Cybersecurity Threats & Public Utilities

Cyberattacks are increasingly targeting critical infrastructure. Are we ready?

by Eric J. Wallace

With recent reports estimating total global damages related to cyberattacks will surpass $9.5 trillion in 2024 and the FBI predicting U.S. losses of more than $10.2 billion, cybercrime has become one of the most pressing security issues of our time. Even worse, cybercriminals are increasingly targeting more than just businesses and individuals. The world’s critical infrastructure—think hospitals, ports, electric utilities, natural gas companies and banks—suffered 13 cyberattacks per second in 2023 (a 30% year-over-year increase), with damages going far beyond simple dollars and cents.

The U.S. Cybersecurity & Infrastructure Security Agency defines critical infrastructure as a “a complex, interconnected ecosystem of assets, systems, and networks that provide functions necessary for our way of life.” Any threat to these sectors “could have potentially debilitating national security, economic, and public health or safety consequences.”

On the less malignant side of the spectrum you have hackers and so-called hacktivist groups sharing information with one another and looking to breach cybersecurity systems for a number of reasons, either because they enjoy it and want to earn bragging rights, or to make a political or social statement, says Tracy Gregorio, founding CEO of Norfolk-based G2 Ops Inc, one of the state’s top cybersecurity services firms.

For instance, a spoof attack might appropriate a high school emergency alert system to text-blast a lewd joke about a principal or teacher. A more serious intrusion could seek to protest municipal politics—like Anonymous’s 2011 attack on San Francisco’s public transport body—by bringing automated public transportation systems to a grinding halt.

More nefarious cybercriminal actors and syndicates use mechanisms like malicious software, phishing schemes, satellite hacking, and more to penetrate defenses and wreak havoc that has far-reaching impacts. The Russian-linked cyber gang Sandworm, for instance, hacked Ukrainian power grids in 2022, causing a pair of mass blackouts—and experts believe Chinese-backed groups like APT41 are currently laying the groundwork to attempt the same in the U.S. A 2021 ransomware attack by another Russian bad actor shut down the Colonial Pipeline for a week, disrupting the distribution of 45% (around 700 million gallons) of all refined petroleum products consumed on the East Coast and causing, for example, temporary closures at nearly 50% of gas stations in North Carolina and Washington, D.C.

Closer to home, a 2021 breach of the Virginia legislative branch downed servers and systems that handle everything from drafting bills to storing voicemails to reporting budgetary line items.

“These groups are highly sophisticated and they’re often backed or protected by governments like Russia, China, North Korea and Iran,” says Gregorio, who has worked as a top-level software engineer, computer scientist and cybersecurity expert for more than 35 years. Deep resources enable them to doggedly search for weaknesses in digital security infrastructure “and pursue them relentlessly.” Furthermore, they quickly disseminate information and collaborate around vulnerabilities, new technologies and strategies, “which enables bad actors to advance their capabilities at an extremely rapid rate.”

That means the critical infrastructure sector must be equally vigilant and forward-thinking to stay ahead. But what we want to know is: Are vital companies, agencies and organizations in Coastal Virginia doing enough?

“The short answer is that while significant strides have been made in cybersecurity, the landscape of cyber threats evolves so rapidly that our defenses need constant updates and enhancements,” says Gregorio. The critical infrastructure sector is making efforts to protect itself, “but the challenge is monumental and ongoing. Cybersecurity is not a one-time fix but a continuous [and costly] process of risk management, threat assessment, and response planning.”

Dominion Energy spokesperson Cherise Newsome says the utility is meeting the challenge.

“Protecting the physical and cybersecurity of the power grid is of paramount importance and fundamental to our mission of providing reliable, around-the-clock power to our customers,” Newsome wrote in an email. Dominion invests millions of dollars a year in cybersecurity and uses “multiple, overlapping layers of protection that includes human, physical, and technological defenses.”

The company also follows FBI-recommended best practices, such as coordinating security measures with local, state and federal law enforcement to stay abreast of new or emerging threats, ensuring state-of-the-art defenses are in place, and more.

“As threats evolve, so do our defenses,” says Newsome. “We continuously adjust our security measures to guard against the latest threats, and we constantly evaluate what additional investments are necessary to strengthen the reliability and security of the power grid.”

Robert Mims, director of technology security at Southern Co., the parent company of Virginia Natural Gas (VNG), which serves more than 300,000 residential, commercial and industrial customers in southeast Virginia, also asserts his company’s cyber readiness.

“We recognize that advanced cyber adversaries are constantly improving their capabilities and testing the defenses of companies across all critical infrastructure sectors,” says Mims. In response, VNG has invested heavily in a cybersecurity program that protects “both customer information and critical infrastructure.”

Mims says the program works by leveraging “a cross-functional, risk-based, ‘defense-in-depth’ approach to prevent, detect, identify, mitigate, respond to, recover from, and generally manage risks from cybersecurity threats and incidents that may result in material adverse effects on the confidentiality, integrity, and availability of Southern Company information systems.”

Like Gregorio, he’s quick to emphasize that no single technology, process or control can effectively prevent or mitigate all attacks. Instead, VNG employs “multiple technologies, processes and controls, all working independently but as part of a cohesive strategy to minimize overall risk.”

Both the strategy and its mechanisms are run through an ongoing gauntlet of rigorous, near-constant testing. VNG conducts routine “auditing, penetration testing, vulnerability testing, and other exercises designed to assess effectiveness.” Recognizing that front-line security measures are not 100% failproof, the company builds resiliency into its systems “through architecture design, business continuity plans, and disaster recovery plans, and regularly tests these plans through real world events and exercises.”

Lastly, Mims says VNG partners “with energy sector and U.S. government agencies to share cyberthreat intelligence and ensure they’re positioned to provide support in the event of a nation-state attack.”

Gregorio applauds these efforts but emphasizes the need for continued vigilance throughout all critical infrastructure sectors.

“While entities in Coastal Virginia are indeed making efforts to safeguard against cyberthreats, the dynamic nature of these risks requires an ever-evolving, multifaceted approach,” she says. “By focusing on comprehensive risk management, collaboration, advanced technologies, regulatory excellence, public-private partnerships, and resilience, we can fortify our defenses against the growing threat of cyberterrorism and cyberattacks.”
