Are you using the available $1 billion to patch critical infrastructure vulnerabilities?

Critical infrastructure organizations need to use the $1 billion in Department of Homeland Security funding to bolster cybersecurity for critical infrastructure vulnerabilities.

By Wayne Dorris June 10, 2023

Learning Objectives

  • Understand which industries are getting $1 billion in cybersecurity help and why critical infrastructures are at risk for cybersecurity threats.
  • Review vulnerability management best practices and how adapting more robust cybersecurity outweighs cyberattack costs.

Cybersecurity insights

  • Each critical infrastructure industry faces unique compliance challenges and complies with different regulations, and all are prime targets for cybercriminals.
  • Regulations represent the minimum level of security, but going beyond those requirements is a good idea for most businesses because the attackers they face are sophisticated.

The Department of Homeland Security announced distribution of $1 billion to fund critical infrastructure cybersecurity efforts in September 2022. This necessary move toward cybersecurity comes as more industries undergo digital transformation. While the government is taking cybersecurity threats seriously, it is not as simple as throwing money at the problem. Significant challenges in critical infrastructure have led to slow implementation of cybersecurity solutions and best practices.

Which industries are getting this cybersecurity help?

As defined by DHS, critical infrastructure has 16 sectors: chemical; commercial facilities; communications; critical manufacturing (primary metals manufacturing, machinery manufacturing, and electrical equipment, appliance and component manufacturing); dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater.

Because there are so many industries, it is difficult to zero in on one strategy that meets the needs of each sector. Each faces unique compliance challenges and complies with different regulations, but all are prime targets for cybercriminals. As the physical security and cybersecurity worlds continue to converge, organizations need to ensure devices have the necessary solutions in place to address today’s most pressing threats.

Why are critical infrastructures at risk for cybersecurity threats?

Critical infrastructure faces a wide range of cybersecurity threats, from small-time hacker groups seeking a quick payout to nation-states seeking to cause real, lasting damage. Security devices like internet protocol (IP) cameras and other sensors often are used to protect physical locations, but, today, any device connected to an organization’s network represents a potential attacker entry point. This means modern critical infrastructure organizations need to ensure devices used for physical security include a cybersecurity component that meets today’s regulations.

Regulations represent the minimum level of security needed to satisfy government regulators, but going beyond those requirements is a good idea for most businesses. Investment in cybersecurity reduces the overall risk organizations face, and it also can help them be more effective in their business or face down organization-specific threats. Different critical infrastructure industries face a wide range of threats, and they often have a better grasp on how to deal with them than broad, overarching regulations do.

Another sticking point in the push for comprehensive cybersecurity is the struggle between information technology (IT) and operational technology (OT). For cybersecurity to be effective across all systems, IT and OT need to work well together. For the most part, IT and OT have combined at the top level, but they’re struggling to merge everything below it. OT often runs on older infrastructure, which has different requirements and isn’t as easy to update. IT is used to dealing with maybe three or four operating systems, while OT is dealing with thousands, which can necessitate a piecemeal approach to security. What’s more, personnel challenges persist for many organizations, and a lack of IT and security knowledge can hamstring implementation. OT and IT need each other more than ever. This isn’t an issue with a broad fix, and organizations will need to begin a culture shift by asking OT and IT to sit down together and pinpoint what each team does and the source of each team’s issues. The collaborative approach that digital transformation demands starts with common ground, and because of that same transformation, IT and OT may find they share more problems and solutions than previously thought.

Getting IT and OT on the same page cannot wait because cybercriminals aren’t waiting.

Vulnerability management best practices versus cybercriminal exploits

With how rapidly digital transformation has taken hold, many organizations have been slow to adopt good vulnerability management practices. Cybercriminals move much more quickly, and they have been happy to exploit the new vulnerabilities. The SolarWinds attack was a major wake-up call for many in critical infrastructure, and the ability of an attacker to exploit an unseen vulnerability and cause massive disarray has led to new industry regulations mandating increased transparency. Any entity doing business with the government or receiving government funds is required to provide transparency in its software.

Today, responsible developers or device manufacturers are expected to provide a software bill of materials (SBOM), which will explain what is in the software itself and how it’s used. The theory behind this degree of transparency is to allow for vulnerability scanners to do their jobs. A vulnerability scanner cannot detect a vulnerability it doesn’t even know to look for. For this same reason, open-source components are becoming more popular in the security industry. Open-source code has no secrets; any vulnerabilities can be identified and patched.
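The following is an added illustration of the point above, not code from the article or from Axis Communications. It parses a constructed, minimal CycloneDX-style SBOM, matches each listed component against a constructed advisory feed (placeholder identifiers, not real CVEs), and also reports components for which the feed has no data at all, which is exactly the blind spot the text describes: a scanner can only evaluate what the SBOM names and what its feed knows about. The version-ordering rule is a simple assumption for this example and is not a full semantic-versioning implementation.

```python
import json
import re

# Constructed SBOM in CycloneDX-like JSON; component names and versions are example data.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "busybox", "version": "1.35.0"},
    {"type": "library", "name": "libcurl", "version": "7.88.1"}
  ]
}"""

# Constructed advisory feed. "ADV-EXAMPLE-*" are placeholders, not real vulnerability ids.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed_in": "1.1.1l", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "libcurl", "fixed_in": "7.80.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "package": "zlib", "fixed_in": "1.2.12", "severity": "high"},
]


def parse_version(version):
    """Split a version string into comparable tokens.

    Numeric runs become (0, int) and alphabetic runs (1, str), so "1.1.1k" sorts
    before "1.1.1l" and tuples never compare an int against a str. This is an
    assumed, simplified ordering for the example only.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def is_affected(installed, fixed_in):
    """A component is affected when its version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def scan_sbom(sbom_json, advisories):
    """Match SBOM components against advisories and surface coverage gaps.

    Returns a dict with:
      findings: components whose version predates a known fix
      components_without_advisory_data: components the feed says nothing about,
        which the scanner therefore cannot vouch for either way
    """
    sbom = json.loads(sbom_json)
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings = []
    no_data = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        matches = by_package.get(name)
        if not matches:
            no_data.append(name)
            continue
        for adv in matches:
            if is_affected(version, adv["fixed_in"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return {"findings": findings, "components_without_advisory_data": no_data}


if __name__ == "__main__":
    report = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in report["findings"]:
        print(f"{f['severity'].upper():7} {f['component']} {f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']})")
    for name in report["components_without_advisory_data"]:
        print(f"NO DATA {name}: feed has no entry, cannot confirm safe or unsafe")
```

Run as a script it reports openssl as affected, libcurl as clean (its version is newer than the fix), and busybox as having no advisory coverage; the zlib advisory is never consulted because the SBOM lists no zlib, which is why an incomplete SBOM silently hides risk rather than flagging it.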

The government is stepping in to fund cybersecurity improvements, but this comes with the expectation that certain requirements are being met. Department of Homeland Security (DHS) teams conduct assessments for organizations in critical infrastructure, which means most should have a fairly clear idea of priorities. The Cybersecurity and Infrastructure Security Agency (CISA) also publishes a list of guidelines, including recommendations for where critical infrastructure organizations can get the most return on investments. In the past, it was up to organizations to figure out how to meet those recommendations. The government’s new willingness to help fund cybersecurity initiatives has put more effective solutions within reach for organizations that need them.

Adapting more robust cybersecurity outweighs cyberattack costs

With cybersecurity, it is only a question of when, not if, a cybercriminal will get to an organization. Adaptation is not painless, but its cost is outweighed by that of a devastating cyberattack. In the past, the government would provide assessments. With this funding distribution, the means are provided as well. Critical infrastructure organizations no longer have an excuse; they need to invest this new funding in actionable steps to address vulnerabilities.

Wayne Dorris, CISSP, is program manager of cybersecurity, Axis Communications. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology, mhoske@cfemedia.com.

KEYWORDS

DHS, cybersecurity, protecting critical infrastructure

CONSIDER THIS

Are you investing to decrease cybersecurity risks or risking losing your investments?

ONLINE

Wayne Dorris discusses ransomware threats with Industrial Cybersecurity Pulse, a Control Engineering sister publication.
