Guest Author:

Emory Miller

OT/ICS Lead, Cisco U.S. Public Sector
2021 has seen the term “critical infrastructure” rise above the constant noise of our ever-connected world. Perhaps you’ve noticed but aren’t entirely sure what the term means, how it applies to you, or how concerned you should be. If so, it’s time to get up to speed on what it means for your organization. By doing so, you can develop the right strategy to connect and secure our future.

What is critical infrastructure?

In the United States, the term critical infrastructure was codified in 2001 by the Patriot Act. Since then, it has been updated several times. It identifies 16 sectors – both public and private – that the U.S. Government considers vital to our nation. The code states “that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Basically, these are the sectors and services we rely on to live a modern life in the United States. Because these sectors are so broad (the “Government Facilities Sector” encompasses more than 900,000 assets over 85,000+ local governments), there’s a strong chance that you, the reader, work in one of them.

The basic point is that our society relies on a staggering number of inputs to function properly. And it’s not a stretch to argue that our society would face existential challenges if those inputs began to disconnect or disappear. Most of us have experienced temporary disruptions in one of these sectors. This includes the occasional error in checking an online banking statement or a multi-day power outage after a storm. Or perhaps a week-long fuel shortage after, ahem, a cyber incident. But what we haven’t experienced is a persistent event across multiple sectors spanning a broad geographic area; the horrific consequences of such an event make me believe that saying we must “safeguard our present and future” isn’t hyperbole.

Acting with optimism

We all know these attacks are happening and must be stopped. But doing so requires resources. So where is the disconnect between this understanding and action? Part of the disconnect is a misalignment of mission, driven by the “out of sight and out of mind” nature of critical infrastructure. Another part of the disconnect is a sense of “doom and gloom” around the magnitude of the problem. We can’t let that attitude keep us from acting. Here’s why I’m cautiously optimistic, though, about the future of the infrastructure that enables our civilization:

  • As with all widespread problems, the first step toward a solution is simply acknowledging the problem and assessing its magnitude.
  • Years of investment in government and industry have produced solid methodologies (Cisco has made this a focus area) and technology products to counter these attacks.
  • Building on the points above, it’s easier now than in the past to build operational networks securely and to secure legacy networks.

That’s why I believe you should be concerned about the state of our critical infrastructure; but that concern should be countered by a sense of hope.

How to better understand your critical infrastructure

I encourage you to explore your organization to better understand your sphere of influence and your dependencies. You can start by taking action in the following ways.

  • Do you work in a sector deemed critical? Here’s how you can tell. If not, it’s almost certain that your organization depends on other sectors to meet its mission. And in that case, it’s worth mapping out those dependencies to understand how they affect your mission.
  • If you’re in a decision-making position, I strongly encourage you to leverage your technology partners to achieve foundational security as you build the operational technology (OT) networks in critical infrastructure; view this moment as an opportunity to get things right up front rather than repeating the mistakes of the past.
  • Reverse your perspective to that of a bad actor and ask, “why would my organization be targeted?” Performing this thought experiment allows you to better visualize your weaknesses and identify what type of intelligence or actions you need in order to counter them.
  • If you have an existing network, I encourage you to check out this blog post by Michael Harttree titled “Industrial Security: Where to Start?” Mike is my engineering colleague here at Cisco, and in the blog he discusses the immediate steps you can take to put your organization on firmer footing.

Additional resources