
As the red line disappears, business leaders must step up to protect U.S. infrastructure from cyberattacks

May 5, 2022, 10:13 AM UTC
[Image: A power plant in Orlando. Caption: Experts have warned for years that Russian nation-state cyberattackers are lurking in critical infrastructure networks in the U.S. Credit: Paul Hennessy - SOPA Images - LightRocket - Getty Images]

Escalating geopolitical conflicts are likely to involve cyberattacks on critical infrastructure with the end goal of disruption, if not outright economic warfare.

In the U.S., where much of our critical infrastructure is privately owned, business leaders have a crucial role to play in protecting national security.

In recent weeks, we’ve seen new research on the Industroyer2 malware used to target a Ukrainian energy provider, as well as a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI on threat actors’ ability to gain full system access to multiple industrial control system devices.

And yet we’re seeing a bit of the boiling frog phenomenon. We have ample evidence and knowledge of the dangers, but we don’t see nearly enough action. Cyber warfare on critical infrastructure has been happening for a while—and we’ve been allowing it to continue.

From attacks on the Ukrainian power grid in 2015, to oil shortages in the U.S. last year, and downed telecom services for users in the European Union and Ukraine at the outset of the ongoing war, the disruptions we’ve already experienced should be reason enough to accelerate risk mitigation.

When will it be enough? Where is the red line?

A tale of two trends

Two dramatic developments have been building for some time, and greatly accelerated since 2020: the exposure of legacy infrastructure and the weaponization of cyberattacks.

Our critical infrastructure relies on a lot of legacy equipment that doesn’t have up-to-date security controls. Many industrial networks have been operational for 35 years or more.

The acceleration of digital transformation and new emerging technologies are increasing businesses’ digital footprints and producing better business outcomes. However, as connectivity from aging industrial networks to IT networks, up to the cloud, and to other connected devices has taken off, it is also creating new forms of cyber risk.

For years, we have known that attacks on critical infrastructure are not only possible but can also be used as a weapon, whether for financial gain or nation-state disruption.

Now these attacks are becoming increasingly crafty. Threat actors have shifted their ransomware tactics from locking up personal data to locking up a factory or a pipeline. A flurry of supply-chain attacks impacting millions of downstream users has demonstrated both the advanced capabilities of our adversaries and our own cyber insecurities.

The U.S. federal government recognizes these two trends (and the potential for escalation in the Ukrainian conflict) and has launched a number of initiatives and legislation focused on better securing critical infrastructure. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires critical infrastructure owners and operators to report cyber incidents within 72 hours and any ransomware payments within 24 hours.

Enough is enough

While reporting is important, the federal government has no direct way to ensure the proactive protection of critical infrastructure, as most of our infrastructure is controlled by private entities. That’s why CISA has been issuing many advisories and alerts with concrete steps owners of critical infrastructure need to take.

There is much work to be done. The time has come for critical infrastructure owners to build resilience into their operations. Given the economic pressure the U.S. and other Western countries have exerted on Russia, it’s wise to be prepared for potential retaliation.

The expected path for Russia will be to try to inflict economic damage with a tool it masters: cyberattacks. We’ve known for years that Russian nation-state cyberattackers are lurking in critical infrastructure networks in the U.S., and it’s easy to envision how whole sectors of the economy could be affected. Since attribution is hard and not always possible, those attacks could remain just below the threshold of open conflict, causing the clear red line that once existed to disappear.

Washington is very aware of the shifting strategies, tactics, and implications of escalating cyber warfare, hence the heightened focus and new laws—but the onus is on private owners to protect the private critical infrastructure of the nation.

While the U.S. federal government and cyber experts understand this, the huge gap we have in our cyber defenses of the systems that are critical to our lives and livelihoods leads me to believe the danger is not widely understood by business leaders. It’s time to jump out of the boiling water and better secure these systems.

Galina Antova is the cofounder of Claroty and a former global head of industrial security services at Siemens.

The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not reflect the opinions and beliefs of Fortune.
