Protecting Critical Infrastructures from Cyber Threats

By Paul Kirvan | November 1st, 2023 | Last modified 2024-01-20T21:57:01+00:00

While most resilience professionals are focusing on how to protect their organizations’ information technology (IT) infrastructures, a reminder on how important critical infrastructures are to the nation is timely.

Considering the impact cybersecurity attacks have made to private and public sector organizations over the past decade, it is important to remember that the nation’s many different critical infrastructures (CI) are just as susceptible to cyberattacks. This article will provide useful guidance on protecting the many different critical national infrastructures on which the country depends.

Eighteen (18) specific sectors of critical national infrastructure have been identified, as shown in Table 1 [1].

Each of these sectors depends on uninterrupted information technology (IT) systems and services, especially access to the Internet. Cyber threats that are often associated with financial institutions (malware, viruses, phishing, DDoS attacks, ransomware, theft, vandalism) are just as likely to affect organizations in each sector in Table 1.

Guidance for Addressing CI Cyber Threats

Is it advisable to have cybersecurity strategies within each CI sector? The answer, of course, is yes, and the following paragraphs provide guidance on addressing CI cyber threats. Each CI sector uses a variety of information systems and specialized devices that are potential targets of a cyberattack. From a cybersecurity perspective, the organization responsible for these critical systems must do the following:

  • Deploy highly secure network perimeters that prevent unauthorized access to critical systems and data, e.g., using firewalls and intrusion detection/prevention systems
  • Deploy systems and technologies that alert on, identify, analyze, block, quarantine and eliminate malware and other attack vectors, e.g., anti-ransomware and anti-malware software
  • Deploy access mechanisms to prevent unauthorized individuals from logging into critical systems, data and databases, e.g., two-factor or multi-factor authentication
  • Deploy incident response and management protocols and procedures to launch a rapid response to potential cyberattacks
  • Develop and deploy plans and procedures that specify what is to occur when a cyber breach event occurs
  • Deploy backup arrangements to minimize potential downtime when a cyberattack occurs; these can include backup hardware devices; primary and secondary data storage (e.g., cloud storage); backup power systems to keep systems operating; backup copies of critical applications; and alternate network arrangements, e.g., alternate Internet service providers and alternate routing from local telephone company offices

The above criteria are essential for dealing with cyberattacks, and they should be supplemented by the following activities:

Cybersecurity Program Development

As part of the program aspect of CI cybersecurity, it is essential to thoroughly assess the critical infrastructure elements and resources through the following actions:

  • Review with senior management, and confirm, which elements are the most mission-critical for the infrastructure organization
  • Secure senior management support for a cybersecurity initiative
  • Conduct a risk analysis to identify which systems are at the greatest risk, identify the most serious threats and their likelihood of occurring, and identify vulnerabilities such as single points of failure (SPOF) that can be exploited
  • Perform a business impact analysis (BIA) to identify what could happen to the organization (and the local area, region and the nation) if one or more critical infrastructure elements were compromised
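The risk analysis step above (rank elements by threat likelihood and impact, and find single points of failure) can be worked through on a small dependency model. The following is an added example, not code from the article or its author: element names, likelihood/impact scores and dependency edges are all constructed sample data, and the SPOF check uses Tarjan's articulation-point algorithm, which the article does not name. It goes one step beyond the text with a what-if check that shows which new SPOFs appear if a redundant element (here a backup ISP link) is removed.

```python
"""
Added example (not from the article): rank critical-infrastructure elements by
threat likelihood x business impact, and flag single points of failure (SPOF)
in a dependency graph. All names, scores and edges below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: element -> (threat likelihood 1..5, business impact 1..5),
# as a risk analysis team might record them after the management review and BIA.
ELEMENTS = {
    "control_center_lan": (2, 5),
    "scada_master": (3, 5),
    "hmi_console": (4, 4),
    "historian": (3, 3),
    "auth_server": (3, 5),
    "plant_network_core": (2, 5),
    "field_plc_1": (2, 5),
    "field_plc_2": (2, 5),
    "isp_link": (4, 3),
    "backup_isp_link": (4, 2),
    "corporate_wan": (3, 3),
}

# Constructed sample dependency graph, treated as undirected: if either endpoint
# fails, that path is lost. Two ISP links both reach the corporate WAN.
DEPENDENCIES = [
    ("control_center_lan", "scada_master"),
    ("control_center_lan", "hmi_console"),
    ("control_center_lan", "historian"),
    ("control_center_lan", "auth_server"),
    ("control_center_lan", "plant_network_core"),
    ("plant_network_core", "field_plc_1"),
    ("plant_network_core", "field_plc_2"),
    ("control_center_lan", "isp_link"),
    ("control_center_lan", "backup_isp_link"),
    ("isp_link", "corporate_wan"),
    ("backup_isp_link", "corporate_wan"),
]


@dataclass
class RiskEntry:
    name: str
    likelihood: int
    impact: int
    spof: bool

    @property
    def score(self) -> int:
        # Simple likelihood x impact product; a real register may use a matrix.
        return self.likelihood * self.impact


def articulation_points(nodes, edges):
    """Nodes whose removal disconnects the graph (Tarjan's DFS low-link method)."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    disc, low, points, counter = {}, {}, set(), [0]

    def dfs(u, parent):
        disc[u] = low[u] = counter[0]
        counter[0] += 1
        children = 0
        for v in adj[u]:
            if v == parent:
                continue
            if v in disc:                      # back edge: may lower low[u]
                low[u] = min(low[u], disc[v])
            else:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                # Non-root u is an articulation point if some subtree cannot
                # reach an ancestor of u without passing through u.
                if parent is not None and low[v] >= disc[u]:
                    points.add(u)
        if parent is None and children > 1:    # root with >1 DFS child
            points.add(u)

    for n in nodes:
        if n not in disc:
            dfs(n, None)
    return points


def risk_register(elements=ELEMENTS, deps=DEPENDENCIES):
    """Entries sorted by score (desc), SPOFs first on ties, then by name."""
    spofs = articulation_points(list(elements), deps)
    entries = [RiskEntry(n, lk, im, n in spofs) for n, (lk, im) in elements.items()]
    return sorted(entries, key=lambda e: (-e.score, not e.spof, e.name))


def spof_after_losing(element, elements=ELEMENTS, deps=DEPENDENCIES):
    """What-if: SPOFs present once `element` (e.g. a backup link) is removed."""
    remaining = [n for n in elements if n != element]
    remaining_deps = [(a, b) for a, b in deps if element not in (a, b)]
    return articulation_points(remaining, remaining_deps)


if __name__ == "__main__":
    for e in risk_register():
        print(f"{e.name:20} L={e.likelihood} I={e.impact} score={e.score:2} spof={e.spof}")
    print("SPOFs if backup_isp_link is decommissioned:",
          sorted(spof_after_losing("backup_isp_link")))
```

With the constructed data the register ranks `hmi_console` highest by score, while `control_center_lan` and `plant_network_core` are the only SPOFs: the primary ISP link is not one because the backup link provides a second path to the corporate WAN. The what-if call shows `isp_link` becoming a SPOF as soon as the backup link is removed, which is the kind of finding a BIA should capture before a redundancy is retired.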

Once the above activities have been completed (or updated, if previous assessments have been performed), the next steps for developing a cyber threat program are as follows.

  • Cybersecurity Policy – Development of a formal policy for cyber threats is an important administrative activity, as it sets forth what constitutes a threat, its potential impact to the organization, and how the organization responds
  • Cyberattack Analysis Process – This set of steps to analyze an attack can be part of a policy but may be better as a standalone activity, along with steps to capture the anomaly, quarantine it, and eliminate it
  • Cybersecurity Awareness – Such a program educates employees on cyber threats, how the organization plans to address them, and how they can minimize the likelihood of becoming an attack victim
  • Cybersecurity Training – Often aligned with awareness activities, training programs ensure that employees and cybersecurity teams will know how to identify an attack, report on the event, and (for technical staff) keep current on all aspects of cyberattacks and technologies used to respond to them
  • Cybersecurity Communications to Management – Considering the potential impact of a cyberattack, establish a line of communications to senior leadership keeping them informed of an attack
  • Compliance with Relevant Standards and Regulations – It may be necessary to demonstrate compliance with one or more standards and legislation that address cybersecurity
  • Continuous Improvement – Beyond establishing a cybersecurity program for critical infrastructure elements, ensure that the program is regularly reviewed, updated and improved

Once the program has been developed and approved, it should be reviewed and tested to ensure its policies and procedures are consistent with good cybersecurity threat management practices. Document the program thoroughly and establish a periodic review cycle to keep it current.

Ongoing Cybersecurity Operations

The following are among the daily ongoing activities that are essential for identifying attacks, managing and mitigating them, and exercising ongoing diligence in monitoring the threat landscape.

  • Continuous Monitoring – As the cyber threat landscape is constantly evolving, due diligence requires ongoing monitoring of systems and networks so that any breach can be addressed quickly, minimizing potential damage
  • Alert Management – Most cybersecurity systems provide alerts when suspicious code is detected; these should notify members of the cybersecurity team as well as provide visual and audible alerts on a dashboard
  • Emergency Notification – If it is necessary to alert company employees, senior management and other stakeholders of the attack, a system for rapid notification should be available
  • Procedures for Responding to an Attack – Detailed step-by-step procedures should be documented and available to response team members when an event occurs; these include activating alternate systems and backup resources to facilitate the recovery of affected systems and data
  • Post-Event Activities – Once an attack has been mitigated and affected systems and resources recovered and returned to normal operations, perform a post-event review that identifies what worked and what did not, and update policies and procedures, as well as systems and technologies, based on lessons learned from the attack
  • Test Cybersecurity Procedures and Systems – Periodic (at least twice annually) exercises of cyberattack response procedures and systems are recommended to ensure that all response team members are prepared to handle an attack

Summary

Cybersecurity management for critical infrastructure organizations is an essential part of daily operations. The CI sectors listed in Table 1 have IT infrastructures with both traditional and specialized systems. The guidance in this article takes note of the unique technology systems and requirements of the various CI sectors and is applicable across all of them. Each system is a potential attack victim and must have the appropriate cybersecurity resources, including plans, procedures, policies, teams and operational activities, available when responding to an event.


[1] U.S. Government Accountability Office, Cybersecurity: Continued Attention Needed to Protect Our Nation's Critical Infrastructure, GAO report, July 26, 2011, pp. 3-4.

Published in IT Availability & Security


About the Author:

Paul Kirvan, FBCI, CISA, is an independent business resilience consultant, IT auditor, and technical writer with over 35 years of experience. Mr. Kirvan is a Fellow of the Business Continuity Institute (FBCI), a Certified Information Systems Auditor (CISA) and a member of the Resilience Association. www.resilienceassociation.org   [email protected]
https://www.linkedin.com/in/paulkirvan/
