
CrowdStrike bug and risk of cascading failures

During World War II, the United States Army Air Forces twice attacked ball bearing factories in Schweinfurt on the grounds that disruption of production activities would impact Germany’s ability to produce many types of war machines.

This pattern holds true today in the world of cybersecurity, where an attack that spills over from one industry has broader consequences for the whole ecosystem. The cyberattack on Colonial Pipeline affected American Airlines operations at Charlotte Douglas Airport. The Russian NotPetya cyberattack on Ukraine spread beyond its target across the Internet, disrupting supply chains around the world.

At the S4 Conference in 2023, Josh Corman spoke on stage about the possibility of cascading failures. The Cybersecurity and Infrastructure Security Agency’s National Critical Functions were born from the need to coordinate cybersecurity across critical infrastructure sectors. In his talk, Josh showed how, for the health care sector to fulfill the national critical function of “delivering patient care,” hospitals depend on several other critical infrastructure sectors, including water, energy, transportation and emergency services.

If a critical cyber incident against a single pipeline or shipping company could have clear supply chain consequences, what would a cyber incident look like across multiple segments of the economy? The consequences can be profound.

What’s more troubling is that this isn’t a new problem. More than 21 years ago, SQL Slammer was estimated to have infected one in 1,000 computers worldwide. Unlike the CrowdStrike bug, which was the subject of a Congressional hearing last week, Slammer was an intentional exploit for which a patch had been available for more than six months. While there are certainly differences between the two events, software doesn’t care about intentions, motives or geopolitics.

Digital technology has spread into every aspect of the lives we rely on, including cars, water utilities, energy generation and medical devices, bringing enormous societal benefits. Research by Claroty Team82 shows that the same unsafe code and misconfigurations that have historically caused problems in software are present in technology that can affect the physical world. It is no exaggeration to say that the consequences for national security, economic security and public safety are enormous and potentially devastating.

Although the CrowdStrike event caused personal inconvenience and businesses suffered losses, the world has already moved on. But before we close this short chapter in our digital history, it is an important moment for reflection and action for both businesses and governments to prevent a broader and more painful event in the future.

Cyberattacks on cyberphysical systems: the moving red line

Every water treatment plant, energy utility, manufacturing plant and office building – including military bases and hospitals – uses digital equipment to achieve important goals. These connected devices are called cyber-physical systems (CPS) and have the ability to gain insight into conditions or effect changes in the physical world. The reality is that there are billions of tiny computers supporting every aspect of our lives today, bringing enormous benefits to society. However, the soft underbelly of this digital society is digital risk, and we have seen cybercriminals and nation states exploit the flaws in our digital lives to cause harm.

The first notable attack on CPS was the Stuxnet malware in 2014, which hampered Iran’s nuclear enrichment program by driving centrifuges out of control while indicators suggested everything was operating normally. Other events have taken place in the last decade, including Industroyer, the Russian malware that knocked out part of the power grid serving the Kiev region of Ukraine for an hour in 2016; the attempted Iranian attack on Israeli water utilities in 2020; and Chinese intrusions into US critical infrastructure, including energy and water systems, in 2023.

The bottom line about some of these incidents – especially unintentional ones like the CrowdStrike bug – is that cybercriminals and hostile nation states are using them as an opportunity to understand weaknesses in critical infrastructure resilience, how the private and public sectors respond, and the impacts on national security, economic security and public safety.

China has begun to expand its goals from espionage to penetrating US critical infrastructure and military infrastructure in order to deprive the US of combat capability and sow confusion in the country in the event of conflict. The reality is that the digital infrastructure that provides so many societal benefits is also our digital Achilles heel. We should see the creeping line of IT attacks moving into CPS and impacting the real world for what it is: a red line that our adversaries will continually cross to achieve their goals.

The CrowdStrike Mistake: Maintaining Perspective While Understanding the Broader Implications

Let’s be clear: the CrowdStrike bug was nothing more than a bug coupled with weaknesses in the quality assurance process. Mistakes happen even to best-in-class organizations. However, something has changed in our digital dependence over the last few years. Unlike an information system, the physical side of a cyber-physical system may be an oil pipeline, a foundry or a patient in a hospital. The physical consequences of failure are broader and more dangerous than ever before.

Although attacks on CPS are rare, it is important to remember that many of the systems that manage or control them run on Windows operating systems. Not only are over 25% of the 1,181 vulnerabilities in CISA’s catalog of known vulnerabilities tied to Windows operating systems; the picture is further complicated by the necessary culture of reluctance to change in operational technology and by the long service lives of industrial devices, which run well past obsolescence, both of which create greater cyber risk. What if a nation-state directly attacked CPS in U.S. critical infrastructure in a way that was harder to fix than the CrowdStrike bug?

What can be done?

Despite the high cyber risk associated with many CPS, replacing the insecure infrastructure deployed in resource-intensive enterprises and government facilities will take years. In the meantime, three key actions need to be taken:

  1. Operationalize compensating controls. With an inventory of assets and a clear understanding of known-good communication patterns, organizations can make progress in implementing compensating controls, such as network segmentation or secure access, that limit the ability of machines or users to connect to these sensitive systems.
  2. Extend Secure by Design to CPS. In April 2023, CISA introduced a familiar but critical concept, Secure by Design, which needs to be expanded and focused on CPS together with medical device manufacturers and automation solution providers.
  3. Use Secure by Demand. CISA recently introduced Secure by Demand, a body of work that gives asset owners recommended questions to ask software vendors before, during and after purchase, to shape market forces toward producing more secure software.
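The first action above rests on two artifacts: an asset inventory and a baseline of known-good communication patterns. The following is an added example, not Claroty’s product or code from the article, of how a defender turns those two artifacts into a compensating control: observed flows are resolved to inventoried assets and zones, cross-zone flows are checked against the baseline, and anything unexplained (an uninventoried endpoint, or a zone-to-zone pattern never seen in normal operation) is reported as a candidate for a segmentation or secure-access rule. The asset names, IP addresses, zone labels and flow records are constructed for the example.

```python
"""Checking observed network flows against an asset inventory and a baseline of
known-good communication patterns. Constructed example, not Claroty's product
or code; asset names, IPs, zones and flow records below are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    zone: str            # segmentation zone, e.g. "ot_level1" (PLCs), "ot_level2" (HMIs), "it_corp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    kind: str            # "unknown_asset" or "policy_violation"
    flow: Flow
    detail: str


# Constructed asset inventory: the first prerequisite the article names.
INVENTORY: List[Asset] = [
    Asset("plc-01", "10.20.0.5", "ot_level1"),
    Asset("hmi-01", "10.20.1.10", "ot_level2"),
    Asset("eng-ws-01", "10.20.1.50", "ot_level2"),
    Asset("historian", "10.10.5.20", "it_dmz"),
    Asset("corp-laptop-7", "10.1.8.33", "it_corp"),
]

# Constructed baseline of known-good cross-zone patterns (the second prerequisite).
# Traffic within one zone is accepted implicitly; anything cross-zone must match a rule.
BASELINE: Set[Rule] = {
    Rule("ot_level2", "ot_level1", "tcp", 502),   # HMI / engineering workstation -> PLC, Modbus/TCP
    Rule("ot_level2", "it_dmz", "tcp", 443),      # HMI -> historian in the DMZ over TLS
}


def build_index(inventory: List[Asset]) -> Dict[str, Asset]:
    """Map IP -> asset so each flow endpoint resolves to a zone in O(1)."""
    return {a.ip: a for a in inventory}


def evaluate_flow(flow: Flow, index: Dict[str, Asset], baseline: Set[Rule]) -> Optional[Finding]:
    """Return a Finding for a flow not explained by inventory and baseline, else None."""
    src = index.get(flow.src_ip)
    dst = index.get(flow.dst_ip)
    # An endpoint missing from the inventory is itself a finding: you cannot
    # segment what you have not inventoried.
    if src is None or dst is None:
        missing = flow.src_ip if src is None else flow.dst_ip
        return Finding("unknown_asset", flow, f"{missing} is not in the asset inventory")
    if src.zone == dst.zone:
        return None
    if Rule(src.zone, dst.zone, flow.proto, flow.dst_port) in baseline:
        return None
    return Finding(
        "policy_violation",
        flow,
        f"{src.name} ({src.zone}) -> {dst.name} ({dst.zone}) {flow.proto}/{flow.dst_port} not in baseline",
    )


def evaluate_flows(flows: List[Flow], inventory: List[Asset] = INVENTORY,
                   baseline: Set[Rule] = BASELINE) -> List[Finding]:
    """Evaluate every flow; each finding is a candidate segmentation or access-control rule."""
    index = build_index(inventory)
    return [f for f in (evaluate_flow(fl, index, baseline) for fl in flows) if f is not None]


# Constructed flow records, in the shape a flow collector or firewall log might export.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.1.10", "10.20.0.5", "tcp", 502),     # HMI -> PLC, expected
    Flow("10.20.1.50", "10.20.1.10", "tcp", 445),    # within ot_level2, accepted implicitly
    Flow("10.20.1.10", "10.10.5.20", "tcp", 443),    # HMI -> historian, expected
    Flow("10.1.8.33", "10.20.0.5", "tcp", 502),      # corporate laptop speaking Modbus to a PLC: violation
    Flow("192.168.77.9", "10.20.1.10", "tcp", 3389), # RDP to the HMI from an uninventoried host
    Flow("10.20.0.5", "8.8.8.8", "udp", 53),         # PLC resolving DNS on the internet: uninventoried destination
]


if __name__ == "__main__":
    for finding in evaluate_flows(SAMPLE_FLOWS):
        print(f"[{finding.kind}] {finding.detail}")
```

Run against the constructed flows, the check produces three findings: one policy violation (the corporate laptop reaching a PLC) and two unknown-asset findings. Both kinds are the raw material for the compensating controls the article describes, a firewall or segmentation rule for the violation, and an inventory correction or access restriction for the endpoints nobody had recorded.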

While the adoption of CPS drives innovation and efficiency, the nature of these assets creates new forms of risk. If one link in the global supply chain fails, the failure can spread to other industries and impact critical services. The CrowdStrike incident was not a malicious attack, but a simple, faulty content update in a ubiquitous cybersecurity tool literally brought down some airlines, emergency services and hospitals. Disruption poses a real threat to economic and national security, and we must understand the role CPS plays in the smooth functioning of everyday society.

Grant Geyer is the Chief Strategy Officer at Claroty Ltd., an industrial cybersecurity company. Previously, he was a resident director at Scale Venture Partners, an executive at RSA and Symantec, and served as a military intelligence officer in the U.S. Army. He wrote this article for SiliconANGLE.

Photo: SiliconANGLE/Ideogram
