The Rhysida ransomware group’s attack on the Port of Seattle, which operates the Seattle-Tacoma International Airport, is just the latest high-profile attack to exemplify the risk critical infrastructure is confronting.
Critical infrastructure providers are often operating with constrained resources and, despite the federal government’s efforts to help fill those gaps, attacks usually cause sweeping damage. Part of the problem, one official said, is that airports wait too long for federal cyber improvement recommendations.
Every U.S. airport is required to assess its cybersecurity resilience and submit improvement plans to the Transportation Security Administration, but there remains a disconnect and delay in how the federal government follows up on these efforts, according to Lance Lyttle, aviation managing director at the Seattle-Tacoma International Airport.
“One way that we could help is if the TSA and Cybersecurity and Infrastructure Security Agency consolidate this information, come up with best practices and actually disseminate it back to the aviation industry,” Lyttle said Wednesday during testimony before the Senate Committee on Commerce, Science and Transportation.
“Currently it’s a one-way street,” Lyttle said. “We’re sending the information but we’re not getting back in a timely enough manner recommendations of how to improve our infrastructure. That would make a major difference.”
That disengagement and lack of follow-through puts the most resource-constrained critical infrastructure sectors at a significant disadvantage.
CISA’s cybersecurity performance goals, a roadmap it released two years ago, aim to help organizations operating in what the agency describes as target-rich, resource-poor supply chains, which are often run by small- to medium-sized businesses.
The agency declined to answer questions about the Port of Seattle attack, but pointed to efforts such as the Joint Ransomware Task Force’s StopRansomware Guide as a resource to help organizations prevent, detect, respond and recover from ransomware attacks.
Airports aren’t alone in tackling the enormity of cybersecurity with limited expertise and resources. Most critical infrastructure organizations are still playing catch-up on cyber resilience efforts, Emily Mossburg, global cyber leader at Deloitte, told Cybersecurity Dive. “I don’t think many organizations recognize the true chance for a complete meltdown, if you will, and then having to start over.”
Leaders across government and enterprise need to continue focusing on the true disruption that cyberattacks can bring, including “real harm, in the physical sense, through digital means,” Mossburg said.
Cyberattack recovery is a slog
The Seattle incident resulted in widespread system outages, data theft and encryption, but fortunately, for travelers coming in and out of Seattle, flights and cruises were largely unimpacted.
Most of the systems impacted in the wake of the Aug. 24 attack on the Port of Seattle have been restored, but the port’s website, internal portals and the airport’s mobile app are still non-operational.
Port of Seattle officials haven’t said when they expect to resume normal operations, but critical infrastructure organizations and enterprises of all types typically take months to fully recover from a ransomware attack.
“The attack embodies exactly what federal agencies have been warning about for some time now,” Michela Menting, senior research director at ABI Research, said via email.
Ransomware attacks are increasing across sectors, but a larger share is targeting critical infrastructure. More than 2 in 5 attacks reported to the FBI last year hit critical infrastructure, up from one-third of attacks in 2022.
There remains a significant variance in cyber preparedness and risk assessments across the 16 sectors the federal government designates as critical infrastructure, especially as the physical and digital worlds collide in target-rich, resource-poor sectors, such as ports, manufacturing, water and energy.
The Port of Seattle incident embodies the interconnected nature of critical infrastructure, which spans IT systems and multimodal transportation connected to a region’s economic hubs. Other critical infrastructure sectors, such as hospitals, K-12 school districts or local water utilities, confront a similar imbalance.
“In this case, the attack also shows the increasingly indiscriminate nature of impact to both digital assets such as websites, and cyber-physical systems such as baggage handling systems,” Katell Thielemann, VP distinguished analyst at Gartner, said via email.
While organizations understand it’s only a matter of time before they’re hit with a security incident, Mossburg said many businesses haven’t effectively cordoned off their seed files, builds and crown jewels to facilitate a swifter recovery.
“The issue with ransomware is the way that it moves through the organization and it gets to every instance of data,” Mossburg said.
Cyber preparedness and resiliency require organizations to develop and adhere to an incident response plan. “Importantly, organizations should be stress testing these on a continuous basis,” Menting said.
“Security leaders must take a hard look at whether they have the right tools to secure both digital and cyber-physical systems,” Thielemann said. “If a ransomware attack can simultaneously affect websites and check-in kiosks, it is time to revisit these tools’ fit for purpose.”