Critical Infrastructure Security
The United States Department of Homeland Security identifies 16 critical infrastructure sectors whose assets, systems and networks—whether physical or virtual—are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on national security, economic security, public health and safety, or any combination thereof.
When attacking critical infrastructure, cyber criminals often find themselves in an environment slightly different from traditional information technology (IT) networks, particularly as it pertains to security. Traditional IT network security concerns itself with three primary pillars: confidentiality, integrity and availability. Operational technology (OT) drives the industrial control systems that allow for product delivery in the energy, manufacturing, shipping and other transportation sectors. Because of consumer demands, low interoperability between components, and infrastructure that is not receptive to patches and updates, OT systems often favor availability over security. Thus, OT networks are especially vulnerable once an attacker has penetrated the firewall.
The attack surface of critical infrastructure cyber systems has changed and continues to evolve. However, many of the same defenses apply, and integration of OT-specific security measures can further strengthen the protection of critical assets. The following should be considered when protecting OT assets in a critical infrastructure environment:
- Threats and risks in a changing environment: Identify and protect your most vital assets through hardening of defenses. Threats to critical infrastructure continue to increase, and breaches may result in catastrophic risk to national security, economic vitality, public health and global safety.
- Cyber security basics: Develop and execute a robust training and awareness program emphasizing strong password management, use of multi-factor authentication, and defenses against phishing and social engineering tactics.
- Security posture of IT and OT systems: To the greatest extent possible, immediately apply critical security patches in the IT environment. Segmentation of IT and OT environments is crucial, particularly when OT components are connected and not secured with updates and patches, whether because of scheduling or design limitations.
Critical infrastructure in the US is 85 percent privately owned. However, because of national security and stability concerns, its protection and control must be addressed in a unified and collaborative partnership between public and private entities. Recognizing the need for a coordinated effort to protect these sectors, President Obama in February 2013 signed Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience.” To further promulgate policy and promote public/private collaboration on security matters, President Trump on May 11, 2017 signed EO 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” To ensure the sustainment of our nation’s critical infrastructure, continued collaboration between public and private stakeholders is essential to identifying threats and mitigating risk.