Seven Steps To Help Secure Critical Infrastructure
Critical infrastructure and public sector organizations such as governments and municipalities, manufacturing units, communication networks, transportation services, and power and water treatment plants have been battling a growing wave of breaches and cyberattacks. Three main reasons exist why critical infrastructure is being targeted:
• Opportunity for real-world disruption. Attacks on railways, ports or air control systems can create shortages in food supply or halt supply of critical components and resources. Attacks on financial systems like the stock market or large telecom providers can shut down a country’s economic activity.
• Legacy and outdated infrastructure. Many critical infrastructure organizations rely on legacy systems that have either reached their end of life or have not received updates in decades. Such systems and devices have critical vulnerabilities that threat actors can exploit. In addition, the rise of IT and operational technology (OT) convergence—including the need for remote access to OT assets—has substantially increased the attack surface.
• A tool to further national and geopolitical interests. Geopolitical conflicts around the globe have given rise to a new domain of cyber warfare where cyberattacks can be leveraged as a means of espionage, a weapon of mass destruction, carnage or chaos, and a tactic to disrupt a strategic competitor or a rival nation.
Developed after a careful analysis of these challenges, below are seven steps that can help critical infrastructure organizations improve cyber defenses:
1. Formulate A Cybersecurity Program Based On Risk
Start by identifying your priority areas and addressing risky assets. Next, run an in-depth vulnerability assessment to identify weaknesses in hardware, software or misconfigurations. Embark on a comprehensive scenario-planning exercise to identify unique risks based on identified vulnerabilities, threats, challenges and potential situations.
2. Invest In The Right Technological Controls
Critical infrastructure organizations must invest in an integrated defense approach that comprises air gapping and the segmentation of highly sensitive systems and data. They must adopt a zero-trust framework that includes:
- Leveraging next-generation firewalls, intrusion prevention systems and other security controls to detect and prevent external attacks.
- Securing or limiting remote access.
- Limiting privileged access to only a handful of users.
- Implementing rigorous and continuous patching of OT and Industrial Internet of Things.
3. Take Account Of Compliance And Regulations
Critical infrastructure organizations must adhere to several sector-based regulations and frameworks. For example, power grids must implement a series of mandatory controls called the NERC CIP. Similarly, public water sources and the aviation industry must comply with Environmental Protection Agency and Transportation Security Administration guidance. The U.S. government issued a new mandate (CIRCIA) that requires organizations to report attacks within 72 hours and ransomware payments within 24 hours.
4. Train Employees On Cybersecurity Hygiene
It is believed that human error is the biggest risk to industrial control systems. Colonial Pipeline’s CEO told Congress that the May 2021 attack that shut down fuel supply across the eastern U.S. was caused by poor password practices. Moreover, as generative AI matures, threat actors will weaponize deepfakes to impersonate employees and infiltrate organizations using highly targeted social engineering attacks. It is important to train employees to recognize and report phishing attempts.
5. Test And Validate Defenses Regularly
Penetration testing, a type of simulated cyberattack, can help identify gaps in security control and defenses. Since cyberattack vectors and techniques evolve regularly, organizations must perform routine penetration tests to identify critical vulnerabilities and improve security posture. In the case of critical infrastructure, it’s equally important to conduct physical penetration testing, as some attackers will attack air-gapped targets by physically infiltrating their environments and then deploying malware via a physical connection or USB stick.
6. Establish A Vendor Risk Management Program
Threat actors are known to exploit the trust existing between organizations and their third-party suppliers as well as machine-to-machine communication channels to launch attacks against organizations. Like other organizations, critical infrastructure depends on a network of third-party players to grow and operate their businesses.
As seen in the attacks involving SolarWinds or 3CX, threat actors can leverage trusted relationships and interconnected systems to compromise critical infrastructure environments. Organizations must develop strong, robust vendor management risk programs to regularly validate and identify evolving and emerging risks arising from suppliers and channel partners.
7. Opt For Cyber Insurance
While insurance certainly does not equal cybersecurity, it’s always a good idea to have this safety net available. Some critical infrastructure organizations already have a Terrorism Risk Insurance Program (TRIP) in place. However, according to the U.S. Government Accountability Office, these programs provide limited coverage for catastrophic losses arising from cyber events. Additionally, certain cyberattacks may not meet the terrorism criteria.
That said, insurers have introduced exclusions for losses arising from warfare, infrastructure outages and ransomware. Organizations need to evaluate policy inclusions carefully before purchasing insurance.
Critical infrastructure is the backbone of any society. Before the internet age, a physical attack on critical infrastructure would’ve been deemed an act of terrorism or an act of war. Today, these organizations face hundreds and thousands of attacks every day, perpetrated by skilled and highly resourced attackers operating from all corners of the world.
Given the vast scope of attack vectors and security mitigations, it’s impossible to cover all bases. Along with implementing the above guidance and best practices, I advise organizations to collaborate with seasoned cybersecurity teams. These experts can offer an impartial view and deliver IT-OT cybersecurity knowledge that some enterprises may not possess internally.
