
Critical Infrastructure Protection: Securing the Foundation of Modern Society

Threat Intelligence • Oct 16, 2023

Ever wonder what keeps society running smoothly? It's critical infrastructure. Things like power grids, water supplies, emergency services, and transportation networks are the foundation that support our modern way of life. If any part of this infrastructure is disrupted, it would have a devastating ripple effect.


That's why critical infrastructure protection is so important. As infrastructure has become increasingly connected, the potential attack surface for malicious actors has grown exponentially. Cyber threats like ransomware, data breaches, and denial-of-service attacks threaten to disrupt everything from electricity distribution to healthcare services to financial systems.


In this blog post, we're looking at the importance of critical infrastructure protection.

What Is Critical Infrastructure and Why Does It Need Protection?

Critical infrastructure refers to the essential facilities, systems, and networks that provide vital services to a nation. Things like the electrical grid, water supply, emergency services, transportation, and communication networks. Without them, society as we know it would grind to a halt.


The infrastructure considered critical varies from country to country based on their unique needs and circumstances.


According to the Australian Government, the following infrastructure is considered critical:


  • Communications;
  • Financial services and markets;
  • Data storage or processing;
  • Defence industry;
  • Higher education and research;
  • Energy;
  • Food and grocery;
  • Health care and medical;
  • Space technology;
  • Transport;
  • Water and sewerage.

It is essentially "the assets and services that underpin our society and on which we rely for our everyday business and lives."


So why does critical infrastructure need protection? Simply put, because any disruption has the potential for devastating consequences. Whether due to a cyber attack, natural disaster, or physical attack, damage to critical infrastructure can result in loss of life, economic catastrophe, and threats to national security.


The Stuxnet worm, the Colonial Pipeline hack and the SolarWinds hack are all examples of how attackers have successfully disrupted critical infrastructure. These large-scale cyber attacks resulted in millions of dollars of losses and the compromise of critical systems and data.


In recent years, infrastructure has become increasingly connected and digitised to facilitate innovation and growth. While this connectivity has increased efficiency and productivity, it has also made critical systems more vulnerable to cyber attacks.


Critical Infrastructure Cybersecurity Legislation

Critical infrastructure like power grids, water supplies, and transportation systems are increasingly targeted by cyber threats that could disrupt essential services. Governments around the world have passed laws and created agencies focused specifically on critical infrastructure protection. In this section we're exploring some of the key laws that exist to protect critical infrastructure.


The Security of Critical Infrastructure Act of 2018


This Act was passed to manage risks related to critical infrastructure, making sure those assets are safe from cyber threats and other dangers.


It aims to achieve this by:

  • making it clearer who owns and operates critical infrastructure in Australia, helping us understand potential risks better;
  • promoting cooperation between different levels of government, regulators, and the owners and operators of critical infrastructure to work together in identifying and managing risks;
  • making sure the people responsible for critical infrastructure assets recognise and manage risks related to those assets;
  • setting stronger cybersecurity rules for important systems to make them better prepared for and responsive to cybersecurity incidents; and
  • establishing a plan for the government to respond to serious cybersecurity incidents.

This Act is all about safeguarding our critical infrastructure from potential threats and improving our overall security. Source: Security of Critical Infrastructure Act 2018


This Act was also amended in two parts, once in December 2021 and again in April 2022. These amendments expanded the sectors covered by the law from just four sectors (electricity, gas, water and ports) in 2018 to include defence, space, transport, food and grocery, higher education and research, healthcare and medical services, energy, financial services and markets, data storage or processing, water and sewerage, and communications as critical infrastructure sectors.


TSA Security Directive


The Transportation Security Administration (TSA) is the United States' principal agency for protecting the nation's transportation systems and ensuring the freedom of movement of people and goods.


After the Colonial Pipeline attack in May 2021, the TSA issued a security directive to improve cybersecurity in the pipeline industry. The new security rules require oil and natural gas pipeline operators to do a few important things:


  1. They have to send an updated plan for keeping their computer systems safe to the TSA every year. The TSA will check and approve this plan.
  2. They need to report the results of tests they've done in the past year, and they must also create a schedule for regularly checking that their cybersecurity measures work well. The TSA wants all of their security measures to be tested at least once every three years.
  3. They have to test at least two parts of their plan for responding to cyberattacks. People who are supposed to respond to these attacks need to practice every year to make sure they know what to do. These rules are in place to make sure our pipelines stay safe from cyber threats.

NERC CIP Reliability Standards


The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards aim to secure the bulk power system in North America. Utilities must comply with requirements like conducting risk assessments, implementing security controls, limiting access, monitoring systems, and developing response plans. Compliance is mandatory for most power grid operators.


Achieving and maintaining compliance with these complex regulations can be challenging. However, by taking a risk-based approach, critical infrastructure organisations can focus resources on their most important assets and systems. Strong cybersecurity ultimately leads to greater operational resilience and helps ensure that essential services remain available.

Achieving Operational Resilience for Critical Infrastructure

To achieve operational resilience, critical infrastructure organisations need to adopt a holistic cybersecurity strategy focused on risk management. This means identifying, assessing and mitigating vulnerabilities that could disrupt operations or services.


Assess Cyber Risks

First, conduct a comprehensive risk assessment to identify potential cyber threats, vulnerabilities and impacts. Evaluate both internal systems and external connections to identify weak points. Analyse the likelihood and severity of various attack scenarios.

Rank risks so you can prioritise mitigation efforts.


Develop Risk Management Plans

Next, create plans to avoid, reduce and mitigate risks. This includes procedures for preventing attacks, containing damage, and restoring operations if disrupted. Determine strategies for addressing different threat levels. Practice and drill response plans regularly to ensure effectiveness.


Implement Security Controls

Deploy technical, physical and administrative controls to protect systems and networks. Use firewalls, malware detection, data encryption and employee training. Control access with multi-factor authentication and least-privilege policies. Install intrusion detection to monitor for breaches. Stay up-to-date with software patches and system upgrades.


Build Resilience

Improve the ability to withstand and recover from disruptions. Build redundancies for critical systems and backup power supplies. Develop crisis communication plans to coordinate response and inform stakeholders. Conduct emergency response exercises to identify and address gaps. Work with vendors, suppliers and partners to ensure the resilience of interdependent infrastructure.


Achieving operational resilience requires ongoing effort and investment. But for critical infrastructure, enhancing cybersecurity and the ability to withstand threats is essential to providing the vital services communities depend on. With comprehensive risk management, the right security controls and a focus on resilience, organisations can better protect infrastructure from cyber threats.

Conclusion

We all rely on critical infrastructure every day, often without realising it. Our way of life depends on it. Critical infrastructure protection is not an easy road, but with the risks higher than ever, strengthening critical infrastructure security is fundamental to ensuring the functioning of society and protecting national security.
