Critical infrastructure cybersecurity insights
- Critical infrastructure is very important to society and maintaining the basic needs of human life in modern times.
- Because of this, there is a need for critical infrastructure cybersecurity to protect it from threat actors — both foreign and domestic.
- Some of the keys to a successful cybersecurity setup are to not settle for limited OT security, approach protection from an OT state of mind, strive for IT/OT convergence, and think global and act local.
Critical infrastructure comprises the physical and digital systems that provide the essential services for a country’s economy; disruption of these systems would therefore create significant economic or public health and safety risk. Critical infrastructure cybersecurity is the protection of those digital systems from cyber attacks.
These critical infrastructure sectors include assets owned by government entities as well as those owned by the private sector. Consider the commercial facilities sector: in the United States, federal, state and local governments own and manage a large number of commercial facilities, as does the private sector. In fact, in many sectors, such as Energy or Financial Services, government and private sector assets intermingle and a disruption to one side of this integrated system can impact the other.
In addition, many of these sectors include not only information technology (IT) systems but also operational technology (OT), Internet of Things (IoT), industrial control systems (ICS), industrial Internet of Things (IIoT) and other “cyber-physical” systems that control not just data but physical processes. Gartner defines “cyber-physical systems” as “engineered systems that orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). When secure, they enable safe, real-time, reliable, resilient and adaptable performance.” By using the broader term, Gartner encourages security and risk leaders to think beyond IT security and develop security programs encompassing the entire spectrum of cyber-physical risk.
Therefore, as we consider the cybersecurity of these sectors, three factors guide the approach: their criticality to life safety and economic security, the mix of government and private sector assets, and the presence of cyber-physical systems.
Critical to life safety and economic security
The 16 sectors identified by the United States government as critical infrastructure are those “that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Some of these are obvious — the Nuclear sector, for instance — some less so, such as Commercial Facilities. A critical element of these sectors is their interdependencies that could create knock-on effects if one is attacked. For instance, the Energy sector is fundamental to the operation of Water, Transportation, Financial Services, etc. Similarly, the Communications sector enables Power, Financial Services, etc. These interdependencies make the cybersecurity of these systems even more challenging and unique.
Cybersecurity in all industries is essential, but protecting these 16 sectors is a national security priority. As a result, the U.S. government (and the governments of other countries) has created organizations, partnerships, requirements, etc., to encourage, support and monitor the cybersecurity effectiveness of operators in these sectors. What does this mean for asset operators?
- They need to have their “shields up” as they are heavily targeted by attackers. Because an outage of this infrastructure is so impactful, the risks from ransomware or nation-state attack are more significant than in many other industries. Leaders must recognize their unique place in the target landscape and be even more diligent.
- They need to fulfill a set of regulatory requirements beyond those of other sectors. For instance, in 2022 the U.S. government, through the action of President Biden, enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This law requires, among other things, that the Cybersecurity and Infrastructure Security Agency (CISA) implement regulations requiring operators in these 16 sectors to report specific covered cyber incidents and ransomware payments. This is a significant change to current practice, intended to create more transparency and information sharing among the sectors. In addition to incident reporting, governments have required assessments, cyber action plans, specific prescriptive security measures, etc.
- For some sectors, the level of regulation is increasing rapidly. For instance, the Colonial Pipeline attack increased the attention of regulators on the risks to the globe’s energy pipeline infrastructure. In the United States, this has meant a set of new regulations, managed by the Transportation Security Administration (TSA), requiring a set of cybersecurity practices.
- The critical infrastructure industries can receive support from government agencies as well as public-private partnerships to assist in their cybersecurity efforts. For instance, CISA offers complimentary (no-cost) cybersecurity assessments for many sector participants. The agency also maintains a catalog of vulnerabilities known to be actively exploited, allowing sector participants to focus their remediation efforts. It provides alerts and content on emerging threats as well. Taking advantage of these services is a crucial advantage of being a sector participant.
In summary, the bar for cybersecurity in these sectors is rising, both because threats are increasing and because governments are imposing requirements on what these sectors must do to ensure they are protected. Operators need to raise the bar on their cybersecurity efforts: cyber threats are growing, and the potential impact on the operator and on the economy as a whole is significant.
A mix of government and private sector assets
These sectors are not limited to only government or only private sector operators. For instance, the Transportation sector includes regional public transit agencies such as MARTA and CTA, and it also includes FedEx, airlines, railroads, trucking and many other private-sector enterprises. Perhaps most importantly, many of these have interdependencies between the government and the private sector. For instance, a cyber attack on a federally owned electric utility can impact the private sector power grids operating in that region. A cyber attack on key members of the Defense Industrial Base (the 300,000 small manufacturers that make critical components for the US military) can extend into Department of Defense operations.
This reinforces the potential impact of a cyber attack and highlights the need for these groups to work together — or at least rely on each other’s actions — for defense.
As a private sector operator, there are several key takeaways:
- Even as a small company, you are both a potential target and a key player in protecting the country’s economy. Small gas pipeline operators’ systems may connect to broader billing systems or SCADA systems, meaning that attacks can spread. Small defense contractors who supply critical components may be attacked as a means of accessing larger contractors or, eventually, defense operations.
- Threat intelligence from government entities in your sector can provide insights for your protection.
- Regulations will require a greater level of cybersecurity because of this potential interconnection between the public and private systems.
As a public sector operator, there are similar and additional takeaways:
- The private sector participants (even small ones who may not have the resources necessary to provide sufficient cyber protection) can directly impact the cybersecurity of your operations. This means that supply chain cyber requirements and monitoring are critical elements of the overall protection program.
- Participating in private sector information and protection-sharing sessions can add value to your security practices.
- Public sector cyber teams will need to compete with the private sector for talent. The data on the shortage of cyber talent is clear. Solving the challenge of attracting and retaining cyber talent in government agencies will be a key enabler of overall critical infrastructure protection.
Presence of “cyber-physical systems” in critical infrastructure cybersecurity
The third factor driving the approach to cybersecurity in these critical infrastructure sectors is the presence of cyber systems that interact with physical processes and operations. The term, coined by Helen Gill at the National Science Foundation in 2006, according to the University of California at Berkeley, means:
“embedded computers and networks (that) monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa. As an intellectual challenge, CPS is about the intersection, not the union, of the physical and the cyber. It is not sufficient to separately understand the physical and computational components. We must instead understand their interaction. Therefore, the design of such systems requires understanding the joint dynamics of computers, software, networks and physical processes. It is this study of joint dynamics that sets this discipline apart.”
Gartner recently began using the term in a cybersecurity context to group a set of related devices and networks, bringing some order to a very complex “acronym salad”:
- Industrial Control Systems (ICS): the computers that control manufacturing, power generation and transmission, etc.
- Operational Technology: a catch-all term that could include ICS, building controls, medical devices, etc.
- IoT: Internet of Things (also IIoT, Industrial IoT) refers to networks of stand-alone devices connected to the internet (or an intranet). These can be “consumer-oriented,” such as smart speakers or refrigerators, or industrial, such as smart meters or controllers.
- Connected Medical devices: this includes both hospital-based devices such as MRI machines, infusion pumps, etc., as well as remote devices such as pacemakers and insulin pumps.
- Smart cities/Industry 4.0: includes distributed generation, remote control of industrial and municipal systems, etc.
These critical infrastructure sectors all contain various elements of the above systems.
What does this mean for the cybersecurity of these sectors?
- Cyber-physical systems require different approaches to cybersecurity than traditional IT systems. These devices and systems differ in many ways from their IT counterparts:
  - Legacy devices 15, 20, 30 or 40 years old running out-of-date operating systems
  - More than 70% of these devices run embedded operating systems on which traditional IT security tools offer limited protection; these sensitive devices may become inoperative if traditional IT security scans are run against them
  - A requirement for 99% or similar uptime, which makes traditional patch processes and other systems management challenging
  - Complex, limited-bandwidth networks, which often limit the feasibility of modern IT security tools that rely on cloud or other broad connectivity
- These systems require different skill sets. In survey after survey, the number one challenge to securing these types of systems is finding sufficient knowledgeable resources. Critical infrastructure operators struggle to find talent that understands the ins and outs of the physical control systems as well as the required cybersecurity elements.
- Any cyber-attack can have physical impact. Historically, cyber threats are seen as threats to our data or privacy. In these critical infrastructure sectors, cyber threats can impact the physical operations of the participants — power or oil or other provision of physical goods can be cut off, changes to physical processes can create safety hazards, disruptions to processes can create ecological issues, etc. This means that the potential implications of cyber attacks need to consider different types of impacts.
- IT and “OT” (cyber-physical) cybersecurity need to work together – dare we say, converge. To date, the cyber attacks on cyber-physical systems have all originated in the IT systems of the operator. Phishing, stolen credentials, etc., compromise IT systems; attackers then pivot across the IT-OT boundary to breach the cyber-physical systems. Once there, because these systems are usually not well protected, the attack can spread quickly across the cyber-physical environment. Even without spreading to the cyber-physical systems, an IT attack can force the operator to shut down physical operations to prevent the attack from spreading, which is what happened in the Colonial Pipeline incident.
How does an operator conduct effective cybersecurity in critical infrastructure?
Given the above unique challenges of cybersecurity for critical infrastructure, how does the Chief Information Security Officer or the person responsible for cybersecurity at the operator succeed?
For the past 30 years, Verve has worked with critical infrastructure operators to support them in achieving greater levels of cybersecurity on these cyber-physical systems.
Four key learnings from that experience in critical infrastructure cybersecurity:
1. Do not settle for limited “OT” security just because these systems are different.
Demand that you apply the same rigor of IT cybersecurity to these cyber-physical systems.
This goes against much of what the CISO or IT security leaders will hear from their OT colleagues, the ICS OEM vendors and perhaps some OT security vendors. The standard refrain is these cyber-physical systems, especially those that directly control industrial processes, are too sensitive, old, critical, etc., to adopt similar approaches that one would take to IT devices.
Although we agree with the perspective on the uniqueness of these devices and networks, we have found that CISOs can achieve IT-like security in OT (or cyber-physical systems) by applying OT-specific toolsets with the same standards and philosophy as applied to IT security.
For 30 years, Verve has deployed our OT/CPS-specific platform to apply IT-level security controls to those systems. We call this “OTSM” or OT Security Management, similar to the Security Management approach that’s been in place for 20 years in IT. This includes comprehensive inventory based on direct access to endpoints, robust patch management, detailed vulnerability identification (not relying just on network traffic analysis), endpoint detection and response, hardened configuration, etc.
Verve often works with CISOs who have struggled with operational teams pushing back against the application of security to these systems, offering a variety of rationales — from a lack of need because the networks are “air-gapped” to inability due to operational requirements to organizational capacity limitations, etc. We have found that successful CISOs do not settle. They work through these challenges with the confidence of knowing that others have succeeded in applying these controls.
Perhaps most fundamentally, this comes down to the ability to apply endpoint security. Cyber-physical security often stops at the network — network intrusion detection or firewalls and other hardware-based solutions. The reality is that endpoint protection is possible, practical and proactive in defending cyber-physical systems.
2. Organizations must recognize that the approaches to achieving endpoint security are different in cyber-physical systems than in IT.
Point #1 should not be read to say that cyber-physical systems do not require unique approaches to security. Legacy, embedded, sensitive devices and networks require an OT-specific approach. Vulnerability scanning, automated patching (what we call spray-and-pray), WMI calls, etc., can all cause significant disruption to operations in the pursuit of security.
3. “Converge” the IT and cyber-physical security efforts to ensure alignment and efficiency.
This recommendation applies to both the security team and the operations team. To protect the cyber-physical systems and ensure ongoing operational resilience, it is critical that these two organizations — which may not regularly interact — work together to find common solutions to security challenges. The Colonial Pipeline example is relevant here: the incident that caused the outage was actually an IT incident, but because of the potential for the attack to spread into the operational systems, those systems were shut down. Closer coordination between the two sides might have avoided that.
We have seen a variety of successful approaches to this “convergence.” Some organizations have assigned senior cyber-physical system leaders to the cybersecurity leadership team across IT and OT. Others have created a top-down objective aligned between the IT and OT teams to ensure common metrics and milestones. Still others have created balanced scorecards in which cybersecurity becomes an equal element of performance, as they did with safety over the past 30 years.
Success often requires both sides to learn to trust the other. There is usually a history of mistrust due to “IT causing operations disruption” or the “operations teams going their own way.” Breaking down these barriers of mistrust is vital to making progress in cyber-physical cybersecurity.
4. “Think Global but Act Local.”
As mentioned above, the largest barrier to successful cyber-physical cybersecurity is the lack of knowledgeable resources. One reason for this is that cybersecurity is often “stuck” at the plant or facility level. Operations teams are rightfully nervous about IT centrally managing the security of their systems. All of them (and we) have countless examples of IT impacting operations by applying security or other changes to systems without operator consent or awareness — patches on running HMIs, network device rule changes, anti-virus updates, configuration changes, etc. In addition, many of the security tools in place today are “stuck” at the plant or facility as well, so CISOs often lack visibility into them even when they want it.
In our experience, the way to solve this challenge is what we call “Think Global, Act Local.” This means aggregating all of the asset, user, software, network and other risk and threat data into a common enterprise database where a small group of skilled resources can “think globally” — i.e., analyze data across plants or facilities to identify the greatest risks and to develop playbooks of how to remediate or respond. Our clients have found this central enterprise database reduces labor costs and resources by up to 70% versus their traditional site or facility-level approach.
“Think Global” without “Act Local,” however, is a recipe for operational disaster. “Act Local” means that while the playbooks and analysis are central, when remediating or response actions are taken, those with knowledge of the control systems are engaged and approve those actions based on the proper operations of the process. This is the key to cyber-physical security. These “physical” systems cannot easily be rebooted, stopped at the wrong time or updated with new firmware or software without knock-on effects. Therefore, any cybersecurity management software needs to enable this operational control over actions — what we call “Act Local.”
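The gating described under point 4, together with the caution in point 2 that scans, automated patching and similar actions can disrupt operations, can be expressed as a small control-flow model. The following is an added example, not Verve’s code or data model: one enterprise-wide rubric ranks assets across plants (“Think Global”), the centre proposes a playbook, and any action that could disturb a running process is refused until an operator listed for that specific plant approves it inside the plant’s maintenance window (“Act Local”). The asset records, scoring weights, rosters and windows are all constructed for illustration.

```python
"""Added example of the "Think Global, Act Local" pattern: one enterprise view
ranks risk across plants, but any action that can disturb a running process
is blocked until a named operator at that plant approves it inside the
plant's maintenance window.  All records, weights and names below are
constructed for illustration and are not Verve's data model or product."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Action kinds that can disrupt operations (active scans, automated patching,
# reboots, ...); these are never run from the centre without local sign-off.
INTRUSIVE_ACTIONS = {"patch", "reboot", "active_scan", "firmware_update", "config_change"}


@dataclass
class Asset:
    site: str
    asset_id: str
    role: str              # e.g. "HMI", "PLC", "historian", "EWS"
    os_age_years: int
    known_exploited: bool  # carries a vulnerability known to be exploited in the wild


@dataclass
class Action:
    asset: Asset
    kind: str
    approved_by: Optional[str] = None
    executed: bool = False


def risk_score(a: Asset) -> int:
    """Think Global: one rubric applied to every plant so assets are comparable
    enterprise-wide.  Weights are constructed for the example."""
    score = 50 if a.known_exploited else 0
    score += min(a.os_age_years, 30)                 # legacy OS, capped at 30 points
    score += 10 if a.role in ("PLC", "HMI") else 0   # directly controls the process
    return score


def rank_enterprise(assets: List[Asset]) -> List[Tuple[int, Asset]]:
    """Highest-risk assets first, regardless of which plant owns them."""
    return sorted(((risk_score(a), a) for a in assets),
                  key=lambda t: (-t[0], t[1].asset_id))


def exposure_by_site(assets: List[Asset]) -> Dict[str, int]:
    """Cross-plant view: how many assets per site carry a known-exploited vuln."""
    counts: Dict[str, int] = {}
    for a in assets:
        counts[a.site] = counts.get(a.site, 0) + (1 if a.known_exploited else 0)
    return counts


def propose_actions(assets: List[Asset], top_n: int = 3) -> List[Action]:
    """Central playbook: patch the top-N risks; everything else only gets a
    passive (non-disruptive) inventory refresh."""
    ranked = rank_enterprise(assets)
    return ([Action(a, "patch") for _, a in ranked[:top_n]]
            + [Action(a, "passive_inventory") for _, a in ranked[top_n:]])


def approve(action: Action, approver: str, site_roster: Dict[str, List[str]]) -> bool:
    """Act Local: only an operator listed for the asset's own plant may approve."""
    if approver not in site_roster.get(action.asset.site, []):
        return False
    action.approved_by = approver
    return True


def execute(action: Action, now: datetime,
            windows: Dict[str, Tuple[time, time]]) -> str:
    """Run the action, or explain why the gate blocked it."""
    if action.kind not in INTRUSIVE_ACTIONS:
        action.executed = True          # passive actions run centrally
        return "executed"
    if action.approved_by is None:
        return "blocked: needs local approval"
    window = windows.get(action.asset.site)
    if window is None or not (window[0] <= now.time() <= window[1]):
        return "blocked: outside maintenance window"
    action.executed = True
    return "executed"


# Constructed sample inventory spanning three plants (not real assets).
ASSETS = [
    Asset("Plant A", "HMI-01", "HMI", 20, True),
    Asset("Plant A", "HIST-01", "historian", 5, False),
    Asset("Plant B", "PLC-07", "PLC", 15, True),
    Asset("Plant B", "EWS-02", "EWS", 8, True),
    Asset("Plant C", "PLC-03", "PLC", 35, False),
]
ROSTER = {"Plant A": ["ops-a-lead"], "Plant B": ["ops-b-lead"], "Plant C": ["ops-c-lead"]}
WINDOWS = {"Plant A": (time(2, 0), time(4, 0)), "Plant B": (time(22, 0), time(23, 59))}
SAMPLE_NOW = datetime(2024, 1, 1, 3, 0)   # constructed clock for the demo

if __name__ == "__main__":
    for score, a in rank_enterprise(ASSETS):
        print(f"{score:3d}  {a.site:8s} {a.asset_id}")
    plan = propose_actions(ASSETS)
    approve(plan[0], "ops-a-lead", ROSTER)   # local sign-off at Plant A only
    for act in plan:
        print(act.asset.asset_id, act.kind, execute(act, SAMPLE_NOW, WINDOWS))
```

Two design points are worth noting. The approver check is keyed on the asset’s own site, so a central analyst or an operator from another plant cannot unblock a patch; that is what keeps the “local” in Act Local. And the passive inventory refresh bypasses the gate, reflecting the page’s distinction between intrusive actions (scans, automated patching) and data collection that does not disturb the process.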
Critical infrastructure cybersecurity differs from traditional cybersecurity and therefore requires a different approach by public and private sector entities. One of the key differences is the significant presence of “cyber-physical systems,” i.e., those in which digital systems control physical outputs. Organizations in these critical sectors need to adapt their cyber postures to the greater risks and challenges associated with these complex environments.