Critical Infrastructure and Public Protection Strategies: Part 1
By Sean Atkinson, Chief Information Security Officer
The Department of Homeland Security (DHS) has defined 16 critical infrastructure sectors in the U.S. IT professionals can utilize best practices to contribute to the overall safety and security of these sectors. Threat analysis should consider the likelihood of a particular group or categorization of cyber adversary.
Once defined, the tactics, techniques, and procedures used by such adversaries are the areas that need to be guarded against. But it doesn’t stop there. Even after the most likely adversary is identified, the process should be to utilize best practices to eliminate the threat posed by any threat actor.
Resilience and good cyber hygiene can protect our values, industries, and services. Here are some tips that can be used by both those who work in critical infrastructure and the public.
Manufacturers and private owners should be applying cybersecurity best practices to their information systems and industrial control systems. Awareness of the threat and the interdependency of the supply chain of critical services that are supporting other critical services is key.
Tip: “See something, say something.” If something seems out of place or suspicious, use caution and good judgment.
Commercial Facilities Sector
This critical infrastructure component has eight subsections and ranges from most hotels to retail to media. Media includes music, movies, and other forms of electronic content. Do not engage in piracy or obtain IP that is not purchased through reputable retailers. Downloading from nefarious websites is a major vector for infecting your systems as well as contributing to illegal activity.
Tip: Be aware of potential threats on point-of-sale systems. Card readers implanted on legitimate devices can compromise credit card information. Make sure that the card reader is sturdy and nothing is stuck over the top. In some cases, entire units are placed on top of ATMs, retail card readers, and gas pumps to help keep them safe.
Communications Sector
Wired, wireless, and satellite communications are more than just an underpinning of modern life. They are the “enabling function” across most other sectors. Use access to the internet judiciously.
Tip: Keep your machine “clean” with current patches and updated anti-malware software. Making your machine secure helps make sure nefarious programs are not utilizing this resource to exhaustion.
Critical Manufacturing Sector
This sector is reliant on many others, including transportation, energy, and information technology. The underlying risk is that any one disruption will have ripple effects across other infrastructure areas. Make sure that you only use corporate assets for corporate business. Plugging unknown devices into a company machine can have severe consequences across corporate and third-party networks that are connected to that infrastructure.
Tip: Easily stop malware infection by forbidding the use of personal USBs plugged into corporate assets.
Dams Sector
The private and public infrastructure of U.S. dams has obvious ties to energy and water infrastructures. Remember, systems are interconnected. Use each system for the specific purpose for which it is intended. For example, make sure that passwords and access to government portals and underlying subsystem control interfaces are protected.
Tip: Don’t utilize the same password across your personal and business accounts. If you do, and the password is compromised by a public portal, it can be used to access a private business portal. The attacker could gain access to more than just your email account. Based on your role within the organization, the hacker could have compromised the methods to affect the dam, its controls, and the safeguards of those who could be at potential risk.
Defense Industrial Base Sector
By the nature of this sector, the level of control and security protocols should prohibit any public influence. However, we can take a conservative, pessimistic mindset in terms of how we use technology.
Tip: Think about ways in which you can be a good cyber citizen. Opening an email that looks enticing can have detrimental consequences. Vigilance is required from all who utilize internet-connected technologies.
Emergency Services Sector
Society is shifting to use social media as a method for emergency communications. Social media can be used for updates, alerts, and emergency warnings. The public responsibility is to utilize these technologies and updates judiciously. Remember, if it is on the internet, it is public. You have to guard your level of privacy. See DHS' Emergency Services Sector Cybersecurity Best Practices.
Tip: Although what to share online is a personal decision, be cautious. When we overshare we may be putting ourselves or others in jeopardy. Think before you post. “How can this information be used for harm?”
Energy Sector
This sector is an underlying operational requirement for most other critical infrastructure. The energy industry carries specific risks, and controls must be put into place in order to build resilience to a cyber-attack. One of the most important pieces is to approach cybersecurity training with an emphasis on understanding.
Tip: Make sure that you apply the rules to your everyday work practice rather than treating them as just another “training” that you already know. Speak up if you have ideas or recommendations on making training more accessible or aligned with your work stream.
Protecting our daily lives
From Critical Manufacturing to Emergency Services, people around the country rely on critical infrastructure for daily tasks like going to work and communicating with friends and family. All of us can take steps to reduce the risks to these essential systems and services. One way to learn more is by downloading the CIS Controls – free, prioritized cybersecurity guidance that helps organizations around the world improve their security posture.
Check out part 2 of this blog series.