The Florida Bar

Florida Bar Journal

Cybersecurity Threats To Critical Infrastructure

Featured Article

Cyberattacks on critical infrastructure are increasing at an alarming rate.[1] A 2022 survey of organizations in the United States, Japan, and Germany revealed that 89% of responding critical infrastructure firms had experienced cyberattacks impacting production and energy supply over a period of 12 months.[2] The research also found that 40% of respondents were incapable of blocking the initial attack.[3] Additionally, 48% of respondents who reported disruptions do not always make improvements to minimize future cyber threats.[4] Perhaps more alarming, the average cost of a breach on critical infrastructure is rising at a precipitous rate.[5]

The consequences of these attacks far surpass the effects felt on the everyday level. Imagine a hospital that experiences a cyber disruption to its health-monitoring devices that transmit patient health information, or an oil refinery or natural gas pipeline that loses the functionality of the operational technology systems that move fossil fuels, causing major supply disruptions as well as increases to gas and energy prices. The commonality among cyberattacks on our infrastructure is losing the ability to perform or control a core function. No longer is financial damage the predominant consequence of an infrastructure cyberattack. Loss of, or injury to, human life is now also in the crosshairs.

A Recent Cyberattack Could Have Poisoned Thousands of Floridians

An example of a cyber-infrastructure threat involved the water treatment plant in Oldsmar, which a threat actor breached and compromised through remote access before attempting to change the level of sodium hydroxide, more commonly known as lye, in the water from 100 parts per million to 11,100 parts per million — a likely fatal poisoning event to many of its customers.[6] The threat actor’s identity has not yet been publicly disclosed. Was it some enemy nation-state or some other highly sophisticated threat actor? Not likely. Experts who have evaluated the attack reported that the breach and compromise were not a particularly sophisticated attack but were, instead, the digital equivalent of passing through an unlocked door.[7] No demands for ransom have been acknowledged — at least publicly. It seems likely to have been either malice or mischief. The “why” is not as important as the “how.” Simply stated, the Oldsmar plant’s cybersecurity mechanisms were well short of what ought to be generally accepted standards.

Thankfully, the alteration in the lye concentration was immediately detected by a plant operator, who normalized the levels before the attack had any impact on the system, thereby averting a potentially lethal threat. Many, however, would agree that Oldsmar and its customers were lucky the result was not worse.

A Cyber Breach at Colonial Pipeline Triggered A National Emergency

Another attack on our infrastructure was the May 7, 2021, ransomware attack on the Colonial Pipeline, a system of more than 5,000 miles of pipelines from Texas to New Jersey, which disrupted fossil fuel distribution throughout the East Coast of the United States, causing a spike in gas prices, panic buying, and localized fuel shortages.[8] As a result, the U.S. president issued a declaration of emergency on May 9. Due to the Colonial Pipeline’s poor cybersecurity hygiene, a bad actor installed ransomware on the Pipeline’s IT network, crippling its functionality, by accessing its systems through a network user profile that lacked an industry-standard multifactor authentication safeguard. The pipeline’s CEO, Joseph Blount, Jr., testified to the U.S. Senate that the network profile used by the bad actor was not intended to be in use.[9] Although the hack was attributed to the infamous Russian hacking group DarkSide, the pipeline was forced to pay $5 million to the bad actor to regain access to its IT network. Blount recounted that the pipeline had a general emergency response plan, but nothing implemented to proactively mitigate against a ransomware attack. The pipeline resumed operation by May 13, 2021, but the systemic consequences of this attack were still felt weeks later and highlighted the need for a prompt refocus on our nation’s infrastructure cybersecurity practices.

A Cyberattack Disrupted Our Meat Supply

In June 2021, JBS USA Holdings, Inc., paid $11 million in bitcoin to resolve a ransomware attack. Like the Colonial Pipeline, JBS was little known to consumers before the attack went public. JBS is the world’s largest meat processing company by sales, according to the Wall Street Journal.[10] Its subsidiary, Pilgrim’s Pride, Inc., was also hit with the attack. Public reports indicate that JBS was well-prepared to recover from a cyberattack and was able to restore operations after a few days, through the use of encrypted backup, but JBS negotiated for and paid the ransom anyway to reduce the threat of additional attacks during the recovery period.

Cyberattacks On Hospitals Reportedly Lead To Deaths

Public reports are ubiquitous regarding cyberattacks on the health-care industry. Politico reported that:[11] 1) A 2021 study from Proofpoint and the Ponemon Institute, which surveyed more than 600 health-care facilities, found that mortality rates increased at a quarter of the facilities following a ransomware attack; 2) In 2020, a ransomware attack forced a hospital in Düsseldorf, Germany, to close its emergency department and a patient died in an ambulance while being rerouted to another hospital; and 3) In 2020, a woman sued an Alabama hospital after the death of her newborn baby, alleging that doctors failed to carry out critical pre-birth testing due to a cyberattack on the hospital.

