The Biden administration recently issued a proclamation that designates November as Critical Infrastructure Security and Resilience Month. At a time when the global economy is still suffering from shortages due to severed supply chains and Congress just passed a major infrastructure initiative, the subject couldn’t be any timelier.
The administration’s proclamation highlights one of the most essential elements of this subject: digital infrastructure. From the launch of an initiative to build private sector partnerships on critical infrastructure cybersecurity to the focus on cyber threats alongside physical and climate threats, the U.S. government clearly recognizes that the word “infrastructure” doesn’t just refer to roads, bridges, and power lines. Just months after a massive cyberattack on Colonial Pipeline cut off gas supplies to much of the East Coast, a renewed emphasis on critical infrastructure cybersecurity couldn’t be any more pressing.
Critical infrastructure is one of the few areas where the private sector has an integral role to play in the defense of the country, which is why the administration’s proclamation calls for a “collaborative effort between the Federal Government and our private sector partners to significantly improve the cybersecurity of our critical systems.” Let’s examine a few of the ways companies can contribute to this effort and protect the systems that keep our country running.
Resisting an alarmingly clear trend
As infrastructure networks and systems become more interconnected and digitized, the number of vulnerabilities for threat actors to exploit is rising sharply. Check Point’s ThreatCloud database found that ransomware attacks recently surged by 300% over a nine-month period, while attacks on American utilities spiked by 50% in just two months. An article published by the World Economic Forum reported that over 60% of ransomware attacks “target industries with critical infrastructure, led by healthcare, utilities, and manufacturing.”
Cyberattacks on critical infrastructure have become so pervasive that a bipartisan group of lawmakers recently introduced a bill that would, as The Hill reports, “require federal agencies, government contractors and groups considered critical to national security – such as hospitals, utilities, financial services and information technology groups – to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.” This is yet another reminder that companies and organizations across many industries and sectors are responsible for keeping the country’s critical infrastructure safe. Meanwhile, the recently approved $1.2 trillion infrastructure package includes $1 billion in cybersecurity funding for state and local governments – the largest such investment in history.
But what are the best ways for them to do so? All the emphasis on cybersecurity won’t do much good if there aren’t concrete steps to make systems, networks, and the organizations responsible for overseeing them more resilient. With that in mind, let’s consider a few of the most effective ways to answer the national call to action on infrastructure cybersecurity.
Collaboratively defending our critical infrastructure
It’s difficult to think of many combinations of words that sound more intimidating than “infrastructure cybersecurity,” especially after a sequence of destructive attacks on major companies and the U.S. government. The complexity and scale of infrastructure systems, coupled with the potentially devastating effects if they’re breached, can lead to understandable anxiety among those responsible for preventing cyberattacks. But just as cybercriminals and other threat actors have more resources at their disposal than ever before, there are also plenty of powerful countermeasures to deploy.
The federal government spent $790 million more on cybersecurity in 2020 than in 2019, while Gartner expects global spending on information security and risk management to surpass $150 billion this year – an increase of 12.4% over 2020. With cybersecurity budgets exploding, it’s important to consider the most cost-effective resources available. For example, there’s a reason CISA emphasizes training, which provides participants with the “knowledge and skills needed to implement critical infrastructure security and resilience activities.” As Verizon’s 2021 Data Breach Investigations Report demonstrates, social engineering is the top culprit in breaches, the vast majority of which “involve a human element.” Training is the key to driving those numbers down.
Just as all-too-human mistakes pose a major risk to our critical infrastructure, employees can also be the most powerful guarantors of cybersecurity. As long as cyberattacks continue to rely on social engineering tactics like phishing to infiltrate infrastructure systems, well-trained employees will be on the front lines in the fight to prevent these attacks.
Preparing for an evolving threat landscape
As the cyberthreats to critical infrastructure rapidly evolve, the strategies for countering them will have to keep pace. For example, the shift to remote work has exposed companies to a wide range of new threats. A 2021 report by HP found that 30 percent of employees let someone else use their work device, 69 percent used personal devices for work, and 71 percent accessed company data more frequently when they worked from home. The vast majority of IT professionals say these behaviors make cyberattacks more likely, and 44 percent said they saw compromised devices being used to infect entire organizations over the past year.
A report by the Government Accountability Office (GAO) notes that modern infrastructure is “dependent on information technology systems to carry out operations.” As these systems become more distributed with the shift to remote work (as well as the huge increase in the number of IoT devices in use), organizations responsible for critical infrastructure cybersecurity will have to be more proactive about ensuring that employees are only using authorized devices; refraining from sharing those devices with others; guarding against credential theft with password managers, the use of VPNs, and multi-factor authentication; and consistently adhering to guidelines and requirements around data security and privacy.
Interconnected and digitized infrastructure systems offer countless advantages: real-time data reporting, greater efficiency, faster response times in emergencies, and so on. However, these systems are vulnerable to a wider range of cyberattacks than ever before. The only way to address the profusion of cyberthreats to critical infrastructure is to ensure that employees know what they look like and how to defeat them.