Whitepaper

Guide to Critical Infrastructure Protection in the US

Noggin

Business Continuity Management

Published January 15, 2024

Threats to key assets keep increasing – at home and abroad.

Critical infrastructure comprises the key assets, systems, and networks that provide functions necessary for our way of life here in the U.S. But precisely because of their criticality, these infrastructure assets have become increasingly common targets. At the same time, the assets have become more complex, interconnected, and reliant on networks of connected devices, rendering them ever more vulnerable to cyber-attacks and technical failure [i].

So, how bad is the issue?

According to the Microsoft Digital Defense Report 2022, cyber-attacks targeting critical infrastructure assets now comprise 40% of all nation-state attacks Microsoft detected, up from 20% the year prior [ii].

Behind the staggering increase is the war in Ukraine and Russia’s targeting of that nation’s infrastructure as well as that of its allies, particularly the U.S. [iii]

Nor are these only direct infrastructure attacks. The Report also found that Russia has accelerated attempts to compromise IT firms, with the aim of disrupting and/or spying on those firms’ government agency customers in NATO member countries. Indeed, 90 per cent of Russian attacks detected now target NATO member states, and half of them target IT firms based in those countries [iv].

Nor is Russia the only nation-state actor targeting critical infrastructure assets in the U.S. Microsoft also singled out Iran, North Korea, and China. 

China, in particular, has developed unique capabilities to find and compile unpatched holes in software known as “zero-day vulnerabilities,” notes the Report.

Cybercrime is becoming a big business.

Unfortunately, critical infrastructure asset owners and operators in the U.S. don’t only have state-backed actors to worry about. Private actors have also flooded what’s become a lucrative market for cybercrime. 

The cybercriminals themselves are getting more technically sophisticated and are widening their attack radius, for instance through supply-chain attacks that have hit dozens of managed service providers at the same time.

If that sounds like an organized business, it’s because it is. Techniques like double extortion against critical infrastructure assets, i.e., exfiltrating data to a separate location to use for public leaks and other purposes, are ensuring that cybercriminals turn a handsome profit. 

In the U.S., asset owners, likely to face keen economic and reputational impacts from attacks, have every incentive to pay up. Cybercriminals, for their part, have factored this into their strategic planning, scouting out not just the best targets but also the best methods.

The coordinated moves against critical infrastructure assets all speak to the rise of Ransomware as a Service, or RaaS [v].

What is it?

RaaS is a pay-for-use malware model. It obviates the need for individual attackers to write their own ransomware code and/or run their own operations. Instead, a platform with ransomware code and operational infrastructure is made available, and criminals need only launch and maintain their own campaigns.

Government response to ransomware attacks on critical infrastructure assets

High-profile ransomware attacks against key assets in the U.S. like the Colonial Pipeline and JBS Foods haven’t gone unnoticed, though. Regulators and policymakers have both begun to act.

In the wake of the Colonial Pipeline shutdown, for instance, the Transportation Security Administration (TSA) issued compliance actions to the energy sector. The regulations required owners and operators of hazardous liquid and natural gas pipelines or liquefied natural gas facilities to:

  • Notify the TSA that their pipeline systems or facilities are critical
  • Report the following cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA): 
    – Unauthorized access to Information or Operational Technology systems
    – Discovery of malicious software on an Information or Operational Technology system
    – Activity resulting in a denial of service to any information or operational technology system
    – A physical attack against network infrastructure
    – Any other cybersecurity incident that results in operational disruption to the owner/operator’s information or operational technology systems or other aspects of the owner/operator’s pipeline systems or facilities, or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases
  • Designate a cybersecurity coordinator who is available to the TSA and CISA at all times
  • Immediately conduct internal security assessments

Acknowledging the limitations of the sectoral approach [vi], the Biden Administration changed course. Later in 2021, the President signed a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems”.

That NSM sought to compel critical infrastructure asset owners to implement “long overdue efforts” to meet threats their assets face. The key tenets of the NSM included:

  • Directing the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop cybersecurity performance goals for critical infrastructure. 
  • Formally establishing the President’s Industrial Control System Cybersecurity (ICS) Initiative, a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. 

Aspects of these regulations would eventually get rolled up into the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022 [vii]. At present, the law compels CISA to complete mandatory rulemaking activities before reporting requirements go into effect.

However, the longer-term intention is to encourage critical infrastructure owners and operators to voluntarily share information on cyber incidents with CISA, prior to the effective date of the final rule. 

Best-practice measures to harden critical infrastructure assets

Sharing critical information alone won’t harden critical infrastructure assets against the most determined attackers and keenest threats, particularly in the following, most common use cases: 

  • Cybersecurity. Ransomware, insider threats, phishing, etc.
  • Extreme weather and climate change
  • Physical security. Active shooters, vehicle ramming, improvised explosive devices, unmanned aerial systems, etc.
  • Cyber-physical convergence. Physical impacts resulting from a cyber threat vector, or cyber impacts resulting from a physical threat vector.

