How you can do your part to protect mission-critical assets and services
By Kamil Karmali, Global Commercial Manager, Cybersecurity, Rockwell Automation
The Cybersecurity and Infrastructure Security Agency (CISA) describes critical infrastructure as the essential systems and services that are the foundation of American society. They are so vital to our country that if incapacitated or destroyed, there would be disastrous consequences for public health, physical safety or economic security.
Our critical infrastructure includes highways, connecting bridges and tunnels, railways, utilities like water and electricity, food supply, healthcare infrastructure, buildings and related services, according to the Department of Homeland Security (DHS). Our economic survival and daily lives rely on these vital systems.
CISA was created to bolster cybersecurity and reduce critical infrastructure vulnerabilities in the U.S. CISA works with businesses, communities, and governments to enhance the country’s defenses in key sectors, making them more resilient to cyber and physical threats.
Spotlight on securing our nation’s critical infrastructure
In May 2021, President Biden signed an Executive Order with the goal of improving and modernizing our nation’s cybersecurity posture, especially for critical infrastructure.
The White House fact sheet about the executive order states: “Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments. We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
A few of the ways the Executive Order will strengthen cybersecurity for our nation’s critical infrastructure include:
- Requiring providers to share breach information that could impact Government networks.
- Establishing a Cybersecurity Safety Review Board to analyze cyber incidents and make concrete recommendations for improvement.
- Creating a standardized playbook for cyber incident response so federal departments can take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
Both public and private sector entities are facing alarmingly sophisticated and malicious cyber activity, along with a vast increase in less complex attacks like phishing, which can also be crippling if not detected.
Steps to critical infrastructure cybersecurity protection
Analysts at ARC Advisory Group recently reviewed requirements for securing critical OT systems. Their subsequent report included the following core recommendations for industrial companies:
- Review OT cybersecurity strategies to confirm that the basics are covered and deliver confidence that your organization can address sophisticated attacks. How frequently are installed base inventories assessed, for example? What detection, mitigation and backup/recovery systems are designed? Is cyber awareness training provided to all employees? What physical or product security steps have been implemented at the controller and device levels?
- Confirm that digital transformation efforts include adequate security from the start to reduce risks related to Internet of Things (IoT) devices, cloud services, remote workers, supply chains and third-party systems.
- Consider third parties to fill gaps in cybersecurity expertise. Cybersecurity talent is in notoriously short supply worldwide. It’s imperative to deploy effective infrastructure security solutions quickly and accurately, and consulting firms with this expertise can provide it, saving an enormous amount of wasted effort and cost.
Public and private organizations must move urgently to address and close cybersecurity gaps in critical infrastructure industries.
Grant funding to be made available
Congress passed a bipartisan $1 trillion infrastructure bill in November 2021. Part of the infrastructure bill will provide billions of dollars in funding to CISA, the Environmental Protection Agency (EPA) and the Federal Emergency Management Agency (FEMA). All funding will be used for services and grants that help protect the country’s critical infrastructure services, including at state and local government levels.
For example, there are provisions to help electric grids and water/wastewater systems strengthen their defenses against ransomware and other cyberattacks. Grants also support needed steps in an approved cybersecurity plan submission, like performing vulnerability assessments, malware analysis, or threat detection.
To be eligible for a grant, a cybersecurity plan must be submitted to the DHS for review, detailing technical capabilities and protocols for detecting and responding to cyberattacks. The plan would be required to meet certain baseline standards. (More information will be provided when published.) Rockwell Automation’s cybersecurity assessment and planning protocols, based on the NIST framework for effective cybersecurity with categories of Identify, Protect, Detect, Respond and Recover, would be a logical way to begin.
Critical infrastructure cybersecurity: a civic responsibility
Clearly, it’s time for both governments and private entities to reduce cybersecurity risk in critical infrastructure operations. The only roadblock is delaying action.
About the Author
Kamil Karmali serves as the Global Commercial Manager for the Rockwell Automation Global Services organization. He has more than 15 years of experience in cross-functional team leadership, sales management, talent development and executive consulting in industrial IoT and manufacturing technology.