Is Critical Infrastructure the Next Cyber Battleground?
Integrated risk management is key to securing critical infrastructure
In 2016, the Department of Homeland Security’s Incident Response team investigated 290 incidents covering all 16 designated critical infrastructure sectors, as defined in Presidential Policy Directive 21. Spear phishing led the access vectors, accounting for 26 percent, followed by weak authentication at 15 percent, and network scanning and probing at 12 percent.
Efficient communication and robust data collection, among other benefits, are driving the integration of critical infrastructure (CI) industrial control systems (ICS) with traditional IT environments. Secure CI depends on an integrated risk management program that includes a plan for ICS devices. Traditionally, these devices were protected through network isolation or obscurity (obsolete operating systems that were unattractive to attackers). But today these systems are joining traditional IT devices on the network, leveraging current protocols, standards, and technologies that have known exploits, which leaves organizations and their critical infrastructure exposed.
ICS are among the most challenging devices to update when it comes to security, as going offline for maintenance isn’t an option and archaic operating systems are not updatable. Vulnerabilities are not easily addressed, as common countermeasures often don’t work. The increasing number of ICS-related incidents, including the attack on the Ukrainian Power Grid, underscores the importance of ensuring your integrated risk management plan is inclusive of all critical infrastructure.
Despite the unique nature of ICS devices, risk management and cyber security best practices still apply to them. To build an integrated risk management program for your CI, follow these key steps.
- Define the risk appetite, goals, frameworks, regulations, processes, and metrics for your program.
- Collect data and inventories of systems, users, interconnections, third-party partners, and more.
- Analyze gaps in compliance with your goals, frameworks, and regulations.
- Plan the action for each identified risk – accept, avoid, transfer, or mitigate.
- Remediate known gaps, assigning budget and resources needed.
- Report risk metrics and calculations and overall status for your organization.
- Assess progress toward goals and make timely, informed risk-based decisions.
- Improve where needed for continuous enhancement to your risk posture and compliance status.
TalaTek is a GSA HACS SIN-certified firm experienced in developing and maturing integrated risk management programs. Contact us to learn how we can help your organization apply a sound information security strategy across your environment. Reach us at firstname.lastname@example.org