Critical Infrastructure and Public Protection Strategies: Part 2
By Sean Atkinson, Chief Information Security Officer
Critical infrastructure runs through multiple facets of our daily lives, supporting everything from financial transactions to healthcare services. In this blog post, we’ll examine some of the sectors of critical infrastructure and provide tips to help secure each sector.
Financial Services Sector
Monetary infrastructure is a sector of extreme risk and volatility. It requires us to be cognizant of our own cyber practices. It is these practices that can lead us to divulge information to cyber criminals. This information can cause us to become victims to fraud like losing money or having false tax filing issued against us.
Tip: If you are a victim, own up to it and make sure it is reported. Learn what to do when you're a victim of a sector-specific scam.
Food and Agriculture Sector
As a consumer-based sector, this becomes a risk when certain health claims are made and advertised online or through email. Due diligence is required in this space. This sector has huge risks in social engineering and consumable products. These risks are not in your best interest both from a cybersecurity perspective and also for your physical health.
Tip: Make sure that you are using reputable merchants and that website security safeguards such as HTTPS are in place. This guide will help you be aware of the methods of delivering these scams.
Government Facilities Sector
The government property and facilities sector encompass an enormous number of physical assets. Schools, government buildings, and national monuments are part of this sector. Another major part is elections infrastructure, covered by the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). CIS, home to the EI-ISAC, takes great pride in providing best practices for U.S. government officials to secure the elections infrastructure.
Tip: For the general voting public, specific security protocols and awareness can assist in making sure your information is kept secure. Be cautious of emails and social media posts about voting or re-registering. Any site that requests or demands that you enter information to register or re-register to vote should be considered suspicious.
Healthcare and Public Health Sector
Access to Personal Health Information (PHI) is necessary for healthcare workers to provide quality care to patients. Access to this data must be controlled with specific regard to how it is shared. It must be considered highly confidential and any dissemination of it should be secure and appropriate.
Tip: Data should be shared on a “need to know” basis. When employees distribute healthcare information, they should ensure:
• that they have permission to send the information, and
• that the recipient is aware of their responsibility to ensure confidentiality is maintained once they receive this information.
CIS Control™ 14 and its sub-controls help users understand data management based on the need to know.
Information Technology Sector
The critical sector that defines the 21st century is the internet. Internet access is a great tool, but it is important to remember that those with nefarious intent also have access. It is our responsibility to make sure that such activity is thwarted. Where possible, we should minimize threat surfaces by making systems more difficult for attackers to access.
Tip: One item for consideration is the default account and passwords that are supplied with IoT and networking devices. Once installed, users should change the default setting to a higher level of security. The CIS Benchmarks™ provide excellent guidance for many technologies to help ensure that the default credentials are changed.
Nuclear Reactors, Materials and Waste Sector
This sector has multiple security implications within the space of critical infrastructure. Employee training and preparedness is tested among multiple stakeholder groups to provide assurance and minimize risk. One helpful item that we can take from these types of exercises is to establish a formal incident response plan. Whether for a business, a supply chain, or as an individual, having a step-by-step assessment guide to walk through actions is key. It can help reduce the impact of an incident and minimize its overall detrimental effect on “normal” operations.
Tip: Create a formal guide that is trained and tested, or develop red team exercises that issue alerts. Some response activities may be automatically enabled when certain conditions or thresholds are reached.
For individuals, planning might include monitoring for personal breaches and changing passwords regularly. Make sure to check credit scores and have your financial information at hand to respond to any incident.
Travel and transport are the concerns in this space. Be cautious not only of your surroundings but of the things you are physically carrying with you.
Tip: Keep your devices with you at all times. Make sure that you physically secure the devices. Also secure them logically; apply encryption software to your hard drive as a security precaution. This will maintain the confidentiality of your data. It will also preserve its integrity so it won’t be altered or accessed if it is out of your possession.
Water and Wastewater Systems Sector
The final critical infrastructure area touches water supply systems. There is specific criteria defined by the Environmental Protection Agency (EPA) and cybersecurity guidance provided for states.
This criteria defines initiating a program as the hardest part of minimizing risk and applying appropriate controls. One strong starting point would be the CIS Controls, a prioritized list of security steps that are essential to cyber resilience.
Tip: Personnel may believe they do not have the specialized skills to use cybersecurity controls effectively. This is not the case. Anyone can start with a risk-based approach that takes into account the targets an adversary is most likely to seek. The above URL from the EPA provides a 16-point checklist. When used in combination with the CIS Controls, you can start to build the resilience required to protect our critical infrastructure.
US-Cert Resource - Tips for the Public
Securing our future
Although each critical infrastructure sector has its own unique risks and challenges, many of the technical vulnerabilities are shared. The CIS Benchmarks are configuration guidelines for securing servers, operating systems, software, and more. When applied to a system, the CIS Benchmarks can help reduce cybersecurity risks and protect against attacks.
Check out part 1 of this blog series.