Developing a Critical Infrastructure Cybersecurity Strategy

cybersecurity2.jpg

Given the blossoming of attacks on organizations — from energy to health care firms — the need for robust critical infrastructure cybersecurity has expanded.

By now, the need for comprehensive cybersecurity for critical infrastructure is clear. Public accounts are widespread concerning the risk of malicious actors targeting the electrical grid, dams, voting systems and other federally designated critical infrastructure. But the majority of organizations that provide essential services have taken only incremental steps in addressing cyber risk. “Many [operational technology] organizations have pretty nascent cybersecurity programs,” said Sean Peasley, a partner at Deloitte. 

The term “critical infrastructure” initially referred to public works such as transportation infrastructure and public utilities, but, since the 1990s, the definition has steadily expanded. Sectors under the rubric now include, among other things, health care, energy and utilities, and various manufacturers. “And practically speaking, we’re finding out in the era of COVID, that critical infrastructure is even broader than we thought,” said Kieran Norton, a principal at Deloitte. Makers of personal protective equipment, for instance, play a role in mitigating the crisis. “We’ve also learned that supply chain disruption during a pandemic, for instance, could potentially be catastrophic,” Norton said. Not surprisingly, logistics firms have cemented their role as essential. The U.S. government has declared that pulp and paper and meat-packing industries are essential as well. So the overlap between critical infrastructure and operational technology (OT) security continues to blur. No matter what the name, few of the industries in this domain have reached a high degree of cyber-effectiveness, according to research on industrial security from the Ponemon Institute underwritten by TÜV Rheinland.

Traditional critical infrastructure entities may have decades of experience with traditional risk management and safety initiatives, but for many, cyberssecurity is a relatively new priority. And broadly speaking, organizations managing critical infrastructure tend to be slow moving. “My general experience is that OT security is about 10 to 15 years behind the IT security space,” said Andrew Howard, CEO of Kudelski Security.  

Meanwhile, the threat landscape for critical infrastructure organizations continues to grow more precarious. The number of attackers targeting such infrastructure is surging, as is the number of connected devices in many critical infrastructure environments. According to the X-Force Threat Intelligence Index 2020 from IBM, the volume of attacks on industrial control systems in 2019 was higher than the previous three years combined.  

Click HERE to view the original article.

Diana Tai