Critical Infrastructure

What is Critical Infrastructure?

Critical infrastructure encompasses all assets, systems, and networks—both physical and virtual-that are vital to the proper functioning of a society’s economy, national public health or safety, security, or any combination of these factors. This broad definition includes various sectors crucial for sustaining a nation’s well-being and security.

Examples of critical infrastructure sectors may include:

• Food and agriculture
• Transportation systems (e.g., roads, railways, highways, airports)
• Internet and mobile networks

Critical infrastructure is essential for meeting basic living needs, and while it shares similarities across nations, the specific infrastructure considered critical can vary based on a nation’s unique needs, resources, and level of development. In the United States, much of this physical and cyber infrastructure are owned and operated by the private sector, although some is owned by federal, state, or local governments.

What are Critical Infrastructure Sectors?

In the U.S., critical infrastructure is divided into 16 sectors, each essential to the nation’s functioning. Guidance for the definition and management of these sectors comes from Presidential Policy Directive 21 (PPD-21), with risk coordination overseen by the U.S. Department of Homeland Security (DHS) through the Cybersecurity & Infrastructure Security Agency (CISA). The sectors that make up U.S. critical infrastructure include:

• Energy
• Water and Wastewater Systems
• Transportation Systems
• Food and Agriculture
• Healthcare and Public Health
• Emergency Services
• Chemical
• Commercial Facilities
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Financial Services
• Government Facilities
• Information Technology
• Communications
• Nuclear Reactors, Materials, and Waste

In Europe, critical infrastructure sectors are defined by the European Programme for Critical Infrastructure Protection (EPCIP), aligning with EU COM(2006) 786. In the United Kingdom, policy and preparedness for critical infrastructure are monitored by the National Protective Security Authority (NPSA).

While assets and regulatory landscapes may vary, there is a broad consensus among members of the Organization for Economic Coordination and Development (OECD) on common critical infrastructure sectors, policies, and loose frameworks. This agreement highlights the shared recognition of the importance of safeguarding critical infrastructure, despite the diverse assets and evolving regulatory requirements across different countries.

Understanding the Role of Compliance in Critical Infrastructure

Compliance plays a crucial role in the realm of critical infrastructure, where governments and regulatory bodies have intervened to establish guidelines and mandates aimed at ensuring cybersecurity practices. Three significant regulations, the EU-NIS (European Union Network and Information Systems) Directive, the DFARS (Defense Federal Acquisition Regulations Supplement) and the U.S. NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection), have global implications for critical infrastructure cybersecurity.

1. EU-NIS Directive:
   The EU-NIS Directive, proposed in 2013 and enacted in August 2016, focuses on achieving a high common level of cybersecurity for critical infrastructure across European Union member states. It sets goals to improve national cybersecurity capabilities, enhance cooperation between member states, and mandate operators of essential services (OES) and digital service providers (DSPs) to adopt appropriate security measures. Entities such as providers of electricity, transport, water, energy, healthcare, and digital infrastructure services fall under its scope. Noncompliance can result in substantial fines.
2. NERC CIP:
   In the United States, critical infrastructure industries are subject to industry self-regulation or government regulations specific to each sector. NERC CIP, focusing on cybersecurity, stands out with more than 100 standards and requirements for safeguarding critical infrastructure assets in the nation’s bulk electric systems. Noncompliance with NERC CIP standards can incur significant penalties, with the potential for fines of up to $1 million per day per violation. System availability takes precedence, influencing the choice of cybersecurity technologies and techniques used in critical infrastructures.
3. DFARS:
   The Department of Defense (DoD) emphasizes the protection of federal infrastructure by requiring all contractors processing, storing, or transmitting Controlled Unclassified Information (CUI) to adhere to DFARS minimum security standards. NIST 800-171 provides a framework for companies conducting business with the DoD to safeguard CUI. Compliance is crucial for maintaining DoD contracts, representing a significant portion of many companies’ annual revenue.

What are the Challenges to Critical Infrastructure Security?

