As citizens, most of us take for granted that electricity will make our lights glow the moment we flip a switch, that fresh drinking water will be available the moment we turn a faucet handle, and that medications will be immediately available after a quick swipe of a card. The availability of these and countless other processes are dependent upon securing the data and systems that manage the operation of critical infrastructure.
Behind the scenes, the operational technology (OT) and information technology (IT) teams within the critical infrastructure community have been challenged with keeping pace with rapidly evolving technology trends while keeping ahead of sophisticated security risks and threats. The interconnectivity of devices (Internet of Things), mobility, cloud, and other disruptive IT trends offer tremendous opportunities for productivity gains and cost reductions – which are very much sought after and wanted. However, with increasing interconnectivity in the critical infrastructure environment, IT is bleeding further into OT and, as it does, vulnerabilities are following. In fact, a Ponemon research initiative this year on cybersecurity protection of critical infrastructure systems and controls highlighted concern over cybersecurity preparedness.
In response to escalating cyber threats targeting critical infrastructure operations, governments have established guidelines, such as the Cybersecurity Framework in the U.S. While such guidelines are voluntary, there are standards and regulations such as the Critical Infrastructure Protection regulations that are required. Regulatory compliance is a major driver of change for critical infrastructure executives – and it’s difficult to keep up. According to Gartner’s Earl Perkins, regulatory standards updates are released faster than enterprises can implement them, resulting in planning confusion and decision uncertainty for affected industries. By 2016, less than 33% of utilities worldwide will be in compliance with nationally recognized regulatory standards for security. And since regulatory compliance might be regarded as the minimum acceptable standard for cybersecurity, what is this really saying about the vulnerability of one-third of the world’s utilities within the next one to two years?
While there are some signs pointing to “dangerous cyber roads ahead,” here are three tips to help critical infrastructure organizations successfully navigate them:
As I turn the lights off tonight, I’ll think again and acknowledge all of the great work being done behind the security of critical infrastructure, thankful that I can count on the availability of even the most basic resources.
U.S. National Cyber Security Awareness Month Blog Series:
Week 3: 3 Tips for Critical Infrastructure Protection