Check the status of CVEs. Learn More.
Keeping your systems up 100% of the time requires live patching. Our solutions will align strongly with your risk, compliance, and operational uptime requirements.
TuxCare is trusted by the most innovative companies across the globe.
Learn about TuxCare's modern approach to reducing cybersecurity risk with Blogs, White Papers, and more.
Continually increasing Cybersecurity, stability, and availability of Linux servers and open source software since 2009.
TuxCare provides live security patching for numerous industries. Learn how TuxCare is minimizing risk for companies around the world.
2x a month. No spam.
December 20, 2022 - Tech Evangelist
Critical infrastructure is at the core of a functional society, supplying key utilities such as water, energy, and transport to the nation. It makes infrastructure providers an attractive target, whether that involves nation-states seeking to score an objective or cybercriminals looking to extract a large ransom.
A successful attack can be hugely disruptive to a nation’s citizens and, indeed, deadly in the worst case. In a World Economic Forum survey of personal concerns amongst senior cybersecurity leaders, infrastructure breakdown due to a cyberattack was cited as the number one concern.
It means that infrastructure providers and the organizations that govern that infrastructure must leave no stone unturned in defending infrastructure. In this article, we outline eight key cybersecurity principles that infrastructure providers should include in their cybersecurity plans.
When thinking about infrastructure, there is – as with any system – degrees of criticality. Some infrastructure is so systemically important that it would lead to immense harm if the infrastructure were successfully targeted. The harm factor may be less pronounced for other critical infrastructure, even if this infrastructure should be protected too (but perhaps with a lower priority).
Even within an infrastructure facility, it is important to distinguish between systems that are critical to protect (nuclear power control systems, for example) and systems that are important to protect but less critical (HVAC for a staff dormitory, let’s say).
Through defining and grading the criticality of systems, operators and regulatory agencies can apply cybersecurity resources where it is needed most.
At some point in the infrastructure security journey, companies will rely on vendors to boost their cybersecurity. Qualifying these vendors is a key step. This could include a set procedure that infrastructure operators use to qualify vendors. For example, evaluating the security processes and controls in place at a vendor, and how repeatable the secure process and controls are.
Using outside experts to help with the vetting process is also advisable, whether by using external testing labs for equipment or eliciting the advice of a cybersecurity firm to help qualify hardware and software vendors.
However, it is critical that infrastructure providers do not see the vendor qualification process as just another compliance box to tick. The qualification process must be deep, robust, and thorough enough to truly secure the supply chain.
Supply chain security is a key step in intrinsic security – you can’t secure what’s not within your remit, but at the same time infrastructure companies need to be highly proactive about the way they run security within their own organizations, including in how internal systems are configured.
As much as the Purdue Enterprise Reference Architecture is no longer as relevant as it used to be, it still holds key principles around the separation and segmentation of operational technology and industrial control systems. Infrastructure providers could look towards the Gartner IIoT framework or the ENISA model for a contemporary approach to building intrinsic security into critical infrastructure.
Unpatched vulnerabilities remain one of the biggest cybersecurity threats, as malevolent actors continue to rely on known, but unremedied weaknesses in systems to gain access. For infrastructure operators, it is a particularly tough challenge – as the technology in use sometimes cannot be restarted to apply a patch due to its critical nature.
Application whitelisting, ringfencing, and defending unpatched technology all help. Nonetheless, unpatched vulnerabilities pose such a critical danger that infrastructure operators should put maximum energy into patching software and devices.
This includes prioritizing unpatched devices and finding a way to patch the most critical devices. Applying novel solutions, such as live patching, is also key: for much of the operational technology and industrial IoT devices in use, live patching can deliver near-watertight patching outcomes with zero disruption.
Critical infrastructure commonly relies on niche technology or legacy technology to function, all of which require a unique approach to cybersecurity. Nonetheless, infrastructure providers should also watch out for the obvious security risks that every other organization deals with, as these can open the door just enough for the lateral movement needed to mount an infrastructure attack.
This means covering the basics: from securing the tools used by admin staff (strong passwords, MFA, and the like) right through to securing cloud infrastructure, including by vetting the cloud vendors in use.
We’ve seen time and time again how even the leaders of the technology world fall victim to cyberattacks. A successful cyberattack can happen to any organization, including critical infrastructure operators.
However, for critical infrastructure, reacting to limit damage and recovering rapidly is paramount given the role that critical infrastructure serves. Monitoring and detection enable rapid reaction, which means that an intruder can be stopped before real harm occurs.
Nonetheless, there should also be an assumption that an attack may succeed at any time. When the worst happens, a recovery plan is critical. A clearly defined and frequently tested recovery plan can help minimize the harm done to infrastructure provisioning during and after an attack.
That said, mounting a successful defense should always be the first priority. Through trusted suppliers, intrinsic security, and relentless patching – including live patching where possible – infrastructure providers can minimize the chance of a successful attack.
Learn About Live Patching with TuxCare
Regulations and standards guide companies toward a consistent cybersecurity response....
Anyone that’s committed to a five-nines mandate will dread the...
Hackers frequently target payment card industry (PCI) data. To help...
Cybersecurity insurance policies are considered by many to be a...
It’s the making of a horror film: a cyberattack that...
As expected, 2022 was a tough year for cybersecurity, with...