The cybersecurity of the United States and other free nations’ critical infrastructure is growing in importance as both public and private sector partners face evolving cyber threats. In addition to public-sector organizations, chemical companies, communications providers, energy firms, and others who contribute to these countries’ critical infrastructure are all vulnerable to cyberattacks.
But too often, cybersecurity best practices aren’t consistent across these organizations. “Both public and private sector entities manage critical infrastructure at risk for cyberattacks, requiring a coordinated effort and information-sharing processes that currently do not formally exist in many states,” Deloitte describes. One organization’s vulnerabilities therefore can put the entire interdependent network of critical infrastructure organizations as well as nations themselves at risk.
In this article, we identify the unique vulnerabilities of these organizations and recommend the best cybersecurity tools, talent, and practices to protect them.
Organizations That Contribute to a Nation’s Critical Infrastructure
Hundreds of companies and public-sector entities contribute to a country’s critical infrastructure. These chemical, communications, energy, manufacturing, and other types of organizations all have unique vulnerabilities that require distinctive cybersecurity assets.
For example, chemical facilities are critical to national infrastructure because they produce essential products and materials used in other industries. Organizations that manage or own chemical facilities are responsible for the safety of their workers and the surrounding community, as well as the security of their digital and operational technologies.
Cyberthreats against chemical facilities can come from a variety of sources, including terrorist groups, nation-states, and individual hackers. As with other industries, chemical facilities have unique regulatory requirements both for general operations and as partners within an interdependent network of critical infrastructure-related organizations. “The Chemical Facility Anti-Terrorism Standards (CFATS) program works with the highest-risk facilities to ensure they have security measures in place to reduce the risks associated with certain dangerous chemicals,” as the Cybersecurity and Infrastructure Security Agency (CISA) of the United States reports.
Meanwhile, communications providers play a vital role in keeping federal, state, and local governments as well as related businesses and individuals connected. Communications providers are responsible for the security of their networks to protect these entities; they also must comply with a variety of laws and regulations, including those relating to cybersecurity, privacy, and consumer protection. Breaches in communication networks can not only create inefficiencies and connection losses; they can result in the theft of defense secrets or communications that can put free nations’ security at risk.
Energy companies provide the electricity that powers a nation’s critical resources, including military bases, public facilities, and other critical federal resources. Manufacturers and many other organizations also supply critical resources to national infrastructure, including the materials used to build transportation systems and facilities.
These are only some of the types of organizations that contribute to national infrastructure. Each of these organizations must take steps to protect their facilities, network security, and sensitive data, and also remain compliant with the most recent cybersecurity requirements for private-sector partners. Their responsibilities to human life represent a growing concern as well.
The Risks of a Successful Cyberattack
A successful cyberattack against any of these organizations could have serious consequences, including:
- Disruption of essential services: A cyberattack could disrupt the essential services that these organizations provide. For example, an attack on the power grid could cause a widespread blackout, or an attack on a water treatment facility could contaminate the water supply.
- Economic damage: A cyberattack could cause economic damage if, for example, it disrupted the operations of critical manufacturers or financial institutions.
- National security implications: A cyberattack against any of these organizations could have national security implications if, for example, it resulted in the theft or destruction of classified information.
- Loss of life: A cyberattack could result in loss of life if, for example, it disrupted the operation of critical aspects of national infrastructure such as hospitals or military communications. “By 2025, cyber attackers will have weaponized operational technology environments to successfully harm or kill humans,” as Gartner describes.
Recent cyberattacks against organizations have already disrupted U.S. critical infrastructure. “In 2021, OT attacks successfully targeted a major gas pipeline, U.S. government agencies, a Florida water treatment facility, the world’s largest meat-producing plant, and multiple hospitals and healthcare systems,” as Forbes reports.
Attacks on private sector organizations have disrupted operational infrastructure critical to the wellbeing of a nation as well. The 2017 NotPetya malware attack disrupted the operations of several major companies, including Maersk, “best known for its shipping containers” used globally, and Merck & Co., as I – Global Intelligence for Digital Leaders describes. The attack compromised “most of the company’s systems and applications while wiping out its access to almost all of its data.”
The diversity within the interdependent network of critical infrastructure contributors makes it difficult to create a full list of potential threats. Organizations that contribute to national infrastructure must take steps beyond the status quo to protect their networks from unauthorized access or intrusion. They must also ensure that they comply with all applicable laws and regulations, including those relating to cybersecurity, safety, and environmental protection.
Critical Infrastructure Cybersecurity Technologies and Best Practices
There are common cybersecurity best practices that organizations across this network must adopt, and each practice will have its own implications for each organization. A critical infrastructure cybersecurity program should include:
- Data security: Organizations should encrypt sensitive data and limit access to it on a need-to-know basis. For example, data related to the operations of a power plant should be accessible only to those who need that data to perform their jobs.
- Vulnerability management: Organizations should identify and patch vulnerabilities in their systems and applications. For example, companies that manage chemical facilities should patch any vulnerabilities that could be exploited to cause a chemical release.
