Building a Robust Cybersecurity Strategy for Critical Infrastructure
Key takeaways:
- Protecting critical infrastructure remains a top priority, yet many organizations are still behind in cyber‑defense readiness.
- COVID‑19 has expanded the definition of “critical” to include sectors like PPE manufacturing, logistics, and food processing, prompting a reassessment of essential systems.
- Organizations must shift from reactive measures to a proactive cybersecurity posture, especially amid rising cyber‑threats and increased remote operations.
Public concern over cyber‑attacks on the electrical grid, dams, voting systems, and other federally designated infrastructure is growing. Yet, as Deloitte’s Sean Peasley notes, most operational‑technology (OT) firms still maintain only nascent cybersecurity programs.
Historically, “critical infrastructure” referred to public works such as transportation and utilities. Over the past decades, the scope has broadened to encompass health care, energy, manufacturing, and more. Kieran Norton of Deloitte highlights that the pandemic has revealed even greater breadth, with PPE makers, logistics firms, pulp & paper, and meat‑packing now recognized as essential.
While many OT organizations boast decades of experience in traditional risk management, cybersecurity is a relatively new focus. Andrew Howard, CEO of Kudelski Security, observes that OT security typically lags IT by 10–15 years.
According to IBM’s X‑Force Threat Intelligence Index 2020, attacks on industrial control systems surged in 2019, surpassing the combined volume of the previous three years. High‑profile incidents include ransomware on Honda, Taiwan’s energy utility, a U.S. natural‑gas facility, Israel’s water supply, and NTT’s internal network breach.
Risk Assessment: An Ongoing Imperative
Without a way to measure risk, improvement stalls. Many critical infrastructure entities struggle to maintain an accurate asset inventory because their environments are diverse and complex and OT cybersecurity specialists are in short supply.
Initial risk assessments should quantify threats, vulnerabilities, and potential consequences, focusing on shared passwords, unpatched systems, third‑party hardware/software, and permissive firewalls. Such assessments can uncover extensive remediation lists, requiring prioritization based on severity and ease of fix.
Active network scanning can destabilize control systems, so a cautious, collaborative approach with operations is essential. Passive monitoring offers less intrusion but may miss critical insights. The debate reflects a clash between IT’s preference for active scanning and OT’s risk‑averse stance.
Remediation prioritization should weigh both risk severity and remediation effort. As Miklovic notes, boundary interfaces—protocol or physical—often represent the weakest link, with USB drives a common breach point. While quick fixes (e.g., sealing USB ports) are important, a balanced risk‑based approach is more effective.
Joe Saunders of RunSafe recommends a 2×2 matrix to evaluate vulnerability likelihood versus impact severity, enabling a nuanced risk profile for each system.
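As an added illustration (not code from the article or from anyone quoted in it), the following Python risk register places each finding on the likelihood-versus-impact 2×2 matrix and then orders remediation by quadrant, risk score and ease of fix, as the preceding paragraphs suggest. The findings, 1-5 scores, the "high" threshold and the quadrant ordering are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    issue: str
    likelihood: int  # 1-5: chance the weakness is exploited (assumed scale)
    impact: int      # 1-5: consequence to operations or safety (assumed scale)
    effort: int      # 1-5: remediation effort, 1 = quick fix (assumed scale)

THRESHOLD = 3  # assumption: a score of 3 or more counts as "high" on the 2x2 matrix

def quadrant(f: Finding) -> str:
    """Place a finding in one of the four likelihood/impact quadrants."""
    high_likelihood = f.likelihood >= THRESHOLD
    high_impact = f.impact >= THRESHOLD
    if high_likelihood and high_impact:
        return "high-likelihood/high-impact"
    if high_impact:
        return "low-likelihood/high-impact"
    if high_likelihood:
        return "high-likelihood/low-impact"
    return "low-likelihood/low-impact"

# Assumed ordering: high-impact quadrants first, since OT consequences include safety.
QUADRANT_RANK = {
    "high-likelihood/high-impact": 0,
    "low-likelihood/high-impact": 1,
    "high-likelihood/low-impact": 2,
    "low-likelihood/low-impact": 3,
}

def prioritize(findings):
    """Order by quadrant, then by likelihood x impact (desc), then by lowest effort."""
    return sorted(
        findings,
        key=lambda f: (QUADRANT_RANK[quadrant(f)], -(f.likelihood * f.impact), f.effort),
    )

# Constructed sample register covering the weakness types named in the article.
REGISTER = [
    Finding("PLC-7 (line 3)", "shared operator password", 4, 5, 2),
    Finding("HMI workstation", "unpatched OS, vendor end-of-life", 4, 4, 4),
    Finding("Plant firewall", "permissive any/any rule to DMZ", 3, 5, 2),
    Finding("Engineering laptop", "USB ports unsealed", 5, 2, 1),
    Finding("Vendor remote gateway", "third-party VPN without MFA", 3, 4, 3),
    Finding("Badge printer", "default SNMP community string", 2, 1, 1),
]

if __name__ == "__main__":
    for f in prioritize(REGISTER):
        print(f"{quadrant(f):30} effort={f.effort}  {f.asset}: {f.issue}")
```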
New Risks in the New Normal
The pandemic has accelerated remote work, complicating security for production systems. Employees now use VPNs to modify production controls from home, a practice previously uncommon. Third‑party vendors may also receive remote access, raising additional exposure.
Bandwidth, scaling, and deployment challenges often accompany increased remote connectivity. Simultaneously, traditional contingency plans that rely on physical presence and manual processes are now less reliable.
To adapt, critical infrastructure organizations should consider a holistic redesign of technology architecture, embedding security controls closer to assets.
Moving Toward Proactive Cybersecurity
The goal is to replace incremental, manual processes with a proactive posture that anticipates threats and adapts continuously.
Key components of a robust security policy include:
- Equipment & Devices – secure legacy industrial controllers, IoT sensors, gateways, and corporate laptops. Understanding device context is essential.
- Networks & Users – enforce strict access controls, deploy dynamic policy engines, and invest in breach detection.
- Data – classify and discover data to determine appropriate protection levels.
- Workflows & Supply Chain – secure processes, enforce contractor compliance, and protect against supply‑chain attacks.
- Software Development – embed security throughout the SDLC to ensure resilient deployments.
Balancing prevention, detection, and response is crucial. Matt Selheimer of PAS Global recommends allocating 50 % of effort to prevention and 50 % to detection and recovery. Norton emphasizes that response capabilities are as vital as preventive controls.
Frameworks and Maturity Models
Organizations can align with established frameworks such as ISO 27002, ISA/IEC 62443, and the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). CMMC provides a five‑tier maturity model, from basic hygiene (Level 1) to advanced optimization (Level 5). The model’s requirement for third‑party audits promotes objectivity and accountability.
| CMMC Level | Focus | Key Practices |
|---|---|---|
| Level 1 | Basic cyber hygiene (performed) | Selected practices documented where required |
| Level 2 | Intermediate cyber hygiene (documented) | All practices documented; policies exist for all activities |
| Level 3 | Good cyber hygiene (managed) | Cyber plan operationalized across all activities |
| Level 4 | Proactive (reviewed) | All cyber activities reviewed, measured, and shared with management |
| Level 5 | Advanced progressive (optimizing) | Standardized documentation across the organization |
Automation and Embedded Security
Machine‑learning–driven monitoring can automate routine tasks like breach detection. Embedded security on resource‑constrained devices offers intrinsic protection and asset visibility.
However, premature automation without a solid policy can generate false positives. As Selheimer notes, fine‑tuning firewall rules and SIEM correlation is essential to reduce noise.
Due to the unique landscape of critical infrastructure, off‑the‑shelf automation may require customization. Norton suggests isolating sensitive systems and applying orchestration to bridge automation gaps.
Ultimately, threats will evolve rapidly. Staying proactive means continuously adjusting the cyber‑posture to reflect emerging risks and industry trends.