Like IT infrastructure, critical infrastructure (CI) has its share of vulnerabilities, but with a much higher magnitude of impact. They are difficult to address because of the proprietary nature of the hardware/OS, multi-vendor environments, legacy devices, and lack of documentation. There is also the all-important human factor, which influences the cyber security posture of a CI primarily through lack of awareness and difficulty in understanding the paradigm shift of treating security as a business requirement rather than a non-functional requirement.
Several security governance and operations issues attract adversaries to exploit CI, such as unpatched devices, two-way communications on an air-gapped network, no baseline security configurations, and lack of monitoring and correlation. CIs should streamline their operations, categorize assets, define a risk score, and outline an acceptable security posture so that security threats, risks and vulnerabilities are handled without deviation.
The CI solution platform should address these issues by mapping the solution to the sector-specific value chain, applying global regulatory requirements, and defining points of vulnerability to address known and unknown threat vectors. Cyber security for critical infrastructure should be broadly developed as per the roadmap shown in the illustration below.