3 Tips for Critical Infrastructure Protection
Author(s): Stephen McCarney, Posted on October 15th, 2014
As citizens, most of us take for granted that electricity will make our lights glow the moment we flip a switch, that fresh drinking water will be available the moment we turn a faucet handle, and that medications will be immediately available after a quick swipe of a card. The availability of these and countless other processes are dependent upon securing the data and systems that manage the operation of critical infrastructure.
Behind the scenes, the operational technology (OT) and information technology (IT) teams within the critical infrastructure community have been challenged with keeping pace with rapidly evolving technology trends while keeping ahead of sophisticated security risks and threats. The interconnectivity of devices (Internet of Things), mobility, cloud, and other disruptive IT trends offer tremendous opportunities for productivity gains and cost reductions – which are very much sought after and wanted. However, with increasing interconnectivity in the critical infrastructure environment, IT is bleeding further into OT and, as it does, vulnerabilities are following. In fact, a Ponemon research initiative this year on cybersecurity protection of critical infrastructure systems and controls highlighted concern over cybersecurity preparedness.
In response to escalating cyber threats targeting critical infrastructure operations, governments have established guidelines, such as the Cybersecurity Framework in the U.S. While such guidelines are voluntary, there are standards and regulations such as the Critical Infrastructure Protection regulations that are required. Regulatory compliance is a major driver of change for critical infrastructure executives – and it’s difficult to keep up. According to Gartner’s Earl Perkins, regulatory standards updates are released faster than enterprises can implement them, resulting in planning confusion and decision uncertainty for affected industries. By 2016, less than 33% of utilities worldwide will be in compliance with nationally recognized regulatory standards for security. And since regulatory compliance might be regarded as the minimum acceptable standard for cybersecurity, what is this really saying about the vulnerability of one-third of the world’s utilities within the next one to two years?
While there are some signs pointing to “dangerous cyber roads ahead,” here are three tips to help critical infrastructure organizations successfully navigate them:
- “Prevent” should be your top cybersecurity priority. New attack vectors will always continue to evolve – for example, even air-gap solutions appear to not be immune from malware. While responding and reporting cyber-attacks is important, for critical infrastructure organizations that must maintain 100% availability and continuity of operations, preventing breaches and compromises is essential. One thing that can be considered is to conceal endpoints and sensitive data-in-motion to help improve your defense-in-depth cybersecurity strategy. Removing your most highly sought-after cyber assets from the cross-hairs of malicious insiders and external cybercriminals is needed. Otherwise, you will find yourself on a continuous treadmill that is increasing in speed, making it more and more difficult to keep up.
- Connect with caution. Insider threats are one of the top risks facing critical infrastructure executives. And supply chain partners also pose a significant risk to your data, IP, and systems. But only if they have footholds into your organization. The Internet of Things is exciting and it’s full of potential. But a 360-degree assessment of who and what may have access to your crown jewels is essential to improving protection. Then, with innovative technologies, you can segment your data center to create isolated communities of trust to allow users to access or even see data and systems only they are permitted to accessing – and you can do this without physically isolating everything.
- Lead the cybersecurity transformation, don’t wait for it. Regulatory requirements are driving much-needed change in critical infrastructure protection. But there is more that can be done – beyond compliance — to improve your cybersecurity posture. Evaluate cybersecurity technologies that are very agile – they will not only help you to more easily meet rapidly evolving regulatory requirements, but they should also help you decrease risk and reduce costs all at the same time.
As I turn the lights off tonight, I’ll think again and acknowledge all of the great work being done behind the security of critical infrastructure, thankful that I can count on the availability of even the most basic resources.
U.S. National Cyber Security Awareness Month Blog Series:
Week 3: 3 Tips for Critical Infrastructure Protection