The recent increase in the frequency and impact of cyber-attacks have kept Critical Infrastructure companies on their toes, fearing the worst for their organizations if an attack occurs on their critical infrastructure. A recent news article published by the New York Times states that cyber attacks are on the rise against corporations in the United States, with a particular focus on Energy companies. Reports of an attack similar to the Shamoon – Saudi Aramco attack are expected but the impact of such an attack in the United States would be of a magnitude much greater than Shamoon. These threats have made governments across the world wake up and take notice of Critical Infrastructure Protection as one of their highest priorities.
Why is Infrastructure Critical?
An infrastructure becomes critical when a disruption to this infrastructure results in irreversible and enormous loss (e.g. loss of life, environment etc.). The growing threat of international terrorism led policy makers to reconsider the definition of “infrastructure” in the context of specific non-functional requirements (NFR) of the business. These NFRs included Security, Performance, Availability, Integrity and Confidentiality (SPAIC). Each business has its own definition of SPAIC based on the regulatory requirements and country specific policies.
Critical Infrastructure is always associated with regulatory requirements and key resources who are directly handling the critical infrastructure. As such, any intentional or unintentional disruption to these will have a significant impact on the environment and life.
The following areas are considered to be a part of Critical Infrastructure:
There is an impending need for countries to develop a national critical infrastructure strategy which will provide a comprehensive and collaborative approach to enhance the resiliency of critical infrastructure. This common approach will enable partners to respond collectively to risks and target resources to the most vulnerable areas of critical infrastructure.
Guidelines to Defining a Successful Critical Infrastructure Protection (CIP) Strategy
Industry leaders suggest that the government and the private sector should collaborate to protect a nation’s critical infrastructure. This collaboration calls for the development of trusted partnerships to build regulatory requirements, governance processes, and resilience options jointly based on the existing mandates and responsibilities. The strategy should outline mechanisms to:
1. Create a government owned CIP Forum to share information about potential threats and disruptions through a highly confidential government owned body. Discussions in this forum should:
2. Create guidelines to protect critical assets and information
3. Build country specific risk frameworks for each critical infrastructure with guidelines to define asset criticality
4. Build a RACI (responsibility, accountability, consulted, informed) matrix
The Strategy should:
Actionizing the Strategy for a Safer Future
Level 1: Define Critical Infrastructure and Assets
Level 2: Build Partnerships
Level 3: Risk Management
Level 4: Regulate and Standardize the CIP Security
Cyber Security and Critical Infrastructure
Cyber security for critical infrastructure depends a lot on the sector to which the critical infrastructure belongs. Its objectives are:
Broadly, cyber security can be classified into the following components for all Sectors:
Illustration: Example of Industrial Control Systems Networks
Cyber security is becoming important for critical infrastructure due to the latest technology implementations like IP communications, BYOD policies etc. Similar to IT Infrastructure, Critical Infrastructure has its share of vulnerabilities that can’t be addressed due to the proprietary nature of the OS and hardware. These devices are not regularly patched as the hardware patch release cycle is adhoc or longer than software patches.
This being the problem statement, the critical infrastructure component becomes vulnerable to malwares, advanced persistent threats and service disruption. In general, ICS networks lack features like monitoring, metrics, analytics and intelligence to predict threats. The solution should be capable of handling known problems and zero day vulnerabilities.
Solution for securing Industrial Control Systems Networks
The solution platform should address the issues mapping the solution-to-sector specific value chain, applying global regulatory requirements and defining points of vulnerability to address known and unknown threat vectors.
Cyber Security Solution Roadmap
Cyber security for critical infrastructure should be broadly developed as per the roadmap shown in the illustration below
The level of maturity of a Cyber Security solution for CIP needs to progress through the stages shown in the illustration, gradually making the transformation from Core Security Services to Security Convergence and finally to Integrated Security Solutions – which involve predictive analytics and intelligence spanning business processes and architecture.
The implications of a Critical Infrastructure collapse are huge and need to be looked at from a long-term perspective. Close synergies between the government and the private sector need to be present to develop a comprehensive and robust strategy for thwarting off impending threats from politically motivated groups, cyber criminals and other such rogues. Steps should be taken to ensure CIP across all layers of CI Architecture, with components addressing business and operational processes, applications, data, communication, network and perimeter for IT and Operations Technology Network.
Saritha Auti, Practice Head - Enterprise Security Solutions, Wipro
Saritha has over 17 years of experience in Enterprise Security & Architecture, spanning a wide gamut across product development, application security, systems integration, Enterprise Architecture and security architecture consulting. She heads Enterprise Security Architecture and Industrial Security Practice for Wipro with specific focus on Critical Infrastructure Security. She has devised several security solutions and architecture strategy for Oil & Gas, Telecom, Financial Sectors, Utilities, Defense, and has lead Security Architecture transformation programs. Apart from technology she is an ardent trekker, culture enthusiast and loves connecting with people.