May | 2014
There is growing unrest among companies regarding the safety of their sensitive data. The importance of securing sensitive data increases manifold when a company is part of the Critical Infrastructure (CI). A few questions to ponder about existing security measures and architecture: How should data be classified as sensitive? What should be secured, and what level of security is "appropriate" to protect the critical infrastructure without spending millions of dollars protecting "not so critical" infrastructure?
Governments across the world are waking up and taking notice of Critical Infrastructure Protection (CIP) as one of their highest priorities. With growing threats and attacks targeted at critical infrastructure companies, there is an impending need for countries to develop a national critical infrastructure strategy that provides a comprehensive and collaborative approach to enhancing the resiliency of critical infrastructure. This common approach will enable stakeholders to respond collectively to risks and concentrate on safeguarding the most vulnerable areas of CI.
It is recommended that the government and the private sector collaborate to protect a nation’s critical infrastructure. This collaboration calls for the development of trusted partnerships to jointly build regulatory requirements, governance processes, and resilience frameworks based on existing mandates and responsibilities. The figure below explains what the strategy should help achieve.
Similar to IT infrastructure, CI has its share of vulnerabilities, but with a much higher magnitude of impact, and they are difficult to address due to the proprietary nature of the hardware/OS, multi-vendor environments, legacy devices, and lack of documentation. There is also the all-important human factor, which influences the cyber security posture of a CI primarily through lack of awareness and difficulty in understanding the paradigm shift of considering security as a business requirement rather than a non-functional requirement.
There are several security governance and operations issues that attract adversaries to exploit the CI, such as unpatched devices, two-way communications on an air-gapped network, no baseline security configurations, and lack of monitoring and correlation. CIs should streamline their operations, categorize assets, define a risk score and outline an acceptable security posture to handle security threats, risks and vulnerabilities in such a way that there is no deviation.
The CI solution platform should address these issues by mapping the solution to the sector-specific value chain, applying global regulatory requirements, and defining points of vulnerability to address known and unknown threat vectors. Cyber security for critical infrastructure should be broadly developed as per the roadmap shown in the illustration below.
The implications of a CI collapse are huge and need to be looked at from a long-term perspective. Close synergies between the government and the private sector are needed to develop a comprehensive and robust strategy for thwarting impending threats from politically motivated groups, cyber criminals and other such rogues. Steps should be taken to ensure CIP across all layers of the CI architecture, with components addressing business and operational processes, applications, data, communication, network and perimeter for the IT and Operations Technology networks.
What are your views? Do write in.
© 2021 Wipro Limited |