{"id":3107,"date":"2022-01-10T07:51:57","date_gmt":"2022-01-10T07:51:57","guid":{"rendered":"https:\/\/itegriti.com\/staging\/?p=3107"},"modified":"2022-01-11T12:33:25","modified_gmt":"2022-01-11T12:33:25","slug":"working-with-cni-requires-your-employees-to-be-on-top-of-security","status":"publish","type":"post","link":"https:\/\/itegriti.com\/staging\/2022\/managed-services\/working-with-cni-requires-your-employees-to-be-on-top-of-security\/","title":{"rendered":"Working With CNI Requires Your Employees to Be on Top of Security"},"content":{"rendered":"<p>[fusion_builder_container hundred_percent=&#8221;no&#8221; hundred_percent_height=&#8221;no&#8221; hundred_percent_height_scroll=&#8221;no&#8221; hundred_percent_height_center_content=&#8221;yes&#8221; equal_height_columns=&#8221;no&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; status=&#8221;published&#8221; background_position=&#8221;center center&#8221; background_repeat=&#8221;no-repeat&#8221; fade=&#8221;no&#8221; background_parallax=&#8221;none&#8221; enable_mobile=&#8221;no&#8221; parallax_speed=&#8221;0.3&#8243; video_aspect_ratio=&#8221;16:9&#8243; video_loop=&#8221;yes&#8221; video_mute=&#8221;yes&#8221; border_style=&#8221;solid&#8221; type=&#8221;legacy&#8221; admin_toggled=&#8221;no&#8221;][fusion_builder_row][fusion_builder_column type=&#8221;1_1&#8243; layout=&#8221;1_1&#8243; spacing=&#8221;&#8221; center_content=&#8221;no&#8221; link=&#8221;&#8221; target=&#8221;_self&#8221; min_height=&#8221;&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; class=&#8221;&#8221; id=&#8221;&#8221; background_color=&#8221;&#8221; background_image=&#8221;&#8221; background_image_id=&#8221;&#8221; background_position=&#8221;left top&#8221; background_repeat=&#8221;no-repeat&#8221; hover_type=&#8221;none&#8221; border_color=&#8221;&#8221; border_style=&#8221;solid&#8221; border_position=&#8221;all&#8221; border_radius=&#8221;&#8221; 
box_shadow=&#8221;no&#8221; dimension_box_shadow=&#8221;&#8221; box_shadow_blur=&#8221;0&#8243; box_shadow_spread=&#8221;0&#8243; box_shadow_color=&#8221;&#8221; box_shadow_style=&#8221;&#8221; padding_top=&#8221;&#8221; padding_right=&#8221;&#8221; padding_bottom=&#8221;&#8221; padding_left=&#8221;&#8221; margin_top=&#8221;&#8221; margin_bottom=&#8221;&#8221; animation_type=&#8221;&#8221; animation_direction=&#8221;left&#8221; animation_speed=&#8221;0.3&#8243; animation_offset=&#8221;&#8221; last=&#8221;true&#8221; border_sizes_top=&#8221;0&#8243; border_sizes_bottom=&#8221;0&#8243; border_sizes_left=&#8221;0&#8243; border_sizes_right=&#8221;0&#8243; first=&#8221;true&#8221;][fusion_text columns=&#8221;&#8221; column_min_width=&#8221;&#8221; column_spacing=&#8221;&#8221; rule_style=&#8221;default&#8221; rule_size=&#8221;&#8221; rule_color=&#8221;&#8221; content_alignment_medium=&#8221;&#8221; content_alignment_small=&#8221;&#8221; content_alignment=&#8221;&#8221; hide_on_mobile=&#8221;small-visibility,medium-visibility,large-visibility&#8221; sticky_display=&#8221;normal,sticky&#8221; class=&#8221;&#8221; id=&#8221;&#8221; margin_top=&#8221;&#8221; margin_right=&#8221;&#8221; margin_bottom=&#8221;&#8221; margin_left=&#8221;&#8221; font_size=&#8221;&#8221; fusion_font_family_text_font=&#8221;&#8221; fusion_font_variant_text_font=&#8221;&#8221; line_height=&#8221;&#8221; letter_spacing=&#8221;&#8221; text_color=&#8221;&#8221; animation_type=&#8221;&#8221; animation_direction=&#8221;left&#8221; animation_speed=&#8221;0.3&#8243; animation_offset=&#8221;&#8221;]<\/p>\n<p>The US Critical National Infrastructure (CNI) has experienced a surge of cyber-attacks in the past two years. The Colonial Pipeline incident is a fine example of how far-reaching the impact of these attacks can be. 
