We hear a lot these days about critical infrastructure, and the importance of protecting it. But what exactly is “critical infrastructure,” what are the greatest threats to it, and what are the best ways to protect it from those threats?
What is Critical Infrastructure?
According to the U.S. Department of Homeland Security (DHS), which is the federal agency charged with oversight of its protection, critical infrastructure consists of “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Substitute any other nation for “United States” and the definition remains equally applicable — for any nation to assure the safety, health and welfare of its citizens, that nation must make critical infrastructure protection a top priority. DHS lists 16 critical infrastructure sectors and assigns primary sector-specific responsibility to each sector. For a complete list of the sectors, and the agencies assigned to each, visit the DHS website.
What are the primary threats facing critical infrastructure?
Now that we have our working definition of critical infrastructure, let’s look at the primary threats to it.
A generation or two ago, those threats were pretty much all tangible, physical threats that could be countered with tangible, physical defenses. Think old war movies — blowing up or defending bridges and railroad tracks, etc. Those kinds of tangible, physical threats continue today, as do natural disasters, such as hurricanes, floods and wildfires, and they can cause serious harm to people and nations.
The inclusion of “virtual” infrastructure in the DHS definition is a relatively new phenomenon, and the primary threats to that infrastructure are even more difficult to counter. Sometimes the virtual infrastructure combines with the physical — attackers may attempt to use virtual control systems to deliver physical threats or make virtual threats to physical infrastructure — creating the need for a multi-faceted response. This combination of virtual and physical is growing exponentially today, as virtual connections to physical infrastructure, aka the internet of things (IoT), become increasingly mainstream.
How do we protect critical infrastructure?
With that definition and understanding of what critical infrastructure is, and what types of threats endanger it, let’s examine how we should protect it.
The Cybersecurity and Infrastructure Security Agency (CISA), created by Congress in November 2018, is the DHS agency charged with primary critical infrastructure protection responsibility.
CISA, according to its website, “leads the coordinated national effort to manage risks to the nation's critical infrastructure and enhance the security and resilience of America's physical and cyber infrastructure.” Breaking down this summary statement, CISA identifies three key elements of critical infrastructure protection:
- managing risk to that infrastructure;
- enhancing security of that infrastructure; and
- enhancing resilience of that infrastructure.
Let’s look at these three elements in the context of the growing virtual threats to physical and virtual infrastructure.
Managing risk to critical infrastructure
The National Risk Management Center (NRMC), an entity within CISA that also came into existence in 2018, leads the charge when it comes to the agency’s risk management guidance. NRMC identifies itself as “a planning, analysis, and collaboration center working to identify and address the most significant risks to our nation’s critical infrastructure.”
We point to the words “most significant” as the central theme of risk management. No defense plan will provide absolute protection against all risks; the cornerstone of effective risk management is prioritization — identifying the most significant risks and taking actions to mitigate those risks.
Risk-based prioritization is one of the primary components of effective cyber risk management. It is also a key component of the discipline of Cyber Exposure. Cyber Exposure recognizes that the modern attack surface reflects the increasing convergence of the virtual and the physical, and that as connectivity increases, so does the risk of cyber attack. Managing that risk is essential to the protection of critical infrastructure today, and will become even more essential in the future.
Enhancing security for critical infrastructure
Enhancing security is, perhaps, the most fundamental component of critical infrastructure protection.
In the physical world, doing so involves basic actions such as locking doors, putting up fences and similar steps to address physical vulnerabilities. Similarly, in the cyber realm, security means identifying virtual vulnerabilities and addressing those vulnerabilities.
Practicing good cyber hygiene is Step 1 in enhancing cybersecurity. Lapses in basic cyber hygiene are the primary cause of security breaches. Bad actors are able to get through cyber “doors” when device owners do the following: use poor locks (think weak passwords); leave doors open (think unpatched vulnerabilities); or unwittingly give them the keys (think phishing scam).
Protecting critical infrastructure presents some unique challenges. For instance, Industrial Control Systems (ICS), which govern the operation of large industrial plants, cannot be actively scanned for vulnerabilities the way a virtual-only Information Technology (IT) environment can be scanned because such scans can knock the industrial systems offline, grinding operation of a major plant to a halt.
The overarching category for these types of systems is Operational Technology (OT). OT systems, many of which pre-date the internet, have historically been standalone, “air gapped” systems, which minimized their vulnerability to cyber threats. In today’s connected world, however, that is quickly becoming the exception rather than the rule.
Adapting cyber defenses to protect these systems requires a different approach. Tenable is addressing these challenges by leveraging its passive monitoring capabilities to deliver a solution that enables safe monitoring of OT assets in a converged IT-OT environment.
Enhancing resilience of critical infrastructure
To be resilient, in the parlance of the iconic Timex watch ads, is “to take a licking and keep on ticking.”
As more formally defined in Presidential Policy Directive 21, the governing federal critical infrastructure protection authority, resilience is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.” In cyber-centric environments, resilience builds on security to round out a comprehensive cyber defense program that addresses all phases of preparation and implements steps to prepare for, and respond to, any cyber threats.
To guide organizations in developing and implementing effective, comprehensive critical infrastructure protection programs, the National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework. According to NIST, a “prioritized, flexible and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”
DHS offers an additional resilience-focused resource, the Cyber Resilience Review (CRR). This free resource can provide insight into an organization’s cyber resilience status and recommend areas for improvement. It includes a “NIST Framework crosswalk” feature to guide alignment and ensure comprehensive program implementation. A fact sheet is available with instructions for conducting a CRR and requesting DHS CRR support.
Learn more:
- Download the report: Cybersecurity in Operational Technology: 7 Insights You Need to Know
- Visit Tenable's IT/OT Convergence web page: https://www.tenable.com/solutions/it-ot
- Download the data sheet: Tenable Industrial Security