In his Tech Talk, Mr. Victor Murray, Assistant Director of the High Reliability Systems Division at Southwest Research Institute, provided an in-depth discussion on cybersecurity threats, real-world incidents, and best practices for risk management in safeguarding critical infrastructure.
Mr. Murray began with an argument: cybersecurity requires a risk management approach rather than the pursuit of an unattainable, completely secure system. He explained that cyber incidents often arise due to access vulnerabilities and user errors, which can have severe consequences. To illustrate the impact of human error, he recounted an incident where a single mistake led to a recovery effort spanning seven months, demonstrating the critical need for vigilance in cybersecurity practices.
Expanding on the motivations behind cyberattacks, Mr. Murray categorized them into financial gain and geopolitical objectives. Ransomware attacks, aimed at extorting money, have become increasingly prevalent. He cited the ransomware attack on the Colonial Pipeline’s billing system, which led to a five-day operational halt, a fuel shortage on the East Coast, and a ransom payment exceeding four million dollars, though approximately two million dollars were recovered.
“Risk management is how everybody should be managing their cybersecurity. There is no such thing as a completely secure system.”
Mr. Victor Murray
Assistant Director, High Reliability Systems Division
Southwest Research Institute
Further illustrating the ramifications of such attacks, Mr. Murray discussed how they can be leveraged as tools of warfare, influencing national security operations in ways previously unseen. A powerful example of this tactic was the coordinated cyberattack on Viasat, a U.S. communications company, on the eve of the Russian invasion of Ukraine. By exploiting weaknesses in network management, attackers wiped router firmware, causing a denial of service. This incident resulted in a significant internet outage across Eastern Europe, disrupting Ukrainian military communications during the invasion.
Given the increasing frequency and complexity of cyber threats, Mr. Murray stressed the importance of cybersecurity beyond just operational concerns. Protecting critical infrastructure is vital for ensuring regulatory compliance, maintaining economic stability, preserving public safety and trust, and strengthening resilience against cyberterrorism.
To effectively combat cyber threats, a multi-layered approach is necessary. Detection mechanisms, adherence to established frameworks and standards—such as those developed by the National Institute of Standards and Technology (NIST)—and, most crucially, effective risk management are key components of a strong cybersecurity strategy. Mr. Murray reiterated that "risk management is how everybody should be managing their cybersecurity," reinforcing the notion that no system can be completely secure. Collaboration and information sharing are also crucial to cybersecurity, as timely communication can be instrumental in mitigating cyber threats before they escalate.
In his final remarks, Mr. Murray made clear that cybersecurity is not just a technical issue but a fundamental aspect of national and economic security in an increasingly interconnected world.