The employees working in these vertical industries are in danger of being targeted by threat actors, and therefore need to stay on top of their game to help prevent any unnecessary disasters.<\/p>\n<h2>In the President\u2019s words<\/h2>\n<p>Every nation\u2019s CNI is the backbone of society and the national economy. It provides energy to power our homes, schools, hospitals, businesses, and vehicles; maintains our ability to connect; and ensures that we have reliable access to safe drinking water.<\/p>\n<p>\u201cThe cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation,\u201d reads the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/07\/28\/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems\/\" target=\"_blank\" rel=\"noopener\">Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems<\/a>.\u00a0 \u201cThe degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.\u201d<\/p>\n<p>\u201cRecent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. 
public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cybercriminals,\u201d says the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/05\/12\/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks\/\" target=\"_blank\" rel=\"noopener\">Fact Sheet<\/a> of the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/\" target=\"_blank\" rel=\"noopener\">Executive Order on Improving the Nation\u2019s Cybersecurity<\/a>.<\/p>\n<p>To raise awareness on the necessity to defend CNI, <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/10\/29\/a-proclamation-on-critical-infrastructure-security-and-resilience-month-2021\/\" target=\"_blank\" rel=\"noopener\">President Biden proclaimed November 2021 to be Critical Infrastructure Security and Resilience Month<\/a>. 
In his statement, the President highlighted that \u201cThe threats against our critical infrastructure are increasingly complex and nuanced, and we all must be prepared to better protect ourselves from malicious actors threatening our cyber and physical security.\u00a0 That means staying vigilant, investing in new security measures, being prepared to respond to threats, and collaborating more with our partners.\u201d<\/p>\n<h2>What is the status of CNI security?<\/h2>\n<p>According to a <a href=\"https:\/\/bwc-www-uploads.s3.amazonaws.com\/uploads\/2021\/02\/Bridewell-Consulting_CNI_Report.pdf\" target=\"_blank\" rel=\"noopener\">study by Bridewell Consulting<\/a>, \u201cthe vast majority (86%) of critical national infrastructure (CNI) organizations have experienced cyber-attacks on their operational technology (OT) and industrial control systems (ICS) in the past 12 months,\u201d while \u201cnearly a quarter (24%) have experienced more than 5 successful attacks.\u201d<\/p>\n<p>A key factor impacting the security posture of CNI facilities is the long lifecycles of OT systems. According to the Bridewell Consulting report, \u201ca third (34%) rely on systems that are between 11-20 years old, while 79% use systems aged between six-20 years.\u201d<\/p>\n<p>The convergence of IT and OT technology and exposure of legacy OT systems to the internet is expanding the attack surface for CNI organizations. 84% of the survey respondents confirmed that their OT\/ICS environments are accessible from corporate networks. 
Coupled with the increased sophistication of adversaries and work-from-home trends, it is no wonder that attacks against CNI are growing in volume and impact.<\/p>\n<p>A recent <a href=\"https:\/\/applied-risk.com\/resources\/press-release-architecting-the-next-generation-for-ot-security-report-released\" target=\"_blank\" rel=\"noopener\">survey by Applied Risk and Ponemon Institute<\/a> reveals the most common factors that keep CNI leadership and security teams awake at night.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-3110 size-large\" src=\"https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-1880x1280.jpg\" alt=\"\" width=\"1880\" height=\"1280\" srcset=\"https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-200x136.jpg 200w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-400x272.jpg 400w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-600x408.jpg 600w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-768x523.jpg 768w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-800x545.jpg 800w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-1200x817.jpg 1200w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-1536x1046.jpg 1536w, https:\/\/itegriti.com\/staging\/wp-content\/uploads\/2022\/01\/itegriti_blog76_image1-1880x1280.jpg 1880w\" sizes=\"(max-width: 1880px) 100vw, 1880px\" \/><\/p>\n<p><em>Figure 1: Image courtesy of Applied Risk.<\/em><\/p>\n<h2>What about the people factor?<\/h2>\n<p>People, processes, and technology are the pillars of any effective security program. However, without empowered people, or lacking people, the security foundation is destined to collapse. 
