The Colonial Pipeline attack is the latest reminder that critical infrastructure needs stronger protection. The problem isn’t the lack of available cybersecurity solutions. It’s the opposite. With so many solutions available, deciding which ones will provide the most value can be overwhelming. It’s a similar feeling to how we felt as children in a toy store, while clutching our pocket money.

For basic protections, here are three actions that every critical infrastructure provider should take immediately.

Step 1 – Keep unauthorized people out

Numerous attacks on critical infrastructure can be traced back to a poorly managed user account. Maybe an employee or contractor jotted down login credentials for a rarely used account on a post-it. While that’s a violation of security policy, it happens all the time. If you don’t use multi-factor authentication (MFA), anyone who finds the post-it in a coffee shop can log in.

To prevent that scenario, start by creating a central directory (Active Directory or LDAP). Add an account for everyone and everything (camera, meter, etc.) that’s allowed to connect to the IT or industrial network. Then require MFA for every internet access attempt—a one-time code sent via email or SMS in addition to the login. Adopting MFA is relatively simple with the Cisco Duo cloud service because it doesn’t require any hardware or software. Duo also checks that devices like laptops or phones comply with your security policy before allowing them to connect.

Step 2 – Know who and what is on your network at all times

Do you know every asset that’s connected to your OT and IT networks? About half of the companies we talk to don’t. That’s a problem because you can’t protect what you’re not aware of. If you do know, how long before you find out that something foreign has connected—say, an unauthorized sniffer or access point? And can you see who has accessed which files and systems?

To automatically discover every asset connected to your OT network, use Cisco Cyber Vision. It also monitors industrial communications to detect abnormal behavior and raise alerts. To know what’s on your IT network, use Cisco Stealthwatch or Cisco DNA Center. To see who is moving what files to which systems, use Stealthwatch, and to analyze file trajectories, use FMC. In an earlier job, I managed security for product designs. If we had tools back then like we have now, we could have prevented a theft of intellectual property more effectively and with a less effort.

Step 3 – Minimize the blast radius by segmenting the network

When malware does sneak through the defenses, segmenting the network keeps the threat from spreading to other segments. The smaller the segment, the less the damage. The most basic step is to segment the industrial network from the IT network, by having an Industrial DMZ. Better, segment the industrial network into “zones” containing only assets that need to communicate with each other, using Cisco Secure Firewall ISA3000.  Eventually, you can make each device its own segment using Cisco Identity Services Engine (ISE) and our industrial ethernet switches. That’s the gold standard because you can build rules to strictly control which devices can communicate, under what circumstances.

Act before attackers do

The three steps I’ve outlined—access controls, visibility, and segmentation—go a long way towards securing critical infrastructure. They’re like the basic food groups. After that you can go back to the toy store to make cybersecurity continually stronger.

For more on securing critical infrastructure, check out these resources:

To get the latest industry news on IoT Security delivered straight to your inbox, subscribe to the Cisco IoT Security Newsletter.


Ruben Lobo

Director, Product Management

Cisco Industrial IoT