The challenges to critical infrastructure security have escalated with the rise of digital transformation, creating a more interconnected world where cyberattacks pose significant threats to national security. The interconnectivity within networks, spanning governments and trusted third-party vendors, exposes critical infrastructure to potentially devastating attacks. These sophisticated attacks not only put these systems at risk but also can facilitate espionage, intellectual property extraction, and compromise networks for future exploits.

Despite the crucial need to protect critical infrastructure, businesses face several challenges in its implementation:

• Complexity: Critical infrastructure systems are often complex and interconnected, making them vulnerable to sophisticated cyber threats.
• Legacy Systems: Many critical infrastructure sectors still rely on outdated technologies that may lack robust security measures.
• Regulatory Compliance: Compliance with various regulations and standards can be a daunting task for organizations responsible for critical infrastructure.
• Resource Constraints: Limited budgets, personnel, and time can hinder the implementation of comprehensive security measures.

Choosing the Right Critical Infrastructure Security Vendor

When selecting a critical infrastructure cybersecurity vendor, it’s essential to consider attributes that align with the unique challenges and operational requirements of these environments. Here are key factors to look for in a cybersecurity solution for critical infrastructure:

• Non-Disruptive Asset Discovery: Prioritize solutions that perform non-disruptive asset discovery, as critical infrastructure operates 24/7. Active techniques with the potential to take equipment offline should be avoided. Passive techniques for asset discovery and classification enable the building of an accurate, foundational inventory of asset intelligence.
• Agentless, Vendor-Agnostic Operations: Opt for solutions that operate without agents and are vendor-agnostic. Critical infrastructure environments often have a mix of equipment from different vendors with varying levels of IT functionality. A solution that works across all device types and vendors, even those not relying on the 802.1X protocol, is crucial for flexibility and cost-effectiveness.
• Focus on IT Layers and Continuous Monitoring: Look for solutions that focus on IT layers where most security risks occur in critical infrastructure. Continuous monitoring is essential to provide real-time device intelligence and status updates. An effective solution detects anomalous activities and takes appropriate action based on predefined security policies.
• Risk-Mitigating Controls and Compliance on Demand: The chosen solution should identify and classify devices upon network connection, ensuring compliance with security policies without disrupting devices. This approach follows best practices for securing network devices while maintaining the availability of critical systems.
• Integration and Orchestration Capabilities: Prioritize solutions that can be integrated and orchestrated with other cybersecurity vendors’ solutions. In heterogeneous environments with multiple security products, coordination and interoperability are crucial for organization-wide security responses. A vendor with a broad partner network enables accelerated response, operational efficiencies, and superior security.
• Scalability to Millions of Devices: Considering the expanding number of IoT and OT devices in critical infrastructure, choose a solution that can scale to millions of devices in a single deployment. Scalability ensures that the solution can effectively handle the growth of devices without compromising performance.

By focusing on these considerations, organizations can select a cybersecurity vendor that aligns with the specific needs and challenges of critical infrastructure, providing robust protection without disrupting essential operations.

How Forescout Can Help Secure Critical Infrastructure

Dedicated to fortifying critical infrastructure security, Forescout offers continuous, real-time visibility within Industrial Control and Operational Technology Systems. It seamlessly generates detailed network maps, organizing devices by roles or networks. An innovative framework prioritizes mitigation strategies, proactively identifying vulnerabilities in Operational Technology devices and protocols.

This proactive solution actively monitors network communications, swiftly identifying cyber threats through a security risk scoring system. Leveraging deep packet inspection and continuous policy monitoring, it maintains a vigilant stance against evolving cyber threats. Ensuring compliance with the NIST Cybersecurity Framework, it elevates maturity levels across key functions, encompassing asset identification to rapid response.

In capturing comprehensive device details, including network addresses and vendor information, it facilitates well-informed decision-making. Automatic assessments of vulnerabilities, threat exposure, and operational issues empower proactive risk management. Operational risk scores and an Industrial Threat Library rapidly pinpoint assets needing attention, establishing a robust defense against cyber threats and operational disruptions in critical infrastructure environments.

Fortify resilience and stay ahead of new risks and guidelines. Schedule a personalized demo today.