China and other nation-state bad actors are probing the defenses of critical infrastructure worldwide and legacy or outdated systems are prime targets. The time to mitigate that risk is now. Credit: Gorodenkoff / Shutterstock Rare is the element of critical infrastructure ecosystem that doesn’t contain legacy systems declared at end of life (EOL) or outdated and unsupported software or operating systems. Any CISO in charge of safeguarding said infrastructure should aspire to know and refresh often their knowledge of where that legacy tech resides, given the length and breadth of its footprint from operational technology (OT) to information technology (IT). The lack of this knowledge effectively creates risky blind spots for which the CISO will be held both responsible and accountable, as there is no doubt that critical infrastructure sits squarely in the crosshairs of many a potential adversary. According to FBI Director Christopher Wray, China’s “targeting of our critical infrastructure is both broad and unrelenting.” The hackers’ goal is disruption, not financial gain “The fact is, the People’s Republic of China (PRC) isn’t just aimed at stealing American intellectual property,” Wray told the Vanderbilt Summit on Conflict and Emerging Threats. “It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing.” Wray described a honeypot operation designed to lure PRC hackers, who took 15 minutes to take the bait and steal information relating to command-and-control systems. What made it noteworthy was that in going straight for those command systems, the hackers ignored planted business and financial documents. In other words, the goal was potential mayhem and disruption, not financial gain. While Wray speaks for the United States, the problem is international and there are ample warnings from other governments, such as the United Kingdom, which serve as both echo and confirmation. The importance of critical infrastructure cannot be underestimated If there was ever a piece of critical infrastructure that needed protection more than any other, it’s our drinking water — something we literally cannot live without. If a bad actor was able to wreak havoc with water systems, the consequences would be disastrous. It’s pretty telling then that the US government is concerned enough about the issue to warn those safeguarding the water supply, underscoring that the threat is real and credible. In May 2024, the US Environmental Protection Agency (EPA) issued an enforcement alert to critical infrastructure providers in the drinking water sector known as community water systems (CWS) aimed at reducing cybersecurity vulnerabilities. The enforcement alert put the onus on those systems serving 3,300 or more people to conduct a risk and resilience assessment (RRA) and develop an emergency response plan (ERP). The alert rehashed the efforts of Iran, pro-Russian hacktivists, China and others, and offered assistance to CWSs. It is worthy of approbation that the Biden administration signaled enforcement was on the horizon when in mid-March 2024 the EPA in conjunction with the National Security Advisor crafted a letter to all US governors to discuss the “urgent need to safeguard water sector critical infrastructure.” One of the most chilling examples of an infrastructure breach that succeeded was the Colonial Pipeline ransomware attack carried out by the threat group DarkSide. If water is our most important asset, energy infrastructure is not far behind. The oil pipeline company was forced to shut down its operations and restart, causing regional shortages of oil and many types of fuel. Technical debt is a big problem for infrastructure In the early spring of 2024, a piece in the Wall Street Journal titled “The Invisible $1.52-trillion problem: Clunky Old Software” discussed in depth the scourge and magnitude of the problem known as technical debt. Technical debt can be described as an accumulation of fixes and outdated systems badly in need of updating. And infrastructure, because of the size and cost of building and maintaining public and private projects such as water systems, electrical grids, telecommunications systems, and transportation systems, is particularly prone to an accumulation of such debt. “Technical debt is one of those invisible issues that people either know they have a problem with, or they don’t know, and that’s worse,” Roger Williams, vice president of research at Gartner, tells CSO. “It happens because it’s cheaper and easier to put things off for tomorrow, just like anything we have at home.” Legacy systems were a hot topic at the most recent RSA Conference, and the issue was perhaps best summarized in a presentation by Allan Friedman, senior advisor and strategist at the US Cybersecurity and Infrastructure Security Agency (CISA) aptly titled “All good things: End of life and end of support in policy and practice.” Friedman highlighted a plethora of incidents which were possible when adversaries compromised an obsolete or EOL system. For example, Volt Typhoon threat actors compromised a small office/home office router, which the manufacturer had declared at end of service life and recommended the units be retired and replaced. We’ve been warned before about legacy systems This message is not new. The US Government Accounting Office (GAO) warned government agencies in December 2022 to focus on the OT and IOT within critical infrastructure, pointing the finger at various government departments and agencies in a scathing manner. Resources were made available following the GAO report and are at hand for CISOs in the form of guidance and training from CISA, which is available to all, without national or geographic restriction. “The guides and frameworks provided by CISA are good,” Tim Chase, CISO of Laceworks, tells CSO, “as they are prescriptive, highlighting what is expected and removes the guesswork for CISOs when dealing with government.” Chase says CISOs need to have a solid foundational knowledge of where their information and operational technologies are and make no assumptions that they are up to date or even fully functional. The framework on materiality of incidents provided by the Security Exchange Commission provides infrastructure CISOs with added impetus to get their arms around the EOL/legacy items within their environment. End-of-life systems are not vulnerabilities but risks Friedman noted that in February 2024 it was shared that within the Ivanti Pulse Connect box, there were a good deal of old systems, including a Linux version from 2009 and a routine as old as 23 years. While he noted that EOL is not intrinsically a vulnerability, “It does, however, warrant a review and a plan to maintain without manufacturer or developer support.” Friedman suggests CISOs focus on the things that really matter: Risk awareness Responsibility Patches and updates An established product security incident response team (PSIRT) Planning and risk smoothing None of which is possible if one is blind to what’s inside the box. He also made a strong pitch to take on board the recent provision of numerous pieces of information and assistance within CISA’s software bill of materials (SBOM) website. I’ve opined about SBOMs not being the panacea of supply chain security in the past, with a focus on product and software acquisition. But with respect to legacy systems, the need to dig in cannot be understated. Chase concluded with a strong pitch for the use of frameworks by CISOs in their decision-making processes. He noted that when it comes to defending one’s actions, a framework provides the CISO with fundamental and understandable reasoning to share with the board, C-suite, and any subsequent investigators asking the question about untended legacy systems: “What were you thinking?” More on critical infrastructure security: Biden delivers updated take on security for critical infrastructure Critical infrastructure attacks aren’t all the same: Why it matters to CISOs Defend critical infrastructure from cyber threats like the US Navy protects ships Related content feature How to defend Microsoft networks from adversary-in-the-middle attacks Preventing, investigating, and cleaning up after potentially dangerous AiTM attacks requires a combination of techniques and processes. By Susan Bradley 14 Nov 2024 7 mins Cyberattacks Data and Information Security Security Practices opinion The CISO paradox: With great responsibility comes little or no power Chief information security officers don’t have full command over their domains but they’re still held to account when things go wrong; it’s a high-stakes power imbalance that can be costly. By Tyler Farrar 13 Nov 2024 6 mins CSO and CISO IT Governance Security Practices feature CISA's VDP is going gangbusters but could still be improved Introduced in 2021, the US government’s vulnerability disclosure policy platform has racked up 12,000 bug reports and saved the government millions in remediation costs. By Cynthia Brumfield 12 Nov 2024 9 mins Government Threat and Vulnerability Management Data and Information Security opinion Choosing AI: the 7 categories cybersecurity decision-makers need to understand What exactly is an AI system anyway? CISOs are increasingly relying on AI to support decision-making -- here’s how to look at the systems available in today’s products and what they can accomplish. By Christopher Whyte 08 Nov 2024 10 mins CSO and CISO Security Practices Security Software PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe