The US Critical National Infrastructure (CNI) has experienced a surge of cyber-attacks in the past two years. The Colonial Pipeline incident is a fine example of how far-reaching the impact of these attacks can be. The employees working in these vertical industries are in danger of being targeted by threat actors, and therefore need to stay on top of their game to help prevent any unnecessary disasters.

In the President’s words

Every nation’s CNI is the backbone of society and the national economy. They provide energy to power our homes, schools, hospitals, businesses, and vehicles; maintain our ability to connect, and ensure that we have reliable access to safe drinking water.

“The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation,” reads the Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.  “The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals,” says the Fact Sheet of the Executive Order on Improving the Nation’s Cybersecurity.

To raise awareness on the necessity to defend CNI, President Biden proclaimed November 2021 to be Critical Infrastructure Security and Resilience Month. In his statement, the President highlighted that “The threats against our critical infrastructure are increasingly complex and nuanced, and we all must be prepared to better protect ourselves from malicious actors threatening our cyber and physical security.  That means staying vigilant, investing in new security measures, being prepared to respond to threats, and collaborating more with our partners.”

What is the status of CNI security?

According to a study by Bridewell Consulting, “the vast majority (86%) of critical national infrastructure (CNI) organizations have experienced cyber-attacks on their operational technology (OT) and industrial control systems (ICS) in the past 12 months,” while “nearly a quarter (24%) have experienced more than 5 successful attacks.”

A key factor impacting the security posture of CNI facilities is the long lifecycles of OT systems. According to the Bridewell Consulting report, “a third (34%) rely on systems that are between 11-20 years old, while 79% use systems aged between six-20 years.”

The convergence of IT and OT technology and exposure of legacy OT systems to the internet is expanding the attack surface for CNI organizations. 84% of the survey respondents confirmed that their OT/ICS environments are accessible from corporate networks. Coupled with the increased sophistication of adversaries and the work-from-home trends, it is no wonder why attacks against CNI are growing in volume and impact.

A recent survey by Applied Risk and Ponemon Institute reveals the most common factors that keep the CNI leadership and security teams awake at night.

Figure 1: Image courtesy of Applied Risk.

What about the people factor?

People, processes, and technology are the pillars of any effective security program. However, without empowered people, or lacking people, the security foundation is destined to collapse. Despite the importance of people, CNI organizations admit they face critical shortcomings.

The Bridewell Consulting report indicates that “a third (32%) of CNI organizations have reduced their security budgets since the start of the COVID-19 pandemic, which has led to 85% of IT and security teams feeling growing pressure to improve cybersecurity controls for their OT/ICS environment.”

Under-resourced teams are only one side of the coin. The other challenging side is the lack of skills combined with the increasing responsibilities. In fact, “84% of CNI organizations believe they will be impacted by a critical cyber-skills shortage in the next three to five years.”

The Applied Risk survey findings highlight that lack of understanding of the risk (54%), lack of skilled personnel (51%), and insufficient resources (35%) are among the top pain points that make the management of CNI security difficult. Coupled with the use of unreliable manual processes (51%) and the lack of enabling technologies in the OT networks (59%) it is easy to understand why CNI organizations have become a favorite target of criminals and state adversaries.

Invest in your people

The answer to the above concerns and pain points is an investment. Not just in money or time. CNI organizations need to invest in building processes that are fit for the digital era, and they also need to invest in technology that will enable them to detect, isolate and respond promptly against attacks.

But above all, they need to empower their employees to be on top of security. Upskilling and reskilling your people is the best defense against the sophisticated tactics used by attackers. Criminals are no longer targeting technology, rather they target the people of the enterprise. Phishing attacks and impersonation attacks are the top vectors employed by attackers to find their way into the corporate network.

Bridewell Consulting notes in their recommendations that “Perhaps most worrying is the evident lack of cyber security skills that decision-makers openly admit will become a growing problem in the next five years despite many also stating they have the right skills in place. With lack of knowledge/skills, increase in responsibilities, and burnout identified as the top challenges facing security teams today, organizations will need to invest in improving cyber skills and resources.”

Applied Risk and Ponemon offer the same piece of advice: “More effort will be needed to develop the OT Security skill pool. There is a growing demand for professionals with OT Security skills. These do not all need to be OT Security specialists, but OT Security needs to be embedded in the profiles of managers, engineers, operators, procurement specialists, and others. Workforce development will be one of the most important means of achieving this goal.”

How ITEGRITI can help

ITEGRITI has an excellent, comprehensive set of programs designed to make your employees less likely to be the root cause of any potential incident. We perform background checks, personnel risk assessments (PRAs), provide end-user training, manage and report user training, and more. Our experience is our token of proof.

If you want to learn how ITEGRITI can help you empower your people, contact our experts.