Vital Service Providers Need a Plan to Work Through Internet Outages, CISA Warns
In recent discussions, officials from the Cybersecurity and Infrastructure Security Agency (CISA) underscored the pressing need for critical infrastructure entities in the United States, such as water, power, and financial systems, to devise contingency plans to operate in the event of a cyberattack that disrupts internet connectivity. This warning comes in light of escalating threats from foreign adversaries like Russia and China, who CISA officials believe could exploit vulnerabilities to disrupt essential services amid a military confrontation.
During a security conference in Washington, D.C., Nick Andersen, the acting director of CISA, articulated the gravity of the situation, emphasizing that American society is currently engaged in a silent war—a war that remains unrecognized yet carries serious implications for the nation’s critical infrastructure. Andersen warned attendees that the United States is not adequately prepared for the potential fallout of such attacks, predicting severe disruptions to civilian infrastructure in the event of a military conflict.
The implications of Andersen’s remarks reveal a stark reality: adversaries are actively attempting to penetrate the systems of firms that provide essential services. Given this situation, CISA has redirected its focus towards ensuring that vital service providers can maintain essential operations even without reliable internet access or the technologies dependent on it. The agency aims to bolster resilience within these critical sectors.
Andersen highlighted the psychological toll that attacks could take on the American public, stating that the effectiveness of healthcare, public safety, and power supply systems could be undermined. The disruptions would likely lead to a crisis of confidence among citizens regarding their reliance on these fundamental services. "There will be a significant psychological impact on the safety of the American populace," he remarked, underscoring how citizens expect that, with a flick of a switch, their lights will turn on—a simple yet profound expectation that could be shattered by cyber intrusions.
He further cautioned that the U.S. financial system, often deemed the most fortified against cyber threats, may not escape the ripple effects of widespread cyberattacks. "It may be acceptable for a few local bank branches to be inaccessible, but it is essential to maintain confidence in the system," he argued, stressing the necessity for core financial systems to continue functioning regardless of individual service disruptions.
To fortify this resilience, Matthew Rogers, the ICS Cybersecurity Lead at CISA, explained the agency’s newly launched initiative, CI Fortify. This initiative fundamentally reassesses the infrastructure’s reliance on third-party services, highlighting the precarious nature of vendor connections and leased networks, which might become unreliable in a crisis. Rogers emphasized the need for proactive emergency planning that goes beyond existing cybersecurity protocols. "We must prepare for emergencies rather than merely urging businesses to adhere to standard cybersecurity practices," he stated.
This proactive shift in strategy is termed "real emergency planning," according to Rogers, who added that the initiative takes into account the growing trend of operational technology (OT) automation as well as the impending retirement of seasoned engineers skilled in manual system operations. To address this, CI Fortify will prepare assessments to help organizations test their capacity to operate independently during connectivity outages.
In an ambitious plan to evaluate critical infrastructure, CISA aims to perform approximately 75 to 100 assessments under CI Fortify over the coming year. Each assessment will focus on the ability of these organizations to maintain functionality in isolation. As part of this effort, the Environmental Protection Agency (EPA) is expected to conduct a significant national cybersecurity exercise aimed at the water sector, simulating the management of services in the absence of modern supervisory control and data acquisition technologies.
Rogers acknowledged the staggering scale of the U.S. critical infrastructure, with more than 50,000 water utilities alone. He characterized the number of assessments planned as just a starting point, aiming for a democratization of the assessment process. The materials developed during these assessments will be made publicly available to facilitate widespread awareness and preparedness.
Furthermore, both Andersen and Rogers highlighted the critical nature of prioritization in emergency planning, advocating for a strategic triage framework that would determine which services—be it a trauma center, dialysis facility, or military base—receive priority in resource allocation during crises. The need for these uncomfortable discussions became evident as they recognized that hard choices may have to be made when resources become scarce.
Retired Navy Admiral Mark Montgomery, who once led the Cyberspace Solarium Commission, elaborated on these prioritization discussions, indicating that national security considerations would likely govern decisions during military conflicts. When adversarial cyberattacks aim to cripple U.S. responses, securing military bases may overshadow other priorities.
Finally, Andersen warned that public sentiment might be harsher toward government responses to cyberattacks compared to natural disasters. He emphasized the expectation for immediate resolutions, indicating that the public might not exhibit the same understanding they typically do when faced with a hurricane or other natural calamities.
In conclusion, CISA’s renewed focus on ensuring the operational resilience of critical infrastructure highlights the urgent need for comprehensive planning in the face of growing cyber threats. As adversarial capabilities evolve, so too must the strategies employed by these vital sectors to safeguard America’s essential services and restore public trust.