At the 2022 NATO Summit, US President Joe Biden and other world leaders committed to “building resilience against transnational threats,” particularly those that threaten cyberspace. This comes in the wake of the 3,900% uptick in cyberattacks targeting critical infrastructure — gas pipelines, steel production, logistics operations, and ship navigation, among others — between 2013 and 2020.
In fact, a recent act of sabotage derailed Northern Germany’s railway system when the critical cable system for the GSM-R rail communications network was harmed, causing a serious train traffic outage. While in this instance the damage was physical rather than in the cybersphere, the incident demonstrated malicious actors’ growing intent to take critical infrastructure offline with potentially widespread effects.
Cybersecurity, it seems, has joined the list of topics topping global discourse — in no small part due to the growing recognition of vulnerability in U.S. critical infrastructure. But what best practices can be adopted to help build cyber resilience?
As the digitization of critical infrastructure assets continues to accelerate across industries, attack vectors multiply, necessitating robust cybersecurity strategies. The following best practices can help build cyber resilience within the critical infrastructure sector tailored to the unique challenges of each industry.
Comply with existing industry-specific frameworks
First and foremost, critical infrastructure needs to abide by existing cybersecurity standards, namely the International Electrotechnical Commission (IEC) 62443 and the NIST Cybersecurity Framework. The former addresses cybersecurity for operational technology (OT) in industrial automation and control systems (IACS). The latter identifies typical system topologies, vulnerabilities and threats to OT business functions and recommends countermeasures to manage associated risks.
Implementing these generic security frameworks on their own, however, often yields more practical dilemmas regarding application due to the varied constraints inherent in each given business. In such circumstances, it’s essential to couple these baseline frameworks with industry specific standards that can comprehensively address the distinct challenges of a given sector.
For example, in the railway sector, CELENEC TS 50701 is a cybersecurity standard that addresses the unique issues specific to the rail and metro industry. Any cybersecurity protection for rail must, therefore, also adhere to this industry specific framework.
Assess organizational risk posture
The second step is evaluating risk position, a process that typically starts with asset discovery and network topology mapping. To fully understand what might be vulnerable and needs to be protected in any given infrastructure, it’s critical to conduct an inventory of all the systems that could be exposed to attack. Because these systems are largely interconnected, a vulnerability in one area could endanger the entire environment — essentially creating a domino effect.
An organization therefore needs to do a wholesale evaluation of their entire environment to determine which connected systems exist, and to accurately ascertain the risk profiles of the individual components and the overall system.
While a bespoke assessment usually comes following a security breach, it can be far more beneficial if done proactively instead of reactively — before any damage is done.
Identifying industry threats to critical infrastructure
While a generic approach to safeguarding critical infrastructure, and especially critical infrastructure operational environments, was once standard practice and largely sufficient for protecting systems of all types and sizes, this is no longer the case. Today, critical infrastructure requires specific strategies that address each of their unique cyber-physical systems (CPS). As accelerated digitalization prompts a convergence of otherwise siloed tech stacks — OT and IT environments — both need to be protected, lest the other remains exposed due to their interconnectivity.
Specific subsectors of U.S. critical infrastructure have varied cybersecurity needs. Rail technology, for example, uses unique protocols, utilizes very specific rail operating and safety principles, is dynamic in nature through coupling and uncoupling, and moves across geographies. For these reasons, generic cybersecurity solutions fall short and fail to address the unique needs of the operations control center (OCC) and security operations center (SOC) personnel. In short, without tailored, industry specific cybersecurity solutions, these unique critical infrastructure networks can remain unacceptably vulnerable.
Work smarter, not harder
When it comes to critical infrastructure, there can be no compromise with cybersecurity. One way to ensure that is to leverage cybersecurity strategies and solutions designed for the specific industry.
What started out as generic Internet of Things (IoT) and OT is now evolving into industry-specific categories addressing medical, maritime, rail and more, and the critical infrastructure field can expect other subcategories to emerge in the coming years. These categories require richer, context-specific asset databases and a greater awareness of industry operations and safety principles to ensure ironclad protection in the cyber realm.
Every hack on critical infrastructure is a good reason to bolster cyber resilience and fine-tune best practices: objectives best achieved by working smarter, not harder using industry knowledge.