Critical Infrastructure Sectors Protection Practices
Millions around the United States rely on critical infrastructure to live safely and securely. Critical infrastructure refers to systems that have major financial, defense, public safety, and health implications. This infrastructure is used to maintain the flow of crucial services, goods, or information; it is typically administered by the federal government or regulated closely in coordination with state governments and business leaders.
Although there are many forms of critical infrastructure, they are all alike in that any disruption could result in health and safety hazards for a large population. Examples include direct contamination or injury due to damage to a chemical plant, and the impact on societal welfare from a data breach affecting financial markets. As the world has become an increasingly networked place, critical infrastructure has come to depend on information technology.
An Overview of Critical Infrastructure
Critical infrastructure may sound like a monolithic term, but it can actually be found distributed throughout all the states and territories of the U.S. in many forms. Some are concentrated in certain areas, while others are distributed more or less evenly. Critical infrastructure sectors that have seen a pronounced focus on information technology include:
Information Technology Sector
Businesses, governments, institutions of learning, and individuals are all deeply dependent upon information technology. Major points of vulnerability within the sector include:
- Developers and distributors of hardware and software
- Network operators
- Providers of virtualized and distributed cloud network functions
Communications Sector
In contrast to the information technology sector, the government designates the communications sector as terrestrial, satellite, and wireless voice systems. It is crucial because it provides the enabling function that allows all other infrastructure sectors to operate and coordinate, and it is closely intertwined with the energy, information technology, financial services, and emergency services sectors.
Energy Sector
The energy sector includes all functions related to electricity, oil, and natural gas, spanning more than 6,400 power plants. Twenty percent of all U.S. energy generation comes from nuclear power, which represents a large concentration of risk in the critical infrastructure network. Outside of these facilities, conventional oil and gas pipelines are also considered highly vulnerable.
Financial Services Sector
Although many sectors of critical infrastructure could exact an enormous human toll if they fall prey to cyber-attacks, a major attack on the financial services sector would have large-scale repercussions almost instantly. More than 18,000 U.S.-based institutions are covered by Federal Deposit Insurance Corporation (FDIC) insurance; there are also more than 18,000 broker-dealers and almost 8,000 private insurers. An attack of this kind could have global repercussions because of the international relationships and partnerships American institutions maintain with others around the world.
Healthcare and Public Health Sector
The ability of the U.S. to respond to bioterrorism attacks, infectious diseases, or natural disasters depends largely on the healthcare and public health sector. The sector provides life-saving services across all other segments of society, yet it is itself dependent on related sectors, such as communications, transportation, emergency services, and energy, in order to function.
Security Best Practices in Critical Infrastructure
Security standards in critical infrastructure are very strict. Even though each sector has its own unique needs, federal agencies such as the Department of Homeland Security have developed best practices that all sectors can hold in common. Among these is a national information security framework built around five core functions:
- Identify: Develop the capacity to manage risk to systems, assets, data, and organizations.
- Protect: Implement the right security safeguards to ensure delivery of critical services.
- Detect: Implement the activities to recognize when a cyber security event has occurred.
- Respond: Have plans in place to take action on, limit, and resolve the detected threats.
- Recover: Restore any services impaired by the event and capture lessons learned.
This framework informs all cyber security practices and platforms within critical infrastructure sectors. The overall goal of the framework is to produce security process maturity within key organizations so that they can efficiently and effectively perform all five core functions.
To help an organization that has no existing personnel, processes, or investments develop security competency, a team of information security experts leads the organization through four tiers of change defined by the National Institute of Standards and Technology. Information security professionals should be prepared to operate within any of the four tiers and consistently perform in ways that foster progress to more advanced tiers.
The four tiers are:
Tier 1: Partial Security Awareness
This tier is characterized by ad hoc security processes that may not be fully documented. Organizations in Tier 1 face disproportionate risk because they may not have formalized key operational processes for evaluating, mitigating, and responding to risk. To reach a baseline level of security consistent with the goals of critical infrastructure enterprises, these processes must be formalized and internal threat awareness developed.
Tier 2: Risk-Informed
In this tier, an individual or team owns information security risk, and major practices, policies, or processes are approved by management. However, awareness of information security threats at the organizational level may remain low, lacking an organization-wide risk mitigation or threat response approach. The organization may have developed rudimentary capabilities for receiving information from external organizations, but has limited capacity to share data.
Tier 3: Repeatable
At this level, formal information security procedures have been adopted and communicated as documented policy. Practices are updated as necessitated by changes in technology or the threat environment. Some level of redundancy helps to ensure a flexible and appropriate response in a crisis. The operational requirements of threat management are distributed throughout the whole enterprise and involved personnel are aware of their responsibilities.
Tier 4: Adaptive
Tier 4 organizations not only have clear, comprehensive policies in place, but manage threats proactively by using lessons learned from previous threat events or predictive indicators established with external organizations. Enterprises at this level have developed clear links for bilateral sharing of threat data with the relevant experts, agencies, and companies in their sector. Their information security processes as a whole are characterized by a proactive, rather than reactive, approach.
No matter what an organization’s level of security process maturity is, it can benefit from implementing leading-edge security best practices such as two-factor authentication, formal decommissioning processes for outdated computer hardware, strong encryption, network endpoint monitoring, patch management, and simulation exercises to test crisis response.
As the nation’s oldest private military college, Norwich University has been a leader in innovative education since 1819. Through its online programs, Norwich delivers relevant and applicable curricula that allow its students to make a positive impact on their places of work and their communities.
At Norwich University, we extend a tradition of values-based education, where structured, disciplined, and rigorous studies create a challenging and rewarding experience. Online programs, such as the Master of Science in Information Security & Assurance, have made our comprehensive curriculum available to more students than ever before.
Norwich University has been designated a Center for Academic Excellence in Cyber Defense Education by the National Security Agency and the Department of Homeland Security. Through your program, you can choose from five concentrations, each designed to provide an in-depth examination of the policies, procedures, and overall structure of an information assurance program.