The Increasing Threat to Private Sector Networks
The modern world heavily relies on the private sector’s utility, telecom, banking, transportation, and medical networks, which have become integral to our physical, mental, and economic well-being. However, these networks are facing an unprecedented threat from state actors. The recent unclassified summary of the Department of Defense’s cybersecurity strategy highlights the danger posed by China, stating that they steal technology secrets and aim to undermine the defense industrial base. Furthermore, in the event of conflict, China is likely to launch destructive cyber attacks against the United States, including critical infrastructure services such as oil and gas pipelines and rail systems.
The Director of National Intelligence’s assessment further emphasizes that China has the capability to disrupt critical infrastructure within the United States. Given this clear threat from near-peer competitors, it is imperative for organizations to adopt measures to safeguard their networks.
Cultivating Visibility and Rigor in Network Intersections
While some parts of networks need to be more secure than others, total segmentation is ultimately a myth. Companies now require the power of big data analytics and integration with internet-connected financial systems to effectively operate their businesses. A sound approach to risk management lies in cultivating visibility and rigor around the areas where networks overlap.
The United States government has implemented measures to address this issue by establishing cross-domain systems, responsible for connecting classified and unclassified networks, as vital national security systems that require centralized visibility. Organizations can follow suit by managing risk consistently and avoiding unique, yet unvetted, solutions to bridge protected enclaves and broader networks. This can be achieved by establishing centralized points of visibility within organizations and promoting information sharing and analysis centers (ISACs) or collaborative networks at an industry level.
Protecting the Critical Enterprise Along With Critical Infrastructure
While critical infrastructure organizations may have strong protection measures in place for their crown jewels, they often overlook the critical enterprise—the enabling functions such as HR, customer service, finance, and logistics. This part of the network is usually hosted on a less-secure IT network and may lack a strong culture of security.
Leaving the critical enterprise less protected is risky because of lateral movement: an adversary who compromises an employee in the critical enterprise can pivot from there to more sensitive systems. China-sponsored threat actors are known to abuse native, built-in services within critical infrastructure networks, which lets them evade detection. The intelligence community emphasizes the importance of protecting support networks with the same rigor as mission networks.
Private sector organizations should adopt a similar approach, securing the entire critical enterprise through comprehensive training, preventive cybersecurity architecture, and cultivating a culture of security that encompasses the shared risks to the organization. While it may not be feasible to subject employees to the same level of scrutiny required for a US security clearance, measures can be taken to increase awareness and resilience to human-enabled attacks like phishing.
Demanding Security by Design
Creating a solid cybersecurity architecture is complex, especially given the prevailing notion that technology is inherently dangerous. That notion has driven the deployment of numerous security and network management solutions, some of which carry risks of their own.
The US government and its Department of Defense have long exercised rigorous processes for technology readiness assessment and operational testing and evaluation. These processes ensure the security, maturity, and operational readiness of technologies deployed for critical government functions. Private sector organizations can incorporate similar questions and principles into their procurement processes to improve security.
Rather than relying solely on regulatory certifications, which often focus on processes and policies rather than the inherent security of the technology itself, security leaders should partner with acquisition teams and consider questions geared toward “Security-by-Design and-Default” principles. This includes having multiple layers of security, providing and maintaining a software bill of materials, implementing robust hardware architectural protections, and considering measures to “harden” the deployment of solutions.
While government security processes may be seen as burdensome, private industry must learn from them and incorporate these lessons to counter the nation-state threat. Taking these three key lessons—cultivating visibility and rigor, protecting the critical enterprise, and demanding security by design—is crucial for the private sector to safeguard critical infrastructure and the broader critical enterprise against cyber threats.