What Is Critical Infrastructure? Why Does Critical Infrastructure Security Matter?

What Is Critical Infrastructure?

Critical infrastructure includes all of the assets, systems and networks – physical and virtual – that are essential to the proper functioning of a society’s economy, national public health or safety, security, or any combination of the above. Critical infrastructure includes food and agriculture sectors, transportation systems (e.g., roads, railways, highways, airports), water supply (e.g., drinking water, waste water/sewage), internet and mobile networks, public health (e.g., hospitals, ambulances), energy (oil and gas), electric utilities, financial services, telecommunications, defense, and more. Although critical infrastructure is similar across all nations due to basic living needs, the infrastructure considered critical can vary according to a nation’s unique needs, resources and level of development. In the U.S., this physical and cyber infrastructure is typically owned and operated by the private sector, though some is owned by federal, state or local governments. 

Why Does Critical Infrastructure Security Matter?

Critical infrastructure often encompasses industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, which are used to automate industrial processes in critical infrastructure industries. Attacks against SCADA and other industrial control systems are serious concerns. They have the potential to create wide-scale compromise in vital systems, such as transportation, oil and gas supply, electrical grids, water distribution, and wastewater collection. The connections and interdependencies between infrastructure systems and sectors mean that, if one or more functions fail or experiences a blackout, there can be an immediate, negative impact on multiple sectors. In May 2021, cybercriminals breached the Colonial Pipeline Co., which controls nearly half the gasoline, jet fuel and diesel flowing along the East Coast. Using a compromised password, the hackers took down the largest fuel pipeline in the U.S., leading to shortages across the East Coast.

The threat of crippling cyberattacks against industrial control systems has financial implications as well. According to Gartner, in large manufacturing, oil and gas organizations, the average cost of a downtime per minute can be anywhere between $5,000 to $10,000. Cybercriminals have learned they can extract substantial ransoms from their victims, and nation-states can more effectively bully rival countries with demonstrations of their cyberwarfare capabilities. The Colonial Pipeline and JBS USA Holdings Inc. attacks together resulted in $15 million in paid ransom. Not only are attackers increasingly going after critical infrastructure (CI) and operational technology (OT), but also investing more in improving their capabilities to compromise these organizations.

How Governments Are Approaching Defending Vital Systems

Governments and the agencies responsible for critical infrastructure are evolving to meet cyber risks as well as diverse needs for more data for more users – residents, patients, students and contractors – in more places than ever. For example, the recent Colonial Pipeline ransomware attack prompted U.S. President Biden to sign an executive order instructing the U.S. federal government to bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises or hybrid.

“Smart Government” initiatives are driving innovative approaches to how governments can make use of data from more constituents, and smart sensors are changing the way militaries use real-time data from far afield. These realities are driving a new way of operating that must also include new cybersecurity considerations. For example, in 2018 the Australian Signals Directorate (ASD) issued “Strategies to Mitigate Cyber Security Incidents” guidelines to help Australia’s critical infrastructure and other organizations protect the nation’s digital assets. These strategies are born from governments’ observations and experiences while responding to cybersecurity incidents and testing their security posture.

Challenges to Securing Control Systems in Critical Infrastructure

SCADA and industrial control systems have undergone dramatic transformations in recent decades. What once was a collection of isolated, proprietary systems based on serial protocols are now highly interconnected systems that leverage the internet protocol and commercial off-the-shelf solutions to optimize operations and reduce costs. While the business benefits of this integration of information technology (IT) and operational technology (OT) have been many, the modernization has also increased the risk of cyberthreats compromising the availability of the process and well-being of personnel, citizens, economies and the environment. This factor, combined with rising threat and regulatory landscapes, has increased the burden for organizations trying to secure their critical infrastructure. Some of these challenges include:

• Gaining granular visibility over operational network traffic at the application and user levels to validate proper or anomalous use.

• Segmenting networks with sufficient access controls to limit extraneous and internal attack vectors while meeting stringent performance requirements, such as ISA 62443. 

• Protecting unpatched commercial off-the-shelf (COTS) systems from known cyberthreats and reducing downtime due to cyber incidents or patching.

• Preventing advanced cyberattacks, which utilize zero-day methods to disrupt production, compromise information integrity or exfiltrate intellectual property.

• Managing disjointed, distributed network and endpoint security products.

• Securing unmanaged, unsecured IoT and connected devices.

• Complying with regulations such as NERC CIP, TSA Security Directives and NIST CSF as well as efficiently providing information for audits.

• Insuring operations and security of remote outside plant environments with security solutions ruggedized and compliant for a wide range extreme conditions.

To effectively protect today’s SCADA and ICS networks in critical infrastructure, a modernized security approach is necessary. To learn how Palo Alto Networks helps operators of ICS and SCADA systems around the world protect their brands and process control environment operations, download Security Reference Blueprint for Industrial Control Systems.

Recommended reading:

• Security Reference Blueprint for Industrial Control Systems White Paper
• ICS & SCADA
• Palo Alto Networks and Siemens Partner to Protect Critical Infrastructure