Some systems and assets are so vital that their incapacity or destruction would have a debilitating impact on security, economic security, public health or safety, or any combination of those factors. This so-called critical infrastructure has historically faced many complex threats. In 2023, we can add growing concerns about cybersecurity to the mix. We asked this week’s Expert Panel Roundtable: What is the largest risk to critical infrastructure in 2023? How can we address it?
Decision-makers are preparing for physical attacks on critical infrastructure in 2023, as indicated by the 100-plus attacks on power stations reported in 2022. Multiple layers of effective intrusion protection must be put in place on-site to secure perimeters inside and out, along with critical core facilities and assets. To accomplish this, various automated and connected surveillance solutions can be integrated to go beyond just detecting intruders by also classifying, verifying, identifying, tracking, and deterring them, keeping sites free from intrusion, theft, and sabotage. Sophisticated network cameras today have powerful processing capabilities and can act as sensors to gather rich metadata and act as servers on the edge to communicate, control, and trigger other devices on the network. Switching the focus from ‘cameras’ to ‘edge devices acting as powerful, real-time sensors’ is the first step to building an optimised protection system for critical infrastructure this year and beyond.
Cybersecurity threats absolutely continue to remain a top concern. Unfortunately, cybersecurity is not a one-and-done investment; it’s an ongoing commitment and the best way to address it is to follow industry best practices with constant vigilance. Part of it is changing the mindset of some of these stakeholders and making them understand this isn’t something you invest in once and leave alone. A lot of vendors in this industry, including ourselves, put out cybersecurity-hardening guides, but putting those into practice takes work on the part of the integrator and especially the end user, as a lot of this comes down to how the system is configured, installed and secured. Leveraging the as-a-service elements of cloud can be a step in the direction of taking some of the burden away from the integrator and the end user.
Critical infrastructure is a prime target for cyber-criminals, nation-state hackers and hacktivists because hacking is a cheap and low-risk way for them to make a big impact or receive a big payout. Consider the Colonial Pipeline ransomware attack in 2021: the nation’s largest oil pipeline was turned off, causing gas shortages, a rise in fuel prices, and panic at the pump for many Americans. Similar attacks have been levied against other energy companies, food supply lines, nuclear facilities, water plants, and public transportation. To better protect themselves, these organisations need to follow the best practices listed by NIST: segment their networks, implement strong network security protections like properly configured firewalls, embrace the Zero Trust architecture, enforce Multi-Factor Authentication, encrypt data at rest and in transit, and invest in training their employees. The DHS CISA branch offers free penetration testing to anyone classified as critical infrastructure and has a ton of great resources online.
Without a doubt, the biggest risk to critical infrastructure this year is from cyberattacks. Unfortunately, this method of attack is increasingly being adopted by criminals and even nation-states looking to gain an advantage alongside physical security incursions. The one downside of increased IT and security systems integration is that cyberattacks are more likely; however, there is much that can be done to level the playing field. Physical security systems such as CCTV/surveillance and access control are being hardened against attack along with the overall IT and facilities management systems. We have seen a big increase in the use of powerful encryption of physical security systems to tighten protection against these kinds of threats. The price of embracing the IoT and including multiple systems in the same network is greater vigilance, but the overall benefits make this a very worthy trade-off.
The lack of observable controls or the absence of controls in critical infrastructure poses a significant risk for 2023. This is particularly pronounced in target-rich environments that have significant funding or staffing limitations, such as K-12 schools, hospitals, and public utilities. These infrastructure segments systemically do not have adequate budget to deploy modern information security controls, staffing to configure and maintain those controls, and appropriate staffing or automation to measure the effectiveness of those controls. This can be addressed through a gap analysis to determine which critical controls are missing or ineffective when compared to a reputable list such as CISA’s Cybersecurity Performance Goals, dedicating resources (staff and budget) to close those gaps, and then establishing an automated compliance operations process to continuously verify that the control is effectively mitigating risks.
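The gap analysis and continuous verification process described in the answer above can be sketched in a small script. The following is an added example, not code from the panel or from CISA; the goal identifiers, the 30-day evidence window and the inventory are constructed placeholders and do not correspond to the actual numbering of the Cybersecurity Performance Goals. It separates three distinct findings a compliance-operations process needs to report: a control that is absent, one that is deployed but whose last check failed, and one whose evidence is too old to trust.

```python
"""Continuous control-verification check (added example, not the panel's text).

Compares an inventory of verification evidence against a required-control
baseline and classifies each control as effective, ineffective, stale, or
missing. Goal IDs below are hypothetical placeholders, not real CPG numbers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed baseline of required controls (placeholder IDs, not CISA's).
REQUIRED_CONTROLS = {
    "GOAL-MFA": "Multi-factor authentication on remote access",
    "GOAL-SEG": "Network segmentation between IT and OT",
    "GOAL-BKP": "Tested offline backups",
    "GOAL-LOG": "Centralised logging with retention",
}

# Assumed policy: evidence older than this no longer demonstrates the control works.
MAX_EVIDENCE_AGE = timedelta(days=30)


@dataclass
class ControlEvidence:
    goal_id: str
    verified_at: datetime  # when the automated check last ran (UTC)
    passed: bool           # result of that check


def assess_controls(evidence, required=REQUIRED_CONTROLS, now=None,
                    max_age=MAX_EVIDENCE_AGE):
    """Return {goal_id: status} for every required control.

    Only the most recent evidence record per control counts; an old passing
    record must not mask a newer failure.
    """
    now = now or datetime.now(timezone.utc)
    latest = {}
    for e in evidence:
        if e.goal_id not in latest or e.verified_at > latest[e.goal_id].verified_at:
            latest[e.goal_id] = e

    report = {}
    for goal_id in required:
        e = latest.get(goal_id)
        if e is None:
            report[goal_id] = "missing"       # control never verified at all
        elif not e.passed:
            report[goal_id] = "ineffective"   # deployed, but the last check failed
        elif now - e.verified_at > max_age:
            report[goal_id] = "stale"         # passed once, but evidence is too old
        else:
            report[goal_id] = "effective"
    return report


def gaps(report):
    """Goal IDs that need resources (staff or budget) assigned to close them."""
    return sorted(g for g, status in report.items() if status != "effective")


# Constructed sample evidence, fixed 'now' so the result is reproducible.
SAMPLE_NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
SAMPLE_EVIDENCE = [
    ControlEvidence("GOAL-MFA", SAMPLE_NOW - timedelta(days=2), True),
    ControlEvidence("GOAL-SEG", SAMPLE_NOW - timedelta(days=5), False),
    ControlEvidence("GOAL-SEG", SAMPLE_NOW - timedelta(days=40), True),  # superseded
    ControlEvidence("GOAL-BKP", SAMPLE_NOW - timedelta(days=45), True),
    # GOAL-LOG has no evidence at all.
]

if __name__ == "__main__":
    result = assess_controls(SAMPLE_EVIDENCE, now=SAMPLE_NOW)
    for goal_id, status in result.items():
        print(f"{goal_id:9} {status:12} {REQUIRED_CONTROLS[goal_id]}")
    print("gaps to close:", gaps(result))
```

Run as a scheduled job, the `gaps` output is the list that should drive resource allocation; the distinction between "ineffective" and "stale" matters because the remediation differs (fix the control versus re-run or automate its verification).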
One of the most significant risks to critical infrastructure is the potential lack of communication and collaboration between cyber and physical security teams, which could allow threats like data breaches, natural disasters, and supply chain disruptions to wreak havoc. As the threat landscape expands and critical infrastructure continues to be a target for threat actors, silos between cyber and physical teams can result in a delayed response to threats. These separate teams need to have regular, collaborative discussions across departments to address this issue. These joint sessions may identify areas of similar concern, best practices, and methods each team uses to mitigate potential risks. This will lead to developing a holistic risk picture and implementing streamlined processes with common operating information that will provide a singular language, ensuring an effective response to threats. Working to create such an environment promotes information sharing and common protocols.