Cybersecurity for critical infrastructure protection

Cyber risk concerns around critical infrastructure

​Cyberattacks on critical infrastructure have grown increasingly sophisticated—and effective. For financial, political, or military gain, recent attacks were responsible for shutting down Ukraine’s power grid, “self-destruction” of centrifuges in a uranium-enrichment plant in Iran, holding a Los Angeles hospital’s medical records for ransom, and infiltration of email and fare-collecting systems for San Francisco public transit.

To date, damages have been limited to financial loss, inconvenience, and negative publicity, but cyberattacks on critical infrastructure clearly have the potential to pose serious problems, from service disruption to physical threat to human lives.

Back to top

State critical infrastructure protection should address cyber threats

States have cybersecurity programs focused on citizen data protection and often separate programs to protect critical infrastructure. Cybersecurity specifically for critical infrastructure is a missing piece that poses an increasingly urgent risk.

Cyberattacks present unique challenges:

• Cyber threats lack distinct borders.
• The tactics and technologies are constantly evolving.
• Both public and private sector entities manage critical infrastructure at risk for cyberattack, requiring a coordinated effort and information-sharing processes that currently do not formally exist in many states.

As guardians of public safety, state leaders are expected to identify, protect, detect, respond, and recover swiftly and effectively from any attack on critical infrastructure to reduce damage and restore security. Currently, most critical infrastructure protection programs only address physical threats, leaving states vulnerable to cyber threats ranging from service disruption to public safety concerns.

States need to expand their risk mindset to include cyber risks and lead a statewide, public-private collaboration focused on sharing information, raising awareness of roles that all groups involved should play, and establishing a unified response to cyberattacks on critical infrastructure.

Building an effective program will require time, commitment, and close cooperation between public and private entities, as well as interstate and federal agencies, including:

• Leadership support at the highest level of state government to secure funding and broad engagement; ideally, sponsored and driven by the Governor’s office
• State-led coordination of public and private entities, including developing a framework approach for guiding practices to establish open communications, leverage strengths, define roles and responsibilities, fill skills and resource gaps, and help teams work together effectively to deter, detect, and initiate an effective response to cyberattacks. This can also help identify commonalities across critical infrastructure components. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Core Elements can be leveraged as a guide for looking at the critical elements (www.nist.gov/cyberframework/csf-reference-tool).
• A state agency serving as an information-sharing engine for all entities involved and providing access to services that specifically support a strengthened cybersecurity posture for critical infrastructure
• Ongoing cooperation between diverse, dispersed groups, including many that have not worked together in the past: IT cybersecurity specialists dedicated to individual state agencies; emergency management and law enforcement teams responsible for on-the-ground response to critical infrastructure emergencies; private sector cybersecurity and disaster response teams; and other entities responsible for securing critical infrastructure
• Utilization and coordination with federal partners such as Department of Homeland Security (DHS) Physical Security Advisors, DHS Cybersecurity Advisors, and liaisons from cybersecurity agencies such as the National Cybersecurity and Communication Integration Center
• A point of contact within the state tasked with contributing to existing federal databases and leveraging existing information to conduct more well-informed risk assessments on critical infrastructure in the state

Back to top

New mindset for managing critical infrastructure cybersecurity

With cyberattacks on critical infrastructure of increasing concern and rising severity, states need to view hiring and training of cybersecurity resources through a new lens. In addition to technical skills, an effective program will require leaders who can encourage strong public-private collaboration and open information exchange.

In particular, private sector entities should be able to share sensitive information about potential vulnerabilities around their ability to protect critical infrastructure without fear of reprisal or concern that the information will be made public. New skill combinations will also be essential.

Cybersecurity specialists and teams responsible for critical infrastructure will need to consult with each other and expand their skillsets to develop a complete, accurate picture of vulnerabilities, issue severity, and possible impacts. For example, to accurately reflect risk exposure and protect the power grid from cyberattack, states will need combined expertise in cyber and the cascading impacts of destabilizing the physical power stations.

An effective program will require a team with the skills to establish:

• Strong relationships with private sector and federal partners 
• Well-defined roles and responsibilities and consistent and informed communications
• Mechanisms to present and receive feedback, raise awareness, support information exchange, and promote action
• Cybersecurity risk analysis and prioritization in the event of a disruption of service or physical harm to citizens
• An operational plan to share and maintain cybersecurity information
• Training and coordination for multi-disciplined response teams—search and rescue, emergency medical support, IT cybersecurity specialists, as well as leaders in the public and private sectors
• Initial and ongoing requirements for equipment and software

Each state will need to assess existing resources and begin training to fill skill and information gaps.

Back to top

Getting started: Understanding the state of your state

Building a cybersecurity critical infrastructure program takes time, careful planning, and ongoing support from the state’s governor, state and federal agencies, and public and private entities overseeing critical infrastructure. The first step is helping key players in government understand the severity, urgency, and potential impacts of the issue and the need to take immediate action.

From there, the process is about assessing potential exposure.

• Are the right people aware that this is an issue?
• Who is responsible for managing the risk?
• Do we know our attack footprint?
• What are we doing to address the issue and manage it going forward?

Once a basic understanding of potential exposure is developed, states can begin to move forward on a plan for bringing the right people and skills together to build a successful program.

Back to top

What's next?

State leaders are best positioned to understand critical infrastructure risks within their state and develop programs to help mitigate and respond effectively to the wide variety of cyber threats they might face. However, to be successful, states will need to cultivate the skills, culture, and mindset for public-private collaboration on critical infrastructure protection programs that cover cybersecurity effectively.

Back to top

Defining critical infrastructure

​The US Department of Homeland Security defines critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”¹

Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, identifies 16 critical infrastructure sectors.²

State cybersecurity programs should reflect the specific vulnerabilities of any critical infrastructure the state relies on for public health, safety, and prosperity.

¹ US Department of Homeland Security, “What is Critical Infrastructure?” Last published October 14, 2016, https://www.dhs.gov/what-critical-infrastructure.

² The White House, Presidential Policy Directive 21 (PPD-21), “Presidential Policy Directive—Critical Infrastructure Security and Resilience,” February 12, 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

Back to top

Cybersecurity in the news

Increasingly sophisticated cyberattacks on critical infrastructure have placed governments worldwide on high alert. Some of the more noteworthy attacks:

SF’s transit hack could’ve been way worse—and cities must prepare
Source: Wired | November 28, 2016

Cyberattack on Ukraine power grid
Source: Wired | March 3, 2016

Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating
Source: LA Times | February 18, 2016

The real story of Stuxnet
Source: IEEE Spectrum | February 26, 2013

Back to top

Further reading

Executive order expected on cybersecurity: Jose Pagliery, “Big changes in Trump's cybersecurity executive order,” CNN, January 31, 2017.

Time Person of the Year 2016 No. 3: The Hackers. Matt Vella, “They made vulnerability the new normal and took aim at democracy itself,” Time magazine.

Department of Homeland Security 2013 report on improving cybersecurity for critical infrastructure.

National Institute of Standards and Technology (NIST) framework for improving cybersecurity for critical infrastructure.

Back to top