Florida Lawyers Must Join The Fight To Increase Cyber-Resiliency

The increasing cyberthreats to our infrastructure present a clarion call for attorneys working for hospitals, municipal utilities, and governments, as well as those attorneys working for government contractors, to be proactive in reducing the risks of cyber threats to their respective clients. Attorneys must first recognize that this threat is on their doorstep as well. By recognizing this risk, attorneys can begin to counsel their clients on and prepare them for this incipient cyber threat. We are not alone, however. Attorneys have several resources from the state and federal government to help protect our public infrastructure clients.

Federal Initiatives to Combat Attacks On Critical Infrastructure

The Federal Government has been actively working toward improving our public infrastructure cyberthreat resiliency. Among the initiatives are:

Cybersecurity & Infrastructure Security Agency — According to its website, the agency (CISA),[12] which was created in 2018, “leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.”[13] CISA has identified 16 critical infrastructure sectors whose “assets, systems, and networks…are considered so vital…that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”[14] Entities operating within these sectors may be subject to federal regulations and civil penalties if they were to sustain a cyberattack that is directly correlated to their underperforming security practices.[15]

Cyber Fraud Initiative — In October 2021, the Department of Justice announced its cyber fraud initiative, which uses its civil enforcement tools to pursue government contractors when they fail to follow required cybersecurity standards or misrepresent their cybersecurity preparedness.[16] The initiative pursues cybersecurity-related fraud by government contractors (through the False Claims Act). Under the directive, the Department of Justice intends to hold accountable entities or individuals that put U.S. information or systems at risk by: 1) knowingly providing deficient cybersecurity products or services; 2) knowingly misrepresenting its cybersecurity practices or protocols; or 3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Lawyers representing government contractors need to be cognizant of this initiative.

May 12, 2021, Executive Order No. 14028 — On May 12, 2021, the U.S. president issued Executive Order No. 14028 to further improve our nation’s defenses on infrastructure by removing barriers and encouraging information sharing between the government and the private sector.[17] The executive order also modernizes and implements stronger cybersecurity standards in the federal government by directing federal agencies to take decisive steps to modernize their cybersecurity approach. Among other things, these steps include adopting security best practices, advancing toward Zero Trust Architecture,[18] and investing in both technology and personnel to match these goals. The order also standardizes the federal government’s response to cybersecurity vulnerabilities and incidents by directing federal civilian agencies to develop a standard set of operational procedures to be used in planning and conducting a cybersecurity vulnerability and incident response activity. This can also be used by the private sector in connection with its cybersecurity responses.

Cyber Incident Reporting for Critical Infrastructure Act — In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act was signed into law. The act requires critical infrastructure operators and federal agencies to report cyberattacks to CISA within 72 hours and to report ransomware payments within 24 hours. The act gives CISA the authority to subpoena companies that fail to report cybersecurity incidents or ransomware payments, and failure to comply with the subpoena can be referred to the Department of Justice.

But What About Florida?

Last year, Florida initiated a statewide assessment into the cybersecurity of both public and private critical infrastructure[19] and launched the Florida Cybersecurity Task Force. The appropriation provides $7 million in funding to Cyber Florida — an institution that provides cybersecurity education, academic and practical research to the state of Florida[20] — to conduct a comprehensive risk assessment. The assessment is part of a significant investment by the Florida Legislature to enhance the state’s cyber resiliency and includes a $30 million statewide cybersecurity awareness and upskilling training program. The Florida Cybersecurity Task Force operates adjacent to the Department of Management Services to review and assess the state’s cybersecurity infrastructure, governance, and operations.[21] With the growing cyberthreats targeting our nation’s critical infrastructure, Florida’s efforts in containing, mitigating, and proactively addressing its own infrastructure are an important first step that hopefully will lead to more robust programs to improve our state’s cyber resiliency.

Conclusion

Failing to prepare for threats to critical infrastructure can lead to catastrophic events. It is imperative that attorneys working within the critical infrastructure sector review and update their incident response plans to ensure that they comply with federal standards, institute new training and awareness initiatives, and adhere to the updated reporting requirements.

[1] Joe Mariani, et al., Incentives are Key to Breaking the Cycle of Cyberattacks on Critical Infrastructure, Deloitte (Mar. 8, 2022), https://www2.deloitte.com/us/en/insights/industry/public-sector/cyberattack-critical-infrastructure-cybersecurity.html.

[2] Trendmicro, Cyber-Attacks on Industrial Assets Cost Firms Millions, Trend (June 2, 2022), https://newsroom.trendmicro.com/2022-06-02-Cyber-Attacks-on-Industrial-Assets-Cost-Firms-Millions.

[3] See id.

[4] See id.