- Identity and access management: Organizations should control access to their systems and data using strong authentication methods. For example, U.S.-based communications providers must ensure that only authorized personnel have access to network infrastructure associated with federal operations.
- Incident response: Organizations should have a plan in place for responding to cyber incidents. This plan should include steps for notifying law enforcement, containing the incident, and restoring operations. For example, manufacturers that contribute to critical infrastructure should have a plan for how they will respond if their factory automation systems are compromised. (Fortunately, “many incident response service providers offer training for internal teams on response actions, forensic investigations, and evidence collection,” Forrester reports.)
- Cyber threat intelligence: Organizations should proactively collect and analyze cyber threat intelligence to identify potential threats and vulnerabilities. They should also share this information with other organizations that contribute to critical infrastructure so that they can be better prepared to defend against attacks.
- Continuous monitoring: Organizations should continuously monitor their networks for suspicious activity. For example, manufacturers that contribute to critical infrastructure should use industrial control system (ICS) security monitoring tools to detect and respond to cybersecurity incidents.
- Cybersecurity training and awareness: Organizations should provide cybersecurity training and awareness programs for their employees. These programs should educate employees on how to identify and report suspicious activity, as well as how to protect themselves from phishing attacks.
By following these cybersecurity best practices, organizations can help protect themselves from cyberattacks and ensure that they comply with government requirements. But critical infrastructure organizations must invest in appropriate cybersecurity technologies as well to realize these goals. Examples include:
- Firewalls: Firewalls provide the first line of defense against attacks by blocking unauthorized traffic from entering an organization’s network. Recent advancements in firewall technologies, such as next-generation firewalls and application-aware firewalls, can help organizations detect and block more sophisticated, state-sponsored cyberattacks that threaten critical infrastructure organizations in particular.
- Security information and event management (SIEM) systems: SIEM systems collect and analyze data from a variety of sources to help organizations identify potential security threats. For example, a SIEM system could be used to monitor communications network traffic for signs of malicious activity.
- Intrusion detection and prevention systems (IDPS): IDPS systems detect and block malicious traffic before it can enter an organization’s network. For example, an energy company could use an IDPS to prevent attackers from accessing its control systems.
- Endpoint security: Endpoint security products protect an organization’s computers and devices from malware and other threats. For example, multi-factor authentication (MFA) can be used to protect against phishing attacks.
- Data loss prevention (DLP) systems: DLP systems help organizations protect their confidential data from being leaked or stolen. For example, a contractor who works with sensitive government information could use a DLP system to prevent sensitive data from being emailed to unauthorized recipients.
Organizations should also consider investing in cybersecurity insurance to help offset the costs of a cyberattack. By investing in these cybersecurity assets, organizations can help protect their networks and critical data from cyberattacks.
Securing the Right Cybersecurity Consulting and Implementation Partner
Realizing these capabilities requires the expertise of internal talent, but also external partners that allow for more robust and organization-specific cybersecurity capabilities. These partners “take a proactive role in your preparations for cyber conflict and defense,” as Forrester describes. “They’re incentivized to ensure that you receive the proper level of care contractually or specific to that technology.” When looking for a cybersecurity consulting and implementation partner, organizations should look for a partner who can:
- Conduct cybersecurity assessments: The partner should be able to conduct periodic cybersecurity assessments to identify weaknesses in your organization’s cybersecurity posture.
- Implement cybersecurity technologies: The partner should have experience implementing cybersecurity technologies, such as those listed above.
- Manage vulnerabilities: Cybersecurity professionals who have experience with vulnerability management can help organizations identify and patch vulnerabilities in their systems.
- Engage in threat hunting: Cybersecurity professionals who have experience with threat hunting can help organizations proactively identify potential threats, which is especially critical as new threats continue to emerge.
- Provide incident response services: The partner should be able to provide incident response services to help organizations quickly contain and resolve incidents.
By working with a certified partner, organizations can help ensure that their cybersecurity posture meets the latest industry standards.
A Unique Organizational Ecosystem Demands Shared Responsibility
“If you’ve been looking to create a path for advancement for your high-performing security operations center (SOC) analysts or security engineers, now is the time,” as Forrester describes. Even so, cybersecurity is a shared responsibility across your critical infrastructure ecosystem; it is important for all organizations that contribute to critical infrastructure to work together to protect against evolving cyber threats.
By implementing the cybersecurity best practices described in this article, organizations can help safeguard their networks and critical data. In addition, by hiring cybersecurity talent and working with certified cybersecurity partners, organizations can further help improve their cybersecurity posture.
Partner with Uvation for Excellence in Critical Infrastructure Cybersecurity
Uvation is a leading consultant for organizations that contribute to critical infrastructure, helping cybersecurity teams like your own identify, secure, and maintain leading capabilities in your organization’s specific industry. Contact one of our cybersecurity experts today for a free consultation.