Despite the importance of people, CNI organizations admit they face critical shortcomings.<\/p>\n<p>The Bridewell Consulting report indicates that \u201ca third (32%) of CNI organizations have reduced their security budgets since the start of the COVID-19 pandemic, which has led to 85% of IT and security teams feeling growing pressure to improve cybersecurity controls for their OT\/ICS environment.\u201d<\/p>\n<p>Under-resourced teams are only one side of the coin. The other challenging side is a lack of skills combined with increasing responsibilities. In fact, \u201c84% of CNI organizations believe they will be impacted by a critical cyber-skills shortage in the next three to five years.\u201d<\/p>\n<p>The Applied Risk survey findings highlight that lack of understanding of the risk (54%), lack of skilled personnel (51%), and insufficient resources (35%) are among the top pain points that make the management of CNI security difficult. Coupled with the use of unreliable manual processes (51%) and the lack of enabling technologies in the OT networks (59%), it is easy to understand why CNI organizations have become a favorite target of criminals and state adversaries.<\/p>\n<h2>Invest in your people<\/h2>\n<p>The answer to the above concerns and pain points is investment, and not just of money or time. CNI organizations need to invest in building processes that are fit for the digital era, and they also need to invest in technology that will enable them to detect, isolate, and respond promptly to attacks.<\/p>\n<p>But above all, they need to empower their employees to be on top of security. Upskilling and reskilling your people is the best defense against the sophisticated tactics used by attackers. Criminals are no longer targeting technology; rather, they target the people of the enterprise. 
Phishing attacks and impersonation attacks are the top vectors employed by attackers to find their way into the corporate network.<\/p>\n<p>Bridewell Consulting notes in their recommendations that \u201cPerhaps most worrying is the evident lack of cyber security skills that decision-makers openly admit will become a growing problem in the next five years despite many also stating they have the right skills in place. With lack of knowledge\/skills, increase in responsibilities, and burnout identified as the top challenges facing security teams today, organizations will need to invest in improving cyber skills and resources.\u201d<\/p>\n<p>Applied Risk and Ponemon offer the same piece of advice: \u201cMore effort will be needed to develop the OT Security skill pool. There is a growing demand for professionals with OT Security skills. These do not all need to be OT Security specialists, but OT Security needs to be embedded in the profiles of managers, engineers, operators, procurement specialists, and others. Workforce development will be one of the most important means of achieving this goal.\u201d<\/p>\n<h2>How ITEGRITI can help<\/h2>\n<p>ITEGRITI has an excellent, <a href=\"https:\/\/itegriti.com\/staging\/managed-services\/\">comprehensive set of programs<\/a> designed to make your employees less likely to be the root cause of any potential incident. We perform background checks, personnel risk assessments (PRAs), provide end-user training, manage and report user training, and more. 
Our <a href=\"https:\/\/itegriti.com\/staging\/gsd\/\">experience<\/a> is our token of proof.<\/p>\n<p>If you want to learn how ITEGRITI can help you empower your people, <a href=\"https:\/\/itegriti.com\/staging\/contact\/\">contact our experts<\/a>.<\/p>\n<p>[\/fusion_text][\/fusion_builder_column][\/fusion_builder_row][\/fusion_builder_container]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The US Critical National Infrastructure (CNI) has experienced a surge of cyber-attacks in the past two years. The Colonial Pipeline incident is a fine example of how far-reaching the impact of these attacks can be.<\/p>\n","protected":false},"author":10,"featured_media":3113,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2180],"tags":[],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/3107"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=3107"}],"version-history":[{"count":5,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/3107\/revisions"}],"predecessor-version":[{"id":3116,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/3107\/revisions\/3116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/3113"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=3107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=3107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=3107"}],"curi
es":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}