved October 29, 2023, from https://www.arkansasonline.com/news/2022/mar/31/tornado-demolishes-springdale-elementary-school/

CDC. (2023). 2022-2023 U.S. Flu Season: Preliminary In-Season Burden Estimates. Retrieved October 29, 2023, from https://www.cdc.gov/flu/about/burden/preliminary-in-season-estimates.htm

CISA. (2023). DoS and DDoS Attacks against Multiple Sectors. Retrieved October 21, 2023, from https://www.cisa.gov/news-events/alerts/2023/06/30/dos-and-ddos-attacks-against-multiple-sectors

Cyber Kill Chain. (2015). Retrieved October 21, 2023, from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Cybersecurity Advisory: People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. (2023). Retrieved October 1, 2023, from https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

Cybersecurity Enhancement Act, Pub. L. No. S.1353 (2014). United States. Retrieved from https://www.congress.gov/bill/113th-congress/senate-bill/1353/text

Exec. Order No. 13636. (2013). Federal Register (Vol. 78).

FBI Cyber Most Wanted: FU QIANG. (2020). Retrieved September 20, 2023, from https://www.fbi.gov/wanted/cyber/fu-qiang

Former Harvard University Professor Sentenced for Lying About His Affiliation with Wuhan University of Technology; China’s Thousand Talents Program; and Filing False Tax Returns. (2023). Retrieved September 19, 2023, from https://www.justice.gov/usao-ma/pr/former-harvard-university-professor-sentenced-lying-about-his-affiliation-wuhan

Gaining the Advantage, Applying Cyber Kill Chain Methodology to Network Defense. (2015). Retrieved from https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Harvard University Professor and Two Chinese Nationals Charged in Three Separate China Related Cases. (2020). Retrieved September 18, 2023, from https://www.justice.gov/opa/pr/harvard-university-professor-and-two-chinese-nationals-charged-three-separate-china-related

ISO/IEC 27001:2022. (2022). Retrieved October 21, 2023, from https://www.iso.org/standard/27001

Jeong, Y. (2019). AT&T workers on strike over “unfair labor practices” across 9 states, including Tennessee. Retrieved from https://www.tennessean.com/story/news/2019/08/24/at-t-workers-strike-9-states-over-unfair-labor-practices/2107725001/

Joint Cybersecurity Advisory: Understanding Ransomware Threat Actors: LockBit. (2023). CISA. Retrieved from https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf

Maryland Woman and Florida Man Charged Federally for Conspiring to Destroy Energy Facilities. (2023). Retrieved October 20, 2023, from https://www.justice.gov/opa/pr/maryland-woman-and-florida-man-charged-federally-conspiring-destroy-energy-facilities

Microsoft. (2023). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved October 1, 2023, from https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Myers, M. (2019). Here’s the story behind that massive Fort Bragg power outage. Retrieved October 29, 2023, from https://www.armytimes.com/news/your-army/2019/04/25/heres-the-story-behind-that-massive-fort-bragg-power-outage/

Najafimehr, M., Zarifzadeh, S., & Mostafavi, S. (2022). A hybrid machine learning approach for detecting unprecedented DDoS attacks. The Journal of Supercomputing, 78(6), 8106–8136. https://doi.org/10.1007/s11227-021-04253-x

National Infrastructure Protection Plan. (2009). Retrieved from https://www.dhs.gov/sites/default/files/publications/NIPP_Plan.pdf

National Response Framework, Fourth Edition. (2019). Retrieved from https://www.fema.gov/emergency-managers/national-preparedness/frameworks/response

NIST. (2018). Cybersecurity Framework V1.1. Retrieved October 1, 2023, from https://www.nist.gov/cyberframework/framework

NIST. (2022). NIST SP 800-53A Rev. 5, Assessing Security and Privacy Controls in Information Systems and Organizations. Retrieved October 21, 2023, from https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

NIST. (2023). The NIST Cybersecurity Framework 2.0. Retrieved October 20, 2023, from https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd

NIST CRSC Definitions: Cybersecurity. (n.d.).

Norfolk: Welcome Aboard! (2023). Retrieved October 29, 2023, from https://www.navsea.navy.mil/Home/Shipyards/Norfolk/Welcome.aspx

PCI-DSS v.4. (2022). PCI Security Standards Council. Retrieved from https://www.pcisecuritystandards.org/document_library/

Romo, V. (2022). Pro-Russian hackers claim responsibility for knocking U.S. airport websites offline. Retrieved October 22, 2023, from https://www.npr.org/2022/10/10/1127902795/airport-killnet-cyberattack-hacker-russia

Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses. (2023). Retrieved September 24, 2023, from https://www.justice.gov/opa/pr/russian-national-arrested-and-charged-conspiring-commit-lockbit-ransomware-attacks-against-us

Trobaugh, J. (2022). Verizon working to rebuild cell tower hit by tornado. Retrieved October 20, 2022, from https://www.nwahomepage.com/news/verizon-working-to-rebuild-cell-tower-hit-by-tornado/

Weekly US Map: Influenza Summary Update. (2023). Retrieved October 29, 2023, from https://www.cdc.gov/flu/weekly/usmap.htm

White House. (2000). National Plan for Information Systems Protection.

White House. (2013). Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21). Retrieved September 15, 2023, from https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil