A number of high-profile incidents show that the need for critical infrastructure security has never been greater. These essential industries are being challenged due to the accelerated change brought on by the digital revolution as well as evolving sophistication of strategies used by cyber attackers.
Critical sectors are typically defined as those falling within the following categories:
- Power, utilities, and renewables
- Oil, gas, and mining
- Water
- Telecommunications
- Transportation
- And, increasingly, space-related sectors such as satellite manufacturing and launching industry
Successful attacks on this type of infrastructure can not only lead to billions of dollars of damage, but also put public safety and national interests at risk. An extreme example is an unsuccessful, but close attempt, to poison the Oldsmar (Florida) water plant’s water supply by altering pH levels through its computer systems.
Attacks on critical infrastructure seem to be growing more frequent as nations compete for resources and political leverage. State-sponsored cyber activity is a particularly nefarious threat facing critical infrastructure operators.
Tips for Managing Cybersecurity for Critical Infrastructures
Before we look at what an effective cybersecurity approach for critical infrastructure looks like, let’s take a look at important guidelines to keep in mind as you find the right solution for your organization:
Don’t confuse compliance with security – Regulatory compliance is important for managing risk in increasingly complex compliance landscapes. However, it’s not a substitute for a dedicated security framework.
Analyze and understand third-party risks – Critical infrastructure operators usually operate within complex supply chains that may involve multiple subcontractors at different levels. Partners must understand and adjust for the risk of these points-of-contact.
Implement a Robust Incident Response Procedure – Proactively adopting security standards is not enough. You also need to be able to monitor, respond, and report effectively to cyber incidents to mitigate damage and stay compliant.
Finally, remember to approach critical infrastructure cybersecurity across all facets of your organization:
- People
- Processes
- Technology (both IT and OT)
What is the Best Cybersecurity Approach for Critical Infrastructures?
Due to the increasingly complex and diverse nature of critical infrastructure assets, it’s impossible to identify a single, one-size-fits-all approach that will satisfy the security needs and threat landscape of all entities.
However, we do know some of the most desirable features that an optimal security approach should have.
Adoption of a Hybrid Normative Cybersecurity Framework
Studies have shown that a cybersecurity approach that utilizes both a horizontal and vertical adoption to protect critical infrastructure from a regulatory standpoint are more effective.
Horizontal frameworks are usually more general in nature, covering a broader and more flexible spectrum of guidelines across entire industries or jurisdictions. For example, ENISA’s Normative Framework that covers both binding public sector initiatives and private sector norms. Vertical standards apply to a more specific sector, such as the Critical Infrastructure Protection (CIP) standards for the electrical sector.
The areas of focus of these two types of standards tend to complement each other well for a more robust and regulation-compliant cybersecurity solution. Standards like the ISA/IEC 62443 help guide organizations through implementing necessary cybersecurity measures in industrial automation and control systems (IACSs).
Automation and Systemization
Implementing an automated and systemized approach when securing critical infrastructure is important for two reasons: Firstly, it helps to ensure the consistency, reliability, and repeatability of cybersecurity configurations. Secondly, it limits the potential effect of human error in either causing or exacerbating cybersecurity incidents.
Human error is still shown to be one of the main contributors to cyber incidents. Not only during everyday actions where they can fall victim to credential hacking, phishing, or social engineering, but also by making mistakes during configuration of security settings and policies. While not as common, there is always the threat of an employee or insider deliberately sabotaging security measures. Incidents due to human error are also typically harder to detect as they are only revealed by intense auditing.
Automating and systematizing the configuration of security configurations is therefore critical to try and limit the impact of human error. Both at the initial configuration and by providing checks and balances down the road to align configurations on a regular basis with accepted standards.
Decision-Making and Configurability
Cybersecurity standards for an organization should support users to make the right security-related decisions without unduly influencing or affecting their ability to make those decisions. No matter how intelligent your cybersecurity solution, there are still certain decisions that only users (humans) can or should make.
One example is the configuration of security zones whereby devices or systems within the same zone must all adhere to the same “achieved security level” (SL-A). Asset owners should be able to easily apply security configurations and settings to separate zones according to the asset priority, threat audit, and risk assessment.
Asset owners should have the leeway within the framework of the standards to make these decisions and apply security settings. However, the solution can support this decision-making by, for example, running scans to find mismatches between configurations and recommended standards.
Conclusion
While there’s no “one” correct way how to approach cybersecurity in critical infrastructures, security decision-makers have plenty of experience-based knowledge to rely on. Adopting existing standards, approaching the systemization of cybersecurity holistically, and learning to find the correct middle-ground between normative standards and individual requirements are key elements.
Sources
A Systematic Approach to Checking Cybersecurity for Critical Infrastructure
