
Securing the Global Killswitch: 5 Ways to Protect Critical Infrastructure From Attack

October 24, 2018 by Megan Sawle

As we wrap up the last week of Cyber Security Awareness Month, we turn our focus to protecting our nation’s critical infrastructure. The Department of Homeland Security categorizes 16 sectors as critical infrastructure, including important industries like energy, manufacturing and transportation. It’s easy to see why these sectors are so essential: without them, nearly every business in every industry would grind to a halt.

Today’s grid is both the backbone of our nation’s economy and its Achilles’ heel. Attacks like Crash Override and Stuxnet have prompted new discussions and initiatives around the globe to address vulnerabilities in our increasingly interconnected world. Fortunately, there are several actions we can take now to protect our critical infrastructure from cyber attacks.

Step 1: Support a Culture of Security Awareness

Technical advancements continue to transform how players in the energy and utility sector service our homes and businesses. As their technology environments increase in complexity and sophistication, so do the cyber threats and malicious actors targeting their employees and systems.

Energy and utility companies must foster a culture of security awareness to combat cyber threats targeting their organizations. Engaging security awareness and training programs teach employees how to detect, avoid and report security threats like phishing and other malicious content. To be effective, this culture must encompass all areas of the extended business and supply chain. Smaller utility providers that struggle to provide these services in-house should explore partnerships with consultants and managed security service companies for assistance.

Step 2: Secure the Supply Chain

Today’s service providers leverage an extended supply chain to keep our lights on and water flowing. Bad actors map out these same supply chains and scan for weaknesses, using attacks like spearphishing on smaller, linked facilities to harvest credentials or install malware.

Organizations in the critical infrastructure industry must conduct thorough vendor risk assessments on all supply chain partners, especially those impacting the core business. Controls such as appropriately scoped privileged access and robust authentication should be used wherever possible.

Step 3: Anonymize & De-Identify Data

As critical infrastructure adopts big data and machine learning to streamline processes and optimize energy consumption, service providers must work to keep this data out of the hands of malicious actors. Aggregation of data is a key issue in privacy. While still not a “silver bullet,” service providers can boost the impact of data anonymization and de-identification through good data governance. Specialist frameworks like the Health Information Trust Alliance (HITRUST) can help inform the use of de-identified data at any organization.

Step 4: Secure the Industrial IoT

Connecting industrial control systems (ICS) across multiple endpoints has created an interwoven threat matrix of new attack vectors and points of malicious entry. Types of attacks targeting these systems include espionage, data breaches, vandalism, physical damage and data tampering.

While these interconnected cyber-physical systems are here to stay, solid web-security measures can protect these systems from outside attack. Resources like ICS-CERT offer several best practices and training resources to help protect our critical infrastructure from cyber threats.

Step 5: Consult the NIST Framework

False data injection and malware are just a few of the ways bad actors can harm or shut down the grids powering our homes and businesses. Resources like NIST’s Framework for Improving Critical Infrastructure Cybersecurity provide security best practices and risk management guidance for energy and utility companies. Recently updated in April, the Framework includes information on:

  • Cyber risk self-assessments
  • Cyber supply chain risk management
  • Improving account authentication, authorization and identity proofing

Download Our Whitepaper to Learn More

Want to dive deeper? Download our whitepaper, Critical Security Concerns Facing the Energy & Utility Industry, for an in-depth look at the critical infrastructure threatscape and practical tips to harden these critical sectors against attacks.

Megan Sawle

Megan Sawle is a communications and research professional with 10 years of experience in cybersecurity, bioscience and higher education. Megan leads Infosec’s research strategy, leveraging study findings to mature its cybersecurity education offerings and build awareness of cybersecurity diversity and skill shortage challenges. Since joining the team, she’s directed research projects on a wide variety of cybersecurity topics ranging from dark web marketplaces and phishing kits to the Workforce Framework for Cybersecurity (NICE Framework) and the importance of soft skills in cybersecurity roles. Megan is a University of Wisconsin-Stout graduate, an avid equestrian and (very) amateur mycologist.