Cyberattacks continue to grow worldwide, which has increased awareness and concern about utilities, industries, and personal risk. There is a universal understanding that this is a national security threat. In the U.S., I suggest the government consider creating cybersecurity investment tax credits for industry to stimulate more protection.
There have been many incidents that prove cyberattacks can bring down businesses and infrastructure. Most recently, the Colonial Pipeline ransomware attack shut down the largest gasoline pipeline in the U.S., which carries 2.5 million barrels per day of gasoline and other refined fuels.
This cyberattack had the biggest impact on physical operations of critical infrastructure in U.S. history. Some reports attribute the attack to a criminal group called “DarkSide,” known for ransomware attacks. A recent report by Cyberreason estimates that the group has targeted well over 40 victims, with ransom demands ranging from $200,000 to $2 million USD per incident.
On 28 May 2021, Reuters reported that U.S. energy companies are scrambling to buy more cybersecurity insurance after the attack on Colonial Pipeline disrupted the U.S. fuel supply, but they can expect to pay more as cyber insurers plan to hike rates following a slew of ransomware attacks. Fundamentally these companies are trying to hedge risk rather than mitigate root causes.
The lesson from ransomware attacks is clear: national security is at high risk in any country. Cyberattacks, including those targeting automation and control systems, are increasing significantly. My view is the “big game” has not yet started. Winners of classic military battles generally get good reconnaissance and probe at their opponents’ defenses before launching major attacks. Carrying the war analogy further, there are typically campaigns with many battles. “Even as we speak, there are thousands of attacks on all aspects of the energy sector and the private sector generally. . . . it’s happening all the time,” U.S. Energy Secretary Jennifer Granholm told Jake Tapper on CNN’s “State of the Union” cable show, 7 June 2021.
A cybersecurity investment tax credit would work like tax credits for energy conservation that have been around for many years. Energy conservation tax credits had a major goal of achieving energy independence, which was viewed as a national security issue. More recent tax credits include those for installation of alternative energy generation, particularly solar and wind.
A bipartisan group of U.S. House of Representatives members recently introduced legislation to step up cybersecurity literacy and increase awareness among the American public amid the spike in cyberthreats against critical infrastructure. The American Cybersecurity Literacy Act would require the National Telecommunications and Information Administration (NTIA) to establish a cyber literacy campaign to help promote understanding of how to stay safe online and prevent successful cyberattacks.
Cybersecurity tax credits incentivize companies to invest in personnel education and technologies to protect operations and strengthen national security by selecting an appropriate solution for their businesses. As with energy conservation, there are existing standards, product solutions, and guidelines, including ISA/IEC 62443, that need to be applied based on the specific use case.
In the June 2021 issue of InTech, Eric Cosman provided guidance in his article, “Automation Systems Cybersecurity: From Standards to Practices.” It is interesting that companies can take a tax deduction for insurance premiums that only provide a level of financial protection.
I spent a number of years in the energy conservation area and realized the value of investment tax credits to achieve results and stimulate the development of superior solutions. The time is now for action on this topic.
This blog has been repurposed from InTech.