6 Cybersecurity Principles to Avoid Infrastructure Catastrophe
Critical infrastructure is at the core of a functional society, supplying key utilities such as water, energy, and transport to the nation. It makes infrastructure providers an attractive target, whether that involves nation-states seeking to score an objective or cybercriminals looking to extract a large ransom.
A successful attack can be hugely disruptive to a nation’s citizens and, indeed, deadly in the worst case. In a World Economic Forum survey of personal concerns amongst senior cybersecurity leaders, infrastructure breakdown due to a cyberattack was cited as the number one concern.
It means that infrastructure providers and the organizations that govern that infrastructure must leave no stone unturned in defending infrastructure. In this article, we outline eight key cybersecurity principles that infrastructure providers should include in their cybersecurity plans.
Define What Matters Most
When thinking about infrastructure, there is – as with any system – degrees of criticality. Some infrastructure is so systemically important that it would lead to immense harm if the infrastructure were successfully targeted. The harm factor may be less pronounced for other critical infrastructure, even if this infrastructure should be protected too (but perhaps with a lower priority).
Even within an infrastructure facility, it is important to distinguish between systems that are critical to protect (nuclear power control systems, for example) and systems that are important to protect but less critical (HVAC for a staff dormitory, let’s say).
Through defining and grading the criticality of systems, operators and regulatory agencies can apply cybersecurity resources where it is needed most.
Qualify, Qualify, Qualify
At some point in the infrastructure security journey, companies will rely on vendors to boost their cybersecurity. Qualifying these vendors is a key step. This could include a set procedure that infrastructure operators use to qualify vendors. For example, evaluating the security processes and controls in place at a vendor, and how repeatable the secure process and controls are.
Using outside experts to help with the vetting process is also advisable, whether by using external testing labs for equipment or eliciting the advice of a cybersecurity firm to help qualify hardware and software vendors.
However, it is critical that infrastructure providers do not see the vendor qualification process as just another compliance box to tick. The qualification process must be deep, robust, and thorough enough to truly secure the supply chain.
Get Intrinsic Security Right
Supply chain security is a key step in intrinsic security – you can’t secure what’s not within your remit, but at the same time infrastructure companies need to be highly proactive about the way they run security within their own organizations, including in how internal systems are configured.
As much as the Purdue Enterprise Reference Architecture is no longer as relevant as it used to be, it still holds key principles around the separation and segmentation of operational technology and industrial control systems. Infrastructure providers could look towards the Gartner IIoT framework or the ENISA model for a contemporary approach to building intrinsic security into critical infrastructure.
Leave No Stone Unturned When Patching
Unpatched vulnerabilities remain one of the biggest cybersecurity threats, as malevolent actors continue to rely on known, but unremedied weaknesses in systems to gain access. For infrastructure operators, it is a particularly tough challenge – as the technology in use sometimes cannot be restarted to apply a patch due to its critical nature.
Application whitelisting, ringfencing, and defending unpatched technology all help. Nonetheless, unpatched vulnerabilities pose such a critical danger that infrastructure operators should put maximum energy into patching software and devices.
This includes prioritizing unpatched devices and finding a way to patch the most critical devices. Applying novel solutions, such as live patching, is also key: for much of the operational technology and industrial IoT devices in use, live patching can deliver near-watertight patching outcomes with zero disruption.
Don’t Miss the Obvious
Critical infrastructure commonly relies on niche technology or legacy technology to function, all of which require a unique approach to cybersecurity. Nonetheless, infrastructure providers should also watch out for the obvious security risks that every other organization deals with, as these can open the door just enough for the lateral movement needed to mount an infrastructure attack.
This means covering the basics: from securing the tools used by admin staff (strong passwords, MFA, and the like) right through to securing cloud infrastructure, including by vetting the cloud vendors in use.
Rapidly React and Recover
We’ve seen time and time again how even the leaders of the technology world fall victim to cyberattacks. A successful cyberattack can happen to any organization, including critical infrastructure operators.
However, for critical infrastructure, reacting to limit damage and recovering rapidly is paramount given the role that critical infrastructure serves. Monitoring and detection enable rapid reaction, which means that an intruder can be stopped before real harm occurs.
Nonetheless, there should also be an assumption that an attack may succeed at any time. When the worst happens, a recovery plan is critical. A clearly defined and frequently tested recovery plan can help minimize the harm done to infrastructure provisioning during and after an attack.
That said, mounting a successful defense should always be the first priority. Through trusted suppliers, intrinsic security, and relentless patching – including live patching where possible – infrastructure providers can minimize the chance of a successful attack.