What will? The subsequent guide will lay out best-practice measures asset owners and operators can implement as well as digital technologies they can invest in to keep their assets and the people that depend on them safe. 

The relevant measures include:

Enhance reporting. 

Enhanced reporting is not the be-all and end-all, but it does have intrinsic value. It serves the dual purpose of (1) improving the transparency of the ownership and operational control of critical infrastructure assets and (2) facilitating cooperation and collaboration between all levels of government, regulators, as well as owners and operators of critical infrastructure.

What operational information should asset owners and operators be prepared to report? In jurisdictions with longer-standing critical infrastructure protections, such as Australia, asset owners and operators must report the following:

  • An asset’s location
  • A description of the area the asset services
  • Information concerning the responsible entity
  • Information concerning the chief executive officer
  • Description of the arrangements under which each operator operates the asset or a part of the asset
  • Description of the arrangements under which data is maintained

Further best practices for protecting critical infrastructure assets

However, there’s more to uplifting the security and resilience of critical infrastructure assets than enhanced reporting. Better identification and more sharing of threat information help, too. 

What else? Asset owners and operators should also be seeking to manage risks that may impact their business continuity as well as the country’s economy, security, and sovereignty. How to go about it? We suggest the following best-practice measures:

  • Identify and understand risks. Take an all-hazards approach when identifying and understanding risks, considering both natural and human-induced hazards. Examples include understanding how risks might accumulate throughout the supply chain, understanding the way systems are interacting, and outlining which of these risks may have a significant consequence to core service provision. 
  • Mitigate risks to prevent incidents. Put in place appropriate risk mitigations, encompassing proactive risk management as well as processes to (1) detect and respond to threats as they are being realized, and (2) plan for disasters and have a way to lessen their negative impact should they actually occur.

    What’s more, engage with the relevant stakeholders (e.g., partners, suppliers, customers, etc.) to ensure that identified risks and proposed mitigations are proportionate to risk, while also respecting business, societal, and economic impacts. 
  • Minimize the impact of realized incidents. Put in place robust procedures to recover as quickly as possible from incidents, should threats be realized. Examples include ensuring plans are in place for a variety of incidents, whether having back-ups of key systems, adequate stock on hand (such as medicines), redundancies for key inputs, out-of-hours processes and procedures, and the ability to communicate with affected customers.
  • Implement effective governance and oversight processes. Put in place appropriate risk management oversight and responsibilities, with strong governance and clear lines of accountability, demonstrated comprehensive planning, as well as robust assurance and review processes proportionate to the identified risks.

The above, however, won’t cover all risks to critical infrastructure assets. Asset owners and operators will have to prioritize. Based on what we’ve seen in other jurisdictions, asset owners and operators should prioritize the following threat vectors with prescribed measures listed:

Threat vector and prescribed measures:

Physical security
  • Implement proportionate physical security measures that lessen the risk of harm to people, information, and physical asset resources being made unlawfully inoperable or inaccessible, or being accessed, used, or removed without appropriate authorization.
  • Integrate protective security into the process of planning, selecting, designing, and modifying facilities for the protection of people, information, and physical assets.
  • Secure physical spaces where sensitive information and assets are used, transmitted, stored, or discussed.

Cyber security
  • Identify and assess sensitive information and implement proportionate controls.
  • Understand access to an entity’s sensitive information, with need-to-know principles applied.
  • Safeguard information from common and emerging cyber threats and adhere to best practice guidelines.
  • Implement robust security measures during all stages of ICT systems development.
  • Aim to ensure systems and personnel can detect, understand, and respond to cyber security incidents.

Personnel security, i.e., insider threats
  • Ensure only suitable employees and contractors access the entity’s resources and are aware of, and meet, appropriate standards of conduct.
  • Assess and manage the ongoing suitability of personnel to access resources throughout their engagement.
  • Promote a positive and collaborative security culture of continual improvement and engagement across sectors, ensuring lessons learnt are shared.

Supply chain
  • Promote a positive and collaborative security culture of continual improvement and engagement across sectors, ensuring lessons learnt are shared.

Role of digital technology in protecting critical infrastructure assets

For most, these measures represent a substantial uplift in their security and resilience burden. How to go about it efficiently? We recommend investing in dedicated critical infrastructure protection software technologies. 

What are the benefits of these platforms? The organizations using these technologies can more easily (1) adopt and maintain an all-hazards critical infrastructure risk management program, (2) report serious cyber security incidents, and (3) provide ownership and operation information. What’s more, as compliance drivers accumulate, asset owners and operators will find themselves at a crucial advantage. 

Of course, not all critical infrastructure protection technologies are created equal. What capabilities are most helpful in uplifting security and resilience? We recommend the following:

Supports key use cases

The appropriate critical infrastructure protection software should contain features and functionality for distinct user groups, including (1) regulators, (2) operators, the custodians and managers of the critical infrastructure asset, and (3) viewers, those who would only have viewing access to details regarding the critical asset.

What’s the difference? The difference, here, is that operators will have additional tools to assess the current status of the infrastructure asset. That will help them proactively protect the asset against potential threats. 