[5] IBM Report: Consumers Pay the Price as Data Breach Costs Reach All-Time High, IBM (July 27, 2022), https://newsroom.ibm.com/2022-07-27-IBM-Report-Consumers-Pay-the-Price-as-Data-Breach-Costs-Reach-All-Time-High.

[6] Maggie Miller, Hackers Breach, Attempt to Poison Florida City’s Water Supply, The Hill (Feb. 8, 2021), available at https://thehill.com/policy/cybersecurity/537890-hackers-breach-attempt-to-poison-florida-citys-water-supply/.

[7] Greg Murphy, Securing Tomorrow’s Smart Cities With Lessons From Today’s Enterprises, Forbes (Mar. 25, 2021), available at https://www.forbes.com/sites/forbestechcouncil/2021/03/25/securing-tomorrows-smart-cities-with-lessons-from-todays-enterprises/?sh=5777861ca4e3.

[8] Christopher Bing, et al., U.S. Seizes $2.3 mln In Bitcoin Paid To Colonial Pipeline Hackers, Reuters (June 7, 2021), https://www.reuters.com/business/energy/us-announce-recovery-millions-colonial-pipeline-ransomware-attack-2021-06-07/.

[9] Committee on Homeland Security, U.S. House of Representatives, 117th Congress, Cyber Threats In The Pipeline: Using Lessons From The Colonial Ransomware Attack To Defend Critical Infrastructure (June 9, 2021), available at https://www.congress.gov/event/117th-congress/house-event/LC66855/text?s=1&r=71.

[10] Jacob Bunge, JBS Paid $11 Million to Resolve Ransomware Attack, Wall Street J., June 9, 2021, available at https://www.wsj.com/articles/jbs-paid-11-million-to-resolve-ransomware-attack-11623280781.

[11] Maggie Miller, The Mounting Death Toll of Hospital Cyberattacks, POLITICO (Dec. 8, 2021), https://politi.co/3XRhXBH.

[12] The Cybersecurity & Infrastructure Security Agency (CISA) routinely issues advisories and alerts for those who want, or need, to stay current on cyberthreats. Sign up here: https://www.cisa.gov/uscert/ics/ICS-CERT-Feeds.

[13] CISA, About CISA, https://www.cisa.gov/about-cisa.

[14] Presidential Policy Directive 21 (PPD-21), National Infrastructure Protection Plan (NIPP), and federal policies identified and categorized U.S. critical infrastructure into the following 16 critical infrastructure sectors: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials, and waste, transportation systems, water and wastewater systems; CISA, Critical Infrastructure Sectors, https://www.cisa.gov/critical-infrastructure-sectors.

[15] CISA, CFATS Laws and Regulations, CFATS Enforcement, https://www.cisa.gov/cfats-enforcement.

[16] U.S. Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[17] The White House, Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021), https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[18] “Zero trust…[seeks to] minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. The goal is to prevent unauthorized access to data and services and make access control enforcement as granular as possible.” CISA, Zero Trust Maturity Model, https://www.cisa.gov/zero-trust-maturity-model.

[19] See H.B. 5001, Appropriation 2944B; Cyber Florida, Cyber Florida Launches Statewide Cybersecurity Risk Assessment for Critical Infrastructure (Oct. 21, 2022), https://cyberflorida.org/2022/10/cyber-florida-launches-statewide-cybersecurity-risk-assessment-for-critical-infrastructure/; Department of Management Services, Cybersecurity Task Force, Overview, https://www.dms.myflorida.com/other_programs/cybersecurity_advisory_council/cybersecurity_task_force.

[20] Cyber Florida, Our Mission, https://cyberflorida.org/about/.

[21] See H.B. 5301, defined in Fla. Stat. §20.03(8); Florida Department of Management Services, Cybersecurity Task Force, https://www.dms.myflorida.com/other_programs/cybersecurity_advisory_council/cybersecurity_task_force.

Franklin L. Zemel

Franklin L. Zemel focuses on privacy and cybersecurity appellate law, business law, civil rights litigation, securities, antitrust, complex commercial litigation, and labor and employment law. He represents large and small businesses, manufacturers, and religious entities in South Florida and has several significant reported cases.

 

Austin G. Strine

Austin G. Strine represents clients in complex civil litigation in state and federal courts. His experiences include data privacy and cybersecurity issues, commercial breach of contract claims, and corporate and shareholder disputes and business defamation cases. Strine completed a Harvard University course on Managing Cybersecurity Risk in the Information Age and a Northwestern Pritzker School of Law course on Data Privacy Law and Data Protection.

Erik J. VanderWeyden

Erik J. VanderWeyden focuses his practice on cybersecurity and data privacy, tax controversy, and community association law. He counsels clients on cybersecurity incident preparation and response, data privacy and protection matters, and regulatory and internal compliance.