Critical Infrastructure Is a Local and Global Imperative
Protecting critical infrastructure is increasingly a global priority.
Consider the services that society counts on every day—everything from the electric grid, to utilities, to transportation systems, to communications networks, and more. Increasingly, these vital systems face potential disruption from both natural and man-made disasters. Protecting the connected information technology (IT) and operational technology (OT) systems that keep critical infrastructure running 24/7 is a top local and global imperative.
Which industries are most critical?
The Department of Homeland Security (DHS) has named the industry sectors that possess, manage or maintain critical infrastructure. Maintaining the security of these critical infrastructure sectors is essential to prevent a successful cyberattack from cascading into other sectors, the global economy, and society at large.
The world cannot function today without a reliable supply of energy. If the energy sector ceases to function efficiently and effectively, other sectors will falter, too.
ABI Research estimates that global spending on cyber protection of the energy sector, covering both IT and OT environments, will total $8 billion in 2018 and almost double to $15 billion by 2023. The majority of that spending will be focused on the electric power grid, specifically on securing generation, transmission, and distribution as the most critical assets of the grid.
To learn how NACE is getting visibility into untrusted space with the ForeScout solution, read the case study.
In addition to the electric grid, other “enabling” utilities and public services are greatly at risk of cyber-attacks. This broad sector includes public agencies that are responsible for providing clean drinking water to citizens, processing waste water and sewage, and removing and disposing of garbage from both private homes and commercial enterprises.
This sector includes emergency first-responder services, government activities that allow civic life to flourish, and a multitude of other services.
ForeScout joined the National Cybersecurity Center of Excellence (NCCoE) as a technology collaborator in the Energy Sector Asset Management (ESAM) Project.
Transportation systems around the world are responsible for safely, securely, and cost-effectively moving people and goods across cities, states, countries, and continents. According to the US Department of Homeland Security (DHS), the transportation sector encompasses seven key subsectors, or modes, that must operate smoothly if societies and economies are to function:
- Highways and Motor Systems
- Maritime Transportation Systems
- Mass Transit and Passenger Rail
- Pipeline Systems
- Freight Rail
- Postage and Shipping
Cyberattacks against transportation infrastructure—particularly airports—have been increasing recently. In September 2018, critical applications at Bristol Airport in England were taken offline by a ransomware attack. In March 2017, the Atlanta airport—one of the busiest in the world—shut down its free WiFi network and disabled some of its website’s functions after a citywide ransomware attack took down the city of Atlanta’s network. Two Ukrainian airports were also affected by a variant of the Petya virus in 2017.
The Communications sector has been named as an enabling function.
Globally, this is a highly diverse segment that depends on earth-bound, satellite, and wireless transmission systems that are interconnected even as they are distributed throughout the world.
Although largely privately owned, this sector is heavily regulated by governmental mandates, and communications operators must work closely with local, regional, and even international governmental bodies to ensure that they operate in a way that benefits citizens, businesses, and public organizations alike.
This is a highly vulnerable infrastructure, as it has evolved over the past half century from voice-only transmissions to voice and data transmissions of all kinds, carrying data that can be highly sensitive to both consumers and businesses.
High Risk Secondary Sectors
Challenges & Complexities
Why securing OT critical infrastructure isn’t straightforward
Why haven’t critical infrastructure organizations found a comprehensive solution for complying with EU NIS, NERC CIP or DFARS / NIST, or for providing comprehensive cybersecurity? The answer: because it isn’t easy to come up with a uniform response.
Some of the contributing factors include:
Incomplete Asset Awareness
Critical infrastructure has been built upon many different types of technologies over the years. Many systems are decades old—developed well before the internet became mainstream. Many depend on hardware, software, and operating systems that aren’t compatible with today’s technology. In fact, many of these systems use proprietary operating systems, languages, and protocols.
Traditional network security tools do not easily detect, inspect, or classify OT assets, leaving large blind spots in security defenses. Attackers use tools that scan for unsecured internet connections, so it is often the unknown devices, or devices with unknown status, that pose the greatest risk to organizations.
Most critical infrastructure facilities lack a complete, up-to-date inventory of their OT assets despite the need for safety, security, and compliance. Ensuring 24/7 operations while managing a diversity of technologies, devices, and protocols, together with the critical nature and sensitivity of the OT equipment, complicates asset management. But knowing what is on the network lays the foundation for a solid security practice.
Problems With Patching
The SANS Industrial IoT Study shows that security patching is a top concern of organizations. They know it’s critical for safety—and even profitability—yet there are many difficulties inherent in doing it right. Chief among them: how to patch what needs to be patched without disrupting the rest of the critical infrastructure.
Indeed, rather than disrupt operations, many companies simply forgo patching and other important security measures. A Forrester and ForeScout study showed that 59% of respondents were willing to take medium-to-high risks with regard to their security practices.
Not Adapted For Critical Infrastructure
Legacy critical infrastructure equipment and operating systems weren’t designed to accept the “agents” that most network management and monitoring tools require you to install on individual devices. Such agents require frequent updates in the form of patches to stay current, and that simply isn’t possible in critical infrastructure environments where uptime is of utmost importance.
Active Security Measures
Active security measures, in which a security solution not only detects an issue or potential threat but also automatically takes remediation steps, are essential in a traditional IT environment. In OT environments, however, active security techniques have the potential to disrupt control systems and impact business-critical operations. Any solution you deploy must first follow the adage: do no harm. Once an asset inventory has been completed and the assets classified, those that can safely support active techniques can be identified.
Not surprisingly, governments and other regulatory bodies have stepped in to establish guidelines and regulatory mandates to protect critical infrastructure. Three regulations in particular are having significant global impact and merit special attention: the EU NIS Directive and, in the U.S., NERC CIP and DFARS.
- EU NIS – European Union Network and Information Security Directive.
- NERC CIP – The North American Electric Reliability Corporation Critical Infrastructure Protection standards (US).
- DFARS/NIST 800-171 – Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST) 800-171 framework.
- Regulatory Information by Country – UN article lists other regulations by country.
Critical Infrastructure Regulations Quick Guide
A quick guide on Critical Infrastructure Regulations
Visibility is a foundational requirement of critical infrastructure cybersecurity and compliance. If a particular network asset isn’t identified, you can’t protect it from hackers. Some of the attributes to look for in cybersecurity solutions for critical infrastructure environments include the following:
- Performs non-disruptive asset discovery.
- Offers agentless, vendor-agnostic operations.
- Focuses resources where most threats occur.
- Performs continuous monitoring.
- Delivers controls and compliance on demand.
- Integrates and orchestrates with other solutions.
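The following is an added example, not ForeScout's code, that shows what "non-disruptive asset discovery" followed by classification looks like in practice, and how the "do no harm" rule from the Active Security Measures section can be applied once assets are classified. It folds already-captured flow records into a per-host inventory, labels each host from the protocols it is observed serving or initiating, flags hosts missing from a documented baseline, and permits active checks only for documented, purely IT hosts. The flow records, the baseline list and the port-to-protocol table are all constructed for illustration.

```python
"""Passive OT asset inventory built from already-captured network flows.

Added example, not ForeScout's code. Every flow record and the baseline
list below are constructed sample data; the port-to-protocol table is an
assumption chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed well-known ports -> (protocol label, asset kind). Industrial
# protocols are tagged "ot"; ordinary enterprise protocols are "it".
PORT_PROFILES = {
    502: ("modbus", "ot"),
    20000: ("dnp3", "ot"),
    44818: ("ethernet/ip", "ot"),
    102: ("s7comm", "ot"),
    4840: ("opc-ua", "ot"),
    22: ("ssh", "it"),
    443: ("https", "it"),
    3389: ("rdp", "it"),
}
PROTOCOL_KIND = {name: kind for name, kind in PORT_PROFILES.values()}

# Constructed flow records (src_ip, dst_ip, dst_port), as they might be
# exported from a SPAN port or NetFlow collector. Nothing is probed.
SAMPLE_FLOWS = [
    ("10.1.0.10", "10.1.0.50", 502),    # HMI polling a PLC over Modbus
    ("10.1.0.10", "10.1.0.51", 20000),  # HMI polling an RTU over DNP3
    ("10.1.0.10", "10.1.0.50", 502),
    ("10.2.0.20", "10.1.0.10", 3389),   # engineering workstation RDP to HMI
    ("10.2.0.20", "10.2.0.21", 443),    # plain IT-to-IT HTTPS
    ("10.1.0.77", "10.1.0.50", 502),    # host not in baseline talking Modbus
    ("10.1.0.77", "10.1.0.50", 5000),   # same host, unrecognised port
    ("10.3.0.5", "10.2.0.21", 443),     # undocumented IT client
]

# Constructed baseline of hosts the plant has documented.
KNOWN_HOSTS = {"10.1.0.10", "10.1.0.50", "10.1.0.51", "10.2.0.20", "10.2.0.21"}


@dataclass
class Asset:
    ip: str
    served: set = field(default_factory=set)   # protocols this host answers
    spoken: set = field(default_factory=set)   # protocols this host initiates
    flows: int = 0
    expected: bool = False                     # present in the documented baseline

    @property
    def role(self) -> str:
        """Classify from observed behaviour only; no packets are sent."""
        if any(PROTOCOL_KIND.get(p) == "ot" for p in self.served):
            return "ot-controller"      # PLC/RTU answering an industrial protocol
        if any(PROTOCOL_KIND.get(p) == "ot" for p in self.spoken):
            return "ot-supervisory"     # HMI or engineering station driving controllers
        if any(PROTOCOL_KIND.get(p) == "it" for p in self.served | self.spoken):
            return "it-host"
        return "unclassified"

    @property
    def safe_for_active(self) -> bool:
        """'Do no harm': only documented, purely IT hosts get active checks."""
        return self.role == "it-host" and self.expected


def protocol_for(port: int) -> str:
    """Label a destination port; unknown ports keep a generic tcp/N label."""
    return PORT_PROFILES.get(port, (f"tcp/{port}", "unknown"))[0]


def build_inventory(flows, baseline):
    """Fold flow records into per-host assets; the baseline marks expected hosts."""
    assets = {}
    for src, dst, port in flows:
        proto = protocol_for(port)
        for ip in (src, dst):
            asset = assets.setdefault(ip, Asset(ip, expected=ip in baseline))
            asset.flows += 1
        assets[src].spoken.add(proto)
        assets[dst].served.add(proto)
    return assets


def unexpected_hosts(inventory):
    """Hosts seen on the wire but absent from the documented baseline."""
    return sorted(ip for ip, a in inventory.items() if not a.expected)


def active_candidates(inventory):
    """Hosts that may be subjected to active techniques under the rule above."""
    return sorted(ip for ip, a in inventory.items() if a.safe_for_active)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS, KNOWN_HOSTS)
    for ip in sorted(inv):
        a = inv[ip]
        print(f"{ip:<10} {a.role:<15} expected={a.expected!s:<5} "
              f"active_ok={a.safe_for_active!s:<5} served={sorted(a.served)}")
    print("unexpected:", unexpected_hosts(inv))
    print("active candidates:", active_candidates(inv))
```

Two design points matter here. Classification is derived entirely from traffic the hosts already generate, so the inventory itself is non-disruptive and needs no agent on the endpoint; and a host is never eligible for active checks just because it looks like IT: the undocumented client `10.3.0.5` stays passive-only until someone adds it to the baseline, while `10.1.0.77`, an unlisted host driving Modbus to a PLC, is exactly the kind of unknown device the Incomplete Asset Awareness section warns about.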
To learn more about the challenges of securing critical infrastructure and how the ForeScout platform can help, download the white paper.
Considerations for Critical Infrastructure Security
A quick guide on Critical Infrastructure security solution considerations