The SolarWinds hack revelation provides an illustrative and timely example of how cybersecurity vulnerabilities can affect every organization: the company’s enterprise software, a network monitoring system, was installed at government agencies, including the DOC and DOT, at tech giants such as Cisco, Intel, Nvidia, and VMware, and at hospitals and universities. The SolarWinds breach should come as no surprise. The risk of these supply chain hacks is much higher than previously acknowledged, due to the high level of connectivity across different sectors of the economy.
The US recognizes sixteen designated sectors as critical infrastructure, including transportation and financial services, “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any of the combination
Enterprise software shows how vulnerabilities affect every sector. Even before the COVID-19 pandemic, many industries relied on VPN and RDP to enable work away from the office. Ransomware attacks are mainly carried out by exploiting VPN and RDP exposures; others exploit SMB, as the well-known WannaCry did in 2017.
The critical infrastructure classification potentially misses an important aspect of cybersecurity. This blind spot means that sectors with the greatest output and the most cyber-vulnerabilities are not on the current list of critical infrastructures. Researchers provide a way to understand network cybersecurity risk and thereby identify what should be deemed critical infrastructure and when increased cybersecurity measures are needed.
Along with the Rapid7 data, the researchers created two measures of the networked cybersecurity problem: one that captures productivity effects, and one that captures cybersecurity risk. Sector-level risk is calculated from these measures.
First, some sectors that typically would not be considered a cybersecurity risk rank fairly high, namely professional services. That shouldn’t come as too much of a surprise: every sector, including those within the current interpretation of critical infrastructure, uses professional services. Second, the correlation between an industry’s own cybersecurity risk and its network cybersecurity risk is very small, whereas the correlation between a sector’s productivity and the productivity of its supply chain is much larger.
This is easiest to see in professional services. Even though professional services might not be traditionally defined as critical infrastructure, every sector uses these services, so any vulnerabilities inherent in them will necessarily propagate across the network.
This leads to two policy recommendations. First, NIST and BIS should share more data with one another and coordinate on an assessment of cybersecurity risk. NIST could issue guidance, re-evaluated over time, for firms in each of the following risk categories: firms that display systemic risk because of their size and connectivity; sectors that display sufficiently large risk based on the sum total of the firms in the sector and their connectivity to the rest of the economy; and firms in sectors that are lower risk. Such a classification would significantly help in prioritizing precautionary actions, in addition to providing investors and the broader market with information about vulnerabilities.