Critical infrastructure faces a myriad of threats, ranging from cyber attacks to human error and natural disasters. Cyber-physical systems (CPS) are mechanisms controlled by computer systems, and may be tightly integrated with the Internet. As such, any critical infrastructure CPS can face additional threats. Because they can affect the physical environment through power, safety controls, switches, and so on, they are attractive targets for cyber criminals.
CPS often contain components with limited processing power and bandwidth, making it harder to continuously monitor them. As a result, regularly updating them and installing security patches to stay on top of ever-evolving cyber threats also becomes more challenging. This is compounded by other factors that don’t often apply to more common technologies:
Patches and updates – No matter how well it was originally made, software needs maintenance. Applying patches and updates might require a system restart, which could have unwanted side effects. Devices within critical infrastructure often need 100% uptime. They may also be expected to operate for decades, which increases the risk that technology becomes outdated or obsolete.
Warranties and certifications – Critical infrastructure often relies on vendors to service custom devices. Guaranteed safe operation is the priority, not necessarily secure operation. As time passes and configurations change, re-certification may also be necessary, which can be time-consuming and expensive.
Remote access – To respond to issues, vendors often require remote access to systems. This provides convenience and cost savings, and can be a simple necessity if the system cannot be physically accessed. Safety is a priority, so security may be overlooked in order to grant vendors or engineers access.
Prototypes and custom configurations – Unique configurations may exist site-by-site, or even side-by-side in some instances. This reduces the likelihood that one solution can be used across the agency, and may even limit the ability to update or repair systems. Again, the focus will often be on safe operation, not secure operation of the equipment.
Steps critical infrastructure can take to protect itself
Agencies – and organizations of all types – should focus on proactively looking for vulnerabilities and sharing threat information. Remember that public and private organizations, vendors, and consumers are all in this together. Critical infrastructure organizations are also required to comply with the NIST Cybersecurity Framework, which outlines the requirements for managing organizational risk.
Accredited ISO 27001 certification will demonstrate that your organization is taking adequate measures to protect the private data it maintains. Achieving ISO 27001 certification by an independent auditing body can be challenging, which is why IT Governance offers the ISO27001 Certified Lead Implementer Online training course. This three-day course will provide you with the skills to implement an ISMS aligned with the international information security standard.