How can we protect critical infrastructure sectors?

Cybersecurity is one of the most crucial workplace safety considerations today. As businesses implement more digital technologies, cyberattacks become more likely and potentially damaging. This trend is particularly concerning for critical infrastructure.

The recent Colonial Pipeline ransomware attack revealed how vulnerable critical infrastructure is to cyberthreats. While this incident cost nearly $5 million in ransom payments to mitigate, it was still relatively tame compared to what a similar attack could do. As cybercrime continues to grow, businesses and government agencies alike must secure this infrastructure.

Here are five ways to achieve that goal.

Understand the relevant risks

The first step to protecting critical infrastructure is knowing where its vulnerabilities lie. Without a thorough understanding of potential threats and their impact, you can’t expect to craft an effective defense strategy.

Cybercrime is a continually evolving practice, so no strategy can account for every possible threat. However, organizations can identify the most likely, significant and potentially damaging risks and create plans to mitigate those. This process starts with a thorough review of all a system’s endpoints, dependencies and past issues.

Penetration testing may be necessary to uncover hidden vulnerabilities that could jeopardize the infrastructure in question. Only 39% of organizations in 2020 said they were confident in their security posture. Pen testing can reveal if there's a reason for this lack of confidence, highlighting where infrastructure cybersecurity needs to improve.

Practice good cyber hygiene

In all critical infrastructure, human error is perhaps the most important vulnerability to address. No matter what a system’s technological defenses are, one mistake from an insider can compromise it. The Colonial Pipeline hack came from a single breached password, which better cyber hygiene could’ve prevented.

Requiring employees to rotate passwords and implementing multifactor authentication (MFA) are common steps that go overlooked. Another critical practice in this area is minimizing data access among employees and third parties. This will mitigate the risks each party poses if they suffer a breach.

Zero-trust architecture, which segments networks and verifies all data transactions before enabling them, may be necessary for the most vulnerable critical infrastructure.

Secure IoT devices

Another common vulnerability to address is Internet of Things (IoT) devices. IoT gadgets like smart sensors provide many benefits to critical infrastructure, but they bring many security risks. Most notably, each one is a potential route for hackers to access more sensitive devices and data on the same network.

IoT devices typically feature minimal built-in security, making them ideal entry points for hackers to access a network. Organizations can mitigate this risk by hosting these systems on separate platforms from mission-critical machines and data. That way, if a threat actor breaches an IoT device, they can only do minimal damage.

Changing default passwords and implementing MFA on IoT devices can further secure them. Turning on encryption, which typically isn’t on by default, will help, too.

Take advantage of technology

Given the risks that attacks on critical infrastructure pose, these systems should adopt the latest security measures. They can’t continue to rely on legacy devices and software and expect to stay safe against increasingly sophisticated attacks.

Automation is one of the most helpful new security technologies for these applications. Just as robotic welding improves quality and consistency in physical infrastructure, monitoring can improve the quality of infrastructure’s digital defenses. Automated threat detection systems can find and address risks humans miss and do so 24/7.

Other technologies are helpful, too. Confidential computing, which encrypts data during processing, can help secure IoT operations across critical infrastructure. Secure access service edge (SASE) can reduce network complexity, giving IT workers more visibility and control. This enables faster responses.

Establish emergency protocols

No matter what other steps an organization takes, it must also create an emergency response plan. Critical infrastructure is too important to assume its cybersecurity system will prevent all attacks. By contrast, formal, detailed emergency protocols can help mitigate a hack if it breaks through the system’s defenses.

While the 2021 Texas power outage didn’t result from a cyberattack, it highlights what a lack of resiliency can lead to. The incident led to 57 deaths and $195 billion in property damage, a tremendous loss that better preparedness could’ve prevented or at least mitigated. The same applies to cyberattacks.

Critical infrastructure networks must have emergency response plans for various situations. These should include mission-critical data and systems backups, communication channels, contingency plans and assignments of who should do what. Having such a plan will enable faster, more effective responses.

Critical infrastructure protection is essential

Critical infrastructure is essential for safety, even on a national level, and cybersecurity is a significant part of that. Any agency or organization that works with these systems should review its security policies to ensure it’s ready for these threats.

Each system carries unique considerations, but these five steps should apply everywhere. Businesses that follow these guidelines can protect the nation’s most vulnerable assets from cyberattacks.

ON DEMAND: A discussion of new data on trends in falls and updated resources from CPWR – The Center for Construction Research and Training and the OSHA-NIOSH-CPWR National Campaign to Prevent Falls in Construction.