Sector-Specific Cybersecurity for Critical Infrastructure



As cyberattacks grow in scale and damage, protecting critical infrastructure becomes more important every day. Specifics are key in building a cybersecurity strategy, and different sectors must mitigate different risks. In today’s blog, we’ll discuss best practices for different critical infrastructure sectors.

Critical Infrastructure at a Glance

Critical infrastructure is defined as the physical and cyber systems that are so essential to the nation that their incapacity or destruction would have devastating effects on the country’s operations, national security, and public health & safety. Cybersecurity for critical infrastructure is imperative for securing the essential services needed to run the nation. Attacks on these facilities and networks could have long-lasting, devastating effects.

 

CISA defines the 16 critical infrastructure sectors as:

  • Chemical
  • Transportation systems
  • Energy
  • Government facilities
  • Commercial facilities
  • Critical manufacturing
  • Emergency Services
  • Communications
  • Dams
  • Defense Industrial Base
  • Financial Services
  • Information Technology
  • Healthcare and Public Health
  • Nuclear Reactors, Materials, & Waste
  • Water and Wastewater Systems
  • Food and Agriculture

Sector-Specific Cybersecurity

Specifics are key for building an effective cybersecurity posture, and this is especially true for critical infrastructure. Each sector is different, and although many are interdependent, each sector’s differences must be taken into account in its cybersecurity. The Cybersecurity & Infrastructure Security Agency (CISA) announced this November’s theme as “Critical Infrastructure Security and Resilience: Build it In.”

The goal is to encourage all audiences to understand the importance of infrastructure security and resilience and build it into our infrastructure from initial design stages to implementation.

 

For this blog, we will focus on the sector-specific cybersecurity risks for the following sectors and on best practices for mitigating them:

 

  • Water & Wastewater Systems
  • Commercial Facilities
  • Food & Agriculture
  • Critical Manufacturing

Critical Manufacturing

The critical manufacturing sector is composed of manufacturers whose products are essential for the economy and for the continuity of the other critical infrastructure sectors. Examples include transportation equipment, machinery, primary metals manufacturing, and electrical equipment, appliance, and component manufacturing.

This sector is typically a favored target for Industrial Control Systems (ICS) attacks, ransomware, and various other malware attacks. In an ICS attack, an outside entity attempts to gain remote access to the facility’s control systems, such as PLCs, SCADA, HMIs, workstations, and servers. This can also extend to the facility’s HVAC, parking garage systems, Building Management Systems (BMS), and more. To mitigate this risk, facility leaders should invest in a real-time threat detection and monitoring platform for the facility. This is also a best practice for mitigating ransomware and malware risk.

 

Critical manufacturers are also susceptible to supply chain risks. Supply chains are vast networks of vendors, partners, suppliers, and distributors. When sharing critical information and networks with these third parties, any vulnerabilities or attacks in the supply chain can have a domino effect on the other parties in the chain. Critical manufacturers can mitigate these risks in a number of ways:

  • Creating a supply chain risk management plan
  • Drafting security clauses for current and potential partners to adhere to
  • Investing in a cybersecurity platform that offers supply chain security management

 

The Department of Homeland Security is the designated Sector Risk Management Agency for this sector.

Water & Wastewater Systems

Water and wastewater systems are a vast interconnected network that is absolutely critical for the nation.

This sector’s risks include ransomware and various other malware attacks, Industrial Control Systems (ICS) attacks, and aging, outdated infrastructure and systems. Aging infrastructure and legacy systems can be difficult to secure, as aging infrastructure can be expensive and time-consuming to upgrade, and some legacy systems lack the ability for internet connectivity. ICS attacks are typically carried out by an outside entity attempting to gain remote access through various methods, often a Remote Access Trojan (RAT).

RATs are a form of malware that gives an outsider administrative control over a targeted network and/or device. Leaders in this sector should invest in risk assessments to determine the current risks to their facility. An effective way to secure aging infrastructure is investing in a threat intelligence platform to monitor and protect the facility’s ICS and legacy systems. 

The Environmental Protection Agency is designated as the Sector Risk Management Agency for this sector.

Commercial Facilities

The commercial facilities sector encompasses a wide range of open public access facilities used for public recreation, shopping, business, lounging, and entertainment. 

Common risks to this sector are supply chain risks and risks to the Building Management Systems (BMS) in newer facilities. BMS are computer-based systems that monitor and control mechanical and electrical systems within the building, including parking garages, HVAC, electric entryways and exits, security systems, and much more. To mitigate BMS risk, leaders should invest in network intrusion detection solutions. Attackers will attempt to gain remote access to the BMS, often via a Remote Access Trojan (RAT). Enhanced visibility into the network is key to mitigating this risk.

The Department of Homeland Security is designated as the Sector Risk Management Agency for the Commercial Facilities Sector.


Food & Agriculture

The food & agriculture sector is comprised of the nation’s farms, restaurants, and food manufacturing, production, distribution, and suppliers. This sector has a strong interdependence with multiple other critical infrastructure sectors.

Companies in the food & agriculture sector are susceptible to (and often a favored target for) supply chain risks from third parties. Here are a few ways these risks can be mitigated:

  • Creating a supply chain risk management plan
  • Drafting security clauses for current and potential partners to adhere to
  • Investing in a cybersecurity platform that offers supply chain security management
 

It’s important to note that many supply chain attacks are carried out through ransomware and various malware attacks. A best practice for this sector for overall cybersecurity is a threat intelligence platform.

The Department of Agriculture and the Department of Health and Human Services are designated as the co-Sector Risk Management Agencies for this sector.

Shared Risks

As seen above, ransomware is a risk shared by all the critical infrastructure sectors. Another shared risk among all the sectors is social engineering attacks. Human error has been identified as the leading cause of most known cyberattacks and is a favored vulnerability for outside attacks in critical infrastructure. 

Employee cybersecurity training and education are key in reducing the risks of human error. Noncompliance is another shared risk between the sectors. Devices and systems that are not in compliance and/or are not updated are a major vulnerability, especially for well-known critical infrastructure companies, since these companies tend to use more well-known and trusted systems for operations. For example, a larger company may use Windows operating systems. If there’s a vulnerability in non-updated versions of the OS, it is much more likely to be popularized on the internet, where malicious entities can see and exploit it.

Leaders should research the industry, local, and federal government compliance standards that apply to them, document current compliance levels, and create a compliance management plan. Compliance management software or a third-party service can also be used.

Conclusion

It’s clear that critical infrastructure cybersecurity cannot be ignored. These critical systems and networks must be protected to uphold the nation’s important industries. Building cybersecurity into early design stages is the best way to ensure overall preparedness, but there is a multitude of ways to add cybersecurity long after implementation.
