Best practices for securing critical and public infrastructure

The United States government defines the “critical infrastructure” as 16 specific sectors considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security and national public health and/or safety.

The “public infrastructure” is a subset of the critical infrastructure and includes roads, bridges, public transportation and airports, drinking water and wastewater treatment systems, solid waste services and facilities, and other important utilities essential to communities to sustain life and to protect the environment, public health and safety.

Millions of federal, state and local agencies, as well as private and public entities are in the critical infrastructure and range from the one-person support businesses to millions-of-employee organizations. Most communicate in some way with other critical infrastructure entities, but few of them truly coordinate their security activities. The technologies they depend upon range from legacy to newer tools. And all have significant vulnerabilities, making them attractive targets for the threat actors wanting to disrupt society and/or obtain financial gain. 

Hacking and other cybersecurity threats to the critical infrastructure encompass a wide spectrum, including but not limited to, ransomware attacks, nation-state espionage, supply chain vulnerabilities, sophisticated malware, advanced persistent threats (APTs), AI-driven attacks, distributed denial-of-service (DDoS) attacks, phishing schemes and exploitation of vulnerabilities in associated systems. Additionally, there are physical threats and threats created by malicious insiders, and insiders who lack the training and awareness to be able to protect against as many of these threats as possible. Such threats pose significant challenges to national security, economic stability and public safety. 

Due to the significant physical and safety harms involved, organizations need to have additional security controls to ensure all parts of their ecosystems have all the security needed to effectively sustain life, protect the environment and public health and support safety.

All vulnerabilities in any digital ecosystems cannot be entirely eliminated, especially as more vulnerabilities are created daily even as others are eliminated. All threats can never be completely identified prior to their exploitation of the vulnerabilities; however, having a comprehensive security program can greatly assist in identifying and mitigating threats. 

History has demonstrated that these types of programs have long been woefully underfunded, resulting in significant vulnerabilities and putting the public at cyber, physical and safety risks as a result. 

These facts create significant security and privacy challenges to minimizing as many vulnerabilities and threats as possible, while supporting the availability of critical infrastructure resources and services.

Investments in robust, continuous and comprehensive physical, technical and administrative strategies are necessary to eliminate as many vulnerabilities and threats as possible and to mitigate the associated risks to a level that will protect the public from a wide range of harms. How to accomplish this, however, depends upon the digital ecosystem within each organization in the critical infrastructure sectors.

Some of the specific types of controls that are most appropriate to the risk environment of each sector include:

• Administrative controls. These are security controls primarily implemented and executed by people as opposed to technologies and physical mechanisms. Administrative controls include documented and enforced information security and privacy policies as well as associated procedures in each organization’s areas that support meeting the required policy outcomes. It also involves regular security training in addition to ongoing and frequent reminders for actions needed during daily work activities as well as risk management activities, such as performing risk assessments at least annually, and ongoing risk reviews of work areas and personnel activities. 
• Physical controls. These are security controls that provide physical barriers and access controls to protect the components within the information systems, limit physical access to work areas to only those who have a business need to be in those areas, and restricting access to buildings and related equipment to protect them from natural, human and environmental hazards and unauthorized intrusions. Protection in the field, to equipment and components supporting the public infrastructure are especially important to implement and manage on an ongoing basis for public safety. 
• Technical controls. These are security controls for systems, computing devices and associated components that are primarily implemented and executed through mechanisms contained in associated hardware, software and firmware. Software and firmware are increasingly vulnerable from coding errors and lack of supply chain transparency and security assurance, creating many risks, such as the insertion of counterfeit parts into mission critical hardware components, and injection of malicious software code. Also, if vulnerabilities in the supply chain and within any other part of technical security controls are exploited, the consequences can affect everyone using the associated technology or service. Such exploitations within the public infrastructure can be deadly, resulting in such outcomes as poisoned water systems and a loss of energy sources that people depend upon to live.

Entities supporting critical infrastructure components must implement a comprehensive set of administrative, physical and technical tools and practices specific for each associated product and/or service ecosystem. Anything less is not sufficient, and leaves the associated services and products highly vulnerable, putting the full public at risk.