How, though?

Maintains key details of assets and stakeholder contacts

Well, operators, here, need functionality to help them maintain details about the assets under their management. The following features help asset owners and operators identify and understand risks to their assets, mitigate those risks to prevent incidents, and implement effective governance and oversight processes to ensure continuous improvement:

  • Links to perform quick actions, such as creating licenses, notices, logs, and tasks
  • Overviews to show the current ratings and scores of valid assessments/inspections across all the critical infrastructure assets in the system, as well as a table of the critical infrastructure assets in the system
  • Mapping to display the locations of all critical infrastructure
  • Assessment tables of the various assessments provided within the system
  • Table of events that have occurred in the environment
  • Tables of internal and external contacts in the system, as well as access requests that require approval and oversight before access to the system is granted
  • Collaboration tools, e.g., chat, tasking, and messaging, to help users work together
  • Tables of the various products that together help to provide situational awareness around the critical infrastructure in the system

Another piece of logging, tasking, and reporting functionality that helps owners and operators maintain key details is the critical infrastructure log. A must-have feature, the critical infrastructure log enables operators to provide miscellaneous notes or information relating to the critical infrastructure asset, thereby providing additional situational awareness.

Conducts security threat assessments

Critical infrastructure protection software should also come equipped with functionality to inspect, track, and rate the vulnerability and preparedness of critical infrastructure assets to certain threats, as a means of assessing and mitigating potential threats. 

The platform should therefore come equipped with a security threat assessment tool to enable the operator to perform an assessment based on available information, e.g., incident data, news reports, police reports, etc. This feature-set would be crucial to determining how vulnerable the critical infrastructure asset is to potential threats, e.g., terrorism, civil disorder, and insider crime. 

Within the platform, the assessor should also be able to complete the assessment for each category of threat and then provide an overall rating for the critical infrastructure asset. A reassessment date would be entered at that time to provide automated reminders and status updates for the assessment.

Conducts crowded place and impact assessments as well as various other inspections

Along the same lines, a crowded place assessment feature should enable the operator to perform an assessment, based on available information, to determine whether the number of people who gather near or around the asset, and the reasons they gather, pose a risk.

Within the platform, the assessor should be able to complete that assessment, for each crowded place category, providing a vital input into the overall score for the crowded place. That total overall score would then be compared to the threshold to determine if further action should be taken to protect the crowded place.

Similarly, physical security inspection functionality would allow the operator to perform an inspection of security effectiveness across several categories, e.g., access control, the perimeter, or surveillance systems. 

Within the system, the assessor should be able to complete the inspection questionnaire for each category. The answers given will provide a score and effectiveness percentage. The assessor would then be able to use these details to determine if the current measures in place are effective or not, with all the scores and results rolled into the overall inspection (score) to provide a consolidated view of the results. A reinspection date would also be entered to provide automated reminders and status updates for the inspection.

What’s more, the impact assessment feature should enable the operator to perform an assessment of the impact that an event or incident has had on the critical infrastructure asset. A reactive assessment, this impact assessment would be performed in response to an event or incident that has impacted the asset.

Disseminates notifications and products to prepare for and/or respond to planned events or incidents

Here, a notice feature should enable the operator to publish materials to sectoral and national regulators, whether or not doing so is currently required. These notices often provide required situational awareness updates on activities that may impact the asset, or on new guidelines or regulations likely to be relevant to the asset under management.

To remain relevant, however, the notices should be set to expire at a particular time, ensuring that only the most pertinent information is given to stakeholders. The notification features, here, should also allow the operator to send an email to stakeholders of critical infrastructure, to provide important situational awareness updates.

Conclusion

In sum, attacks on critical infrastructure assets in the U.S. are on the rise, and there’s little reason to believe the threat picture will improve anytime soon.

As a result, national and sectoral regulators are stepping in, with policymakers beginning to flex their muscle, too. This compliance picture will force asset owners and operators to act.

But acting quickly requires investing in integrated critical infrastructure protection software, such as Noggin, with integrated business continuity, crisis management, and operational security capabilities. 

These platforms not only give you a leg up in the compliance race. They also enable you to address and manage cyber threats while driving continuous improvement and review cycles, all without having to shell out for costly new ICT systems.


Sources

i. Allianz: Cyber attacks on critical infrastructure. Available at https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html.

ii. Tom Burt, Microsoft: Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression. Available at https://blogs.microsoft.com/on-the-issues/2022/11/04/microsoft-digital-defense-report-2022-ukraine/.

iii. Ibid.

iv. Ibid.

v. Sean Michael Kerner, TechTarget: Ransomware as a service. Available at https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS.

vi. In the U.S., the following sixteen sectors are considered critical infrastructure sectors: Chemical; Commercial facilities; Communications; Critical manufacturing; Dams; Defense industrial base; Emergency services; Energy; Financial services; Food and agriculture; Government facilities; Healthcare and public health; Information technology; Nuclear reactors, materials, and waste; Transportation systems; and Water and wastewater.

vii. CISA: Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Available at https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia.