As a follow-up to our presentation at this year’s Defense One Summit, Michael Harttree, my engineering colleague, and I felt there was much more about critical infrastructure in federal agencies that needed to be stated. Not that our presentation was lacking, but looking back, we realize the general agenda focused too heavily on the “what if” and not the “what’s reality” of emerging technologies and trends.
The reality is that federal agencies are facing a clear and persistent threat to their critical infrastructure’s security and reliability. We feel strongly that we can help.
Critical infrastructure within federal agencies
While much of the “critical infrastructure” that we think of – such as pipelines, the electrical grid, and telecommunications – is owned and operated by the private sector, there is critical infrastructure within the federal government. In fact, CISA describes the “Government Facilities Sector” as “one of the largest and most complex” within the broader framework. When you think about the span of government facilities, from sensitive labs and data centers to military installations or “simple” office buildings, this characterization becomes obvious.
The cyberphysical security risks to federal agencies
Critical infrastructure assets are increasingly being incorporated into operational technology networks, and these networks are increasingly becoming internet accessible. There are valid reasons for this trend: it allows remote operations and maintenance and accommodates a decentralized workforce. But because OT devices are often legacy and/or not designed to defend themselves against malicious cyber activities, and because securing them poses challenges across people, processes, and technology, this connectivity introduces significant risk. The NSA and CISA remark that “while the [malicious] behavior may not be technically advanced; it is still a serious threat because the potential impact to critical assets is high.”
Cisco as a technology partner
In our presentation at Defense One Summit and previous blog posts, Michael and I have maintained a sense of cautious optimism. Despite the public alarm on this topic, we feel strongly that these risks can be addressed, and the challenges overcome. There are outstanding resources, both from entities like CISA and from industry partners like Cisco, that can help you get started so that you, too, can share our optimism. Here are several that can add strong value to your journey:
- CISA’s Government Facilities Sector-Specific Plan is a great place to start to understand the risks to your infrastructure and, probably more importantly, how to map cross-sector relationships and dependencies.
- The NSA and CISA released a joint cybersecurity advisory with six recommendations to reduce exposure across all operational technologies and control systems. Of note, one “immediate” recommendation was to create an OT network map. Cisco Cyber Vision will provide this map within minutes of installation.
- Cisco has published several resources, from our Industrial Security Design Guide to a white paper on extending Zero Trust to industrial operations to vertical-specific validated designs, that you can download for free to reference.
- And finally, Cisco Cyber Vision is a lightweight but powerful visibility tool for the OT networks that support much of critical infrastructure. With it, you can take that immediate step of mapping your assets and communications that CISA and the NSA recommend. Download a free evaluation trial now!
I encourage you to check out these resources and leverage your technology partners to implement their recommendations. And if you found this valuable, please reach out to me if you have any comments or would like to begin the discussion of how we at Cisco can help you secure your critical infrastructure.