The Cybersecurity and Infrastructure Security Agency (CISA) defines Critical Infrastructure as the essential systems and services that are the foundation of American society. They are so vital to our country that if incapacitated or destroyed, there would be disastrous consequences for public health, safety and economic security.
Our Critical Infrastructure includes highways, connecting bridges and tunnels, railways, utilities like water and electricity, food supply, healthcare infrastructure, buildings and related services, according to the Department of Homeland Security (DHS). Our economic survival and daily lives rely on these vital systems.
CISA was created to reduce cybersecurity and Critical Infrastructure vulnerabilities in the U.S. The organization works with businesses, communities and governments to bolster the country’s defenses in key sectors, making them more resilient to cyber and physical threats.
Spotlight on securing our nation’s Critical Infrastructure
In the first half of 2021, President Biden signed an Executive Order with the goal of improving and modernizing our nation’s cybersecurity posture, especially in Critical Infrastructure industries.
Both public and private sector entities are facing alarmingly sophisticated and malicious cyber activity along with a vast increase in less complex attacks like phishing which also can be crippling if not detected.
The White House fact sheet about the executive order states: “Much of our domestic Critical Infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
A few of the ways the Executive Order will strengthen cybersecurity for our nation’s Critical Infrastructure include:
- Requiring providers to share breach information that could impact Government networks.
- Establishing a Cybersecurity Safety Review Board to analyze cyber incidents and make concrete recommendations for improvement.
- Creating a standardized playbook for cyber incident response so federal departments can take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
Steps to Critical Infrastructure cybersecurity protection
Analyst firm ARC Advisory Group recently reviewed requirements for securing critical OT systems. Their subsequent report included the following core recommendations for industrial companies:
- Review OT cybersecurity strategies to confirm that the basics are covered and deliver confidence that your organization can address sophisticated attacks. How frequently are installed base inventories assessed, for example? What detection, mitigation and backup/recovery systems are designed?
- Is cyber awareness training provided to all employees? What physical or product security steps have been implemented at the controller and device levels?
- Confirm that digital transformation efforts include adequate security from the start to reduce risks related to Internet of Things (IoT) devices, cloud services, remote workers, supply chains and third-party systems. Consider third parties to fill gaps in cybersecurity expertise. Cybersecurity talent is in notoriously short supply worldwide. It’s imperative to deploy effective infrastructure security solutions quickly and accurately and consulting firms with this expertise can provide expertise, saving an enormous amount of wasted effort and cost.
Cybersecurity gaps in Critical Infrastructure industries must be closed and many public and private organizations must address these issues with urgency.
Grant funding to be made available
Congress passed a bipartisan $1 trillion infrastructure bill in November 2021. Part of the infrastructure bill will provide billions of dollars in funding to CISA, the Environmental Protection Agency (EPA) and the Federal Emergency Management Agency (FEMA). All funding will be used for services and grants that help protect the country's Critical Infrastructure services, including at state and local government levels.
For example, there are provisions to assist electric grids and water/wastewater systems in strengthening their defenses against ransomware and other cyberattacks. Grants also support needed steps in an approved cybersecurity plan submission, like performing vulnerability assessments, malware analysis, or threat detection.
To be eligible for a grant, a cybersecurity plan must be submitted to the DHS for review, detailing technical capabilities and protocols for detecting and responding to cyberattacks. The plan would be required to meet certain baseline standards. (More information will be provided when published). Rockwell Automation’s cybersecurity assessment and planning protocols, based on the NIST framework for effective cybersecurity with categories of Identify, Protect, Detect, Respond and Recover, would be a logical way to begin.
Critical Infrastructure cybersecurity: a civic responsibility
Clearly, it’s time for both governments and private entities to reduce cybersecurity risk in Critical Infrastructure operations. The only roadblock is delaying action.
Rockwell Automation is committed to assisting Critical Infrastructure industries in achieving grant funding through the Infrastructure Investment and Jobs Act. Learn more about steps you can take today to be ready to apply.