3 Ways to Protect Your Critical Infrastructure
By Jim Pruden, Senior Director Federal Civilian, Cloudera
An electrical fire at Hartsfield-Jackson Atlanta International Airport in December 2017 left America’s busiest airport without power for nearly 11 hours, delaying thousands of passengers during the busy holiday travel season. While the outage was not linked to a malicious actor, the event demonstrates how devastating an attack can be, and the impact could be much worse than a slew of frustrated travelers if the scenario arose from a targeted attack on more critical infrastructure.
The Department of Homeland Security (DHS) has designated 16 critical infrastructure sectors in the United States, including energy, communications, financial services and food and agriculture. These 16 industries are “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic stability, national public health or safety, or any combination thereof.”
Although it’s true that many critical infrastructure sectors are primarily owned and operated by the private sector, such as energy and commercial facilities, the role of government should not be neglected when evaluating how best to protect these industries from attack. It can seem like a daunting task to account for and defend against all threats, from a physical terrorist attack to a targeted cyber strike to a natural disaster. But given the rising prevalence of cybersecurity threats, there are some precautionary measures that government agencies should keep in mind.
- Stay current on federal recommendations -- Securing our critical infrastructure requires coordinated efforts from state, local, and federal governments as well as the private sector. But it is the federal government that is tasked with issuing standards and best practices on the most effective approach. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), managed by DHS, issues an annual report that offers a recap of the health of the nation’s critical infrastructure to reduce risks. Private sector organizations operating within a designated critical infrastructure sector can request an assessment from DHS against a number of cybersecurity standards. Assessing the current state of readiness is the first step to implementing an effective cybersecurity plan.
- Be aware of the weaker lines between OT and IT -- Operational Technology (OT) is a system that monitors and controls physical devices and processes, such as how much electricity is generated through transmission lines. Traditionally, these functions were run on manual equipment physically operated by a human, but as the Internet of Things (IoT) has grown and operations are streamlined, many OT devices are now equipped with IP addresses to enable remote access and control. This transition means that OT and IT networks are becoming more closely connected, and so security standards must catch up to ensure proper barriers between the networks. Such measures include improved access control and encryption, which help prevent hackers from gaining access to the IT network and quickly taking control of the OT, which could lead to the disruption or even ransom of essential services like electricity and water.
- Adapt security standards as the IT landscape evolves -- Private and public sector organizations alike are moving toward more digital business models that rely on the latest technological trends. From the growth of IoT to moving into public clouds and BYOD policies, IT operations and security must adapt to keep pace with the newest advancements. But this shift doesn’t mean that agencies and private sector organizations have to reinvent the wheel. Although attacks on critical infrastructure are highly targeted and can have dire consequences, they are nevertheless typically the same types of cyber attacks that have hit other industries already, from phishing and malware to ransomware, and can be mitigated with the same best practices already in place. And there are many new or improving technologies assisting organizations in the protection of critical infrastructure assets, like voice and video analytics that provide a number of capabilities, including crowd control, gauging expected motions, and identifying objects and individuals whether stationary or in motion.
Critical infrastructure protection is essential to the security of the United States. The 16 critical infrastructure sectors occupy a unique position of having such a designation via a federal agency, yet most of the operations are owned and operated by private businesses. Thus, information sharing and collaboration between the public and private sectors are vital to securing our nation’s critical infrastructure.