A New Day for Critical Infrastructure Security & Resilience

It’s a new Day for National Critical Infrastructure Security and Resilience.  While November is recognized as the month focused on this issue in the U.S., for some time, digital transformation has widened the aperture of our lens dramatically.

This year, led by the new Department of Homeland Security (DHS) Critical Infrastructure and Security Agency (CISA), the public and private sector are zooming in on collaborative resilience.  The accelerated convergence of information technology with operational technology running our Critical Infrastructure demands this new joint approach.

As CISA noted in its National Critical Functions, newly defined this year, “goods, people and utilities move in, out, and across the United States through distribution functions. Effective, safe, efficient, lawful, and responsive management drives our way of life, our economy, and the cohesion of our society.” Given such reliance on a dynamic global ecosystem, we must clearly identify our most trusted insiders and our most dangerous adversaries and build resilience accordingly. I believe DHS’ designation of National Critical Functions is a major step forward toward this resiliency approach.  I encourage readers to review the Interim Report recently issued by the DHS Information and Communications Technology Supply Chain Risk Management Task Force.

We must shift both our thinking and practice to effectively build resiliency and security into our critical infrastructure. Security must be approached from a layered perspective to address operational, cyber and physical risks together. Omitting any one of these important layer’s leaves glaring gaps in the security posture of our infrastructure.

Let’s explore a few fundamental building blocks:

While Access Management has traditionally been applied to IT systems, it is also uniquely applicable to any number of Critical Infrastructure aspects, such as its creation, operation and use.  Mapping who needs access to what and when is how we start.  The basics include:

  • Structuring teams and their respective access based on role
  • Ensuring that least privilege is applied, limiting access to the least amount of resources necessary to get the job done for a specific role
  • Applying that least privilege not just to information access, but also to physical access, operational control and authority. E.g. in a manufacturing plant, a camera sensor should not be allowed to control a robot outside of the camera sensor’s purview.

Verified Identity is essential to successful access management. After all, if we are granting access to the wrong person, tool or operation, we have failed. Methods for validation can range from passwords/passphrases, to electronic key cards to biometric identifiers. Methods should be deployed based on risk, e.g. an individual’s role and the operation to be undertaken.

Segmentation ensures that if one part of a network goes down, users can readily switch to another that is still functional, minimizing the failure’s impact. This concept, often used in minimizing information technology network disruption, should also be part of our infrastructure resiliency planning.  Consider these basic steps:

  • Establish a baseline of device configurations as a foundation
  • Start your systems segmentation with basic categories such as enterprise, plant and process
  • Once you have locked down your segments, identify the key connections which are essential to each function. Then comes the fun part: map your actual connections against your list of key connections needed. And then simplify, simplify, simplify.

Third Party Risk Management becomes even more essential in today’s distributed Critical Infrastructure environments. Critical Infrastructure relies upon, in part:

  • Third party cloud platforms digitally enabling operations controls, data storage and workflows
  • Consultants performing data mining and analytics
  • Equipment component suppliers
  • Service providers working onsite to install or maintain equipment

All these third parties impact the success or failure of the security and resiliency of the Infrastructure in which they play a role.

These basic building blocks, which must be deployed by all of us, are essential to operational success.  Resilient and increasingly secure Critical Infrastructure and services can only be achieved when we work together.

Additional Resources:

Critical Infrastructure Protection

Value Chain Security

The Trust Center