Government and businesses often view the world through separate lenses. The list of that deemed ‘critical’ in the public sector, although complexly inter-related, is far from a mirror image of the infrastructure concerns of private businesses.
The simple fact is, most if not all businesses depend on numerous infrastructure elements to maintain smooth operations. This article will look at what critical infrastructure is – and what it means to a business – and then discuss what we, as information security professionals working together and with other IT, business and legal professionals, can do to secure it.
Defining Critical Infrastructure
For many of us, when we think of critical infrastructure, we think of networks, of data centers and perhaps of utilities, such as water or electricity. Governments tend to think big, as demonstrated by this definition from the US Government’s Department of Homeland Security:
“Critical infrastructure and key resources (CIKR) includes physical or virtual assets, systems, and networks so vital to the United States that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters.”
It’s worth remembering that not everything within a national infrastructure sector is critical. In the various sectors of the economy there are certain critical elements of infrastructure, the loss or compromise of which would have a major, detrimental impact on the availability or integrity of essential services, leading to severe economic or social consequences, or loss of life. These infrastructure assets make up the nation’s critical national infrastructure (CNI) and may be physical (e.g., sites, installations, pieces of equipment) or logical (e.g., information networks, systems).
For most of us in business, we look toward the government to deal with these big picture issues. We focus on what we can control and protect – which frequently includes our organization’s networks, buildings and IT. We may reach out to our service providers and set security requirements they need to meet. But no matter what we believe is critical, and thus try to protect, businesses are becoming increasingly reliant on information, IT, networks, and also SCADA (supervisory control and data acquisition) systems.
“Any automated manufacturing facility – whether the product is a biscuit, clean water, electric energy, medicine, mass transportation, or almost anything – uses SCADA systems to some degree”, says Eric Knapp, director of critical infrastructure markets for Nitro Security. “The impact of disrupting such vital infrastructure can have huge ramifications for a company, the public or even national security.”
What Is Critical to You?
Organizations depend upon numerous forms of infrastructure, such as operational equipment, telecommunications, utilities and buildings. For most organizations, infrastructure is thought of as the physical structures required to run it.
Based on ISF research and discussions with members on this topic, we suggest that there are a variety of reasons why organizations classify parts of their infrastructure as critical. The primary reason is when infrastructure is used to support essential business operations, such as manufacturing or assembling products, delivering goods, and providing services.
“Simply put, if the compromise of any part of our organization’s infrastructure would cause a high business impact, it’s critical”, asserts one ISF member within the manufacturing sector.
Other grounds under which organizations classify infrastructure as critical include when the infrastructure (and, in some cases, the critical business operations it supports):
- Introduces a significant health and safety risk because the infrastructure (e.g., industrial machinery, production lines and energy production) is inherently dangerous to individuals, or is operated in an unsafe environment that could result in injury or death;
- Is subject to legal, regulatory and contractual obligations, and non-compliance would result in penalties, fines, legal liabilities, withdrawal of a license to operate as a business or loss of customers;
- Is considered to be of a high value (e.g., medical scanning equipment or drilling equipment) or is associated with items that are of high value
- Supports or is considered part of the country’s national infrastructure (e.g., if the business provides energy, telecommunications or transportation services) and is therefore likely to require a greater level of protection.
This last point was illustrated by comments from one ISF member in the telecommunications sector. “We provide most of the telecommunications infrastructure in the country”, the member shares. “We are therefore a vital element of the country’s national infrastructure.”
Across the ISF membership, organizations that differentiate between critical and non-critical infrastructure often establish levels of criticality, such as: tier 1, 2 and 3; mission critical, business critical and business operational; or high, medium and low. The requirements of infrastructure components then determine the level (or category) with which they are associated.
| "Simply put, if the compromise of any part of our organization’s infrastructure would cause a high business impact, it’s critical" |
| ISF member, manufacturing sector |
Infrastructure systems are typically – if not always – supported by information systems. This use of information systems can range from small-scale information systems, such as embedded systems and process control PCs, to highly distributed, integrated and complex information systems, such as computer-aided manufacturing (CAM) terminals, air traffic control systems and logistical control systems.
In many cases, information systems that support or enable critical infrastructure are outside of the organization’s traditional computing environment (e.g., the data center) and, as a result, are not under the authority or control of the IT department. The drive to outsource, offshore and focus on core competencies, which may not include IT, may also mean that information systems supporting critical infrastructure are not owned by the organization at all – and may be located in a different country.
For example, one ISF member – a major toy manufacturer – reveals it has production lines in one country and its outsourced packaging and logistics hub in another. Further, the company’s outsourced IT systems are run out of a third country.
Securing Critical Infrastructure
The increasing use of information systems to support and enable critical infrastructure introduces a new set of risks that organizations need to navigate when meeting the security requirements relating to critical infrastructure. These include availability, reliability and resilience. Based on the ISF’s work, several relevant examples of information security issues can be grouped into four components of critical infrastructure (see table).
Securing infrastructure requires more than just firewalls and patches – it requires an understanding and agreement of what the critical infrastructure for the organization actually is. Information security professionals need to work with their business colleagues and senior management to discover and then determine what infrastructure is critical – and what information systems support that infrastructure. Remember that what people view as critical can shift over time, and it can radically change in the event of an outage.
Once the identification and agreement is complete, an information risk analysis of those supporting information systems should be undertaken. Business requirements for critical infrastructure should be translated into information security requirements; threats and vulnerabilities assessed; and the findings reported. The analysis should be broad and cover topics such as the impact of consumerization, use of cloud services, ubiquitous connectivity (including SCADA connecting to the internet) and the impact of convergence on information systems.
“Security convergence is different from normal data security”, asserts Ian Kilpatrick, chairman of IT specialist Wick Hill Group. He says this is “because the link between phone systems and the internet makes both voice and data more vulnerable to problems, such as toll fraud and the total loss of both voice and data communications, if VoIP is hacked”.
Once the risk analysis is complete, a control framework for critical infrastructure needs to be established. This should cover the selection and application of a balanced set of controls (e.g., preventative, detective and reactive) to protect information systems; make use of concepts such as defense in depth, least privileges and default-deny; and should look at controls that enhance resilience and business continuity. Where external suppliers are involved, a common baseline for information security arrangements should be adopted.
“We have to constantly be aware of cluster threats”, comments one ISF member from the utilities sector. “It doesn’t take much for one event to lead to another, and the next thing you know, you’re dealing with a major event that affects significant parts of the organization’s infrastructure.”
| "It doesn’t take much for one event to lead to another, and the next thing you know, you’re dealing with a major event that affects significant parts of the organization’s infrastructure" |
| ISF member, utilities sector |
Another ISF member, from the manufacturing sector, classified its systems into varying levels of criticality, with production machinery having the highest classification. When an outage occurred at one of their plants, the classification scheme was ignored. Instead, the priority was to restore its email system (see figure, which illustrates the process at a high level).
“We broke the whole process into smaller tasks focused on one group of components at a time”, adds the ISF member. “For example, we looked at our production line machinery, industrial equipment and transport as part of operations.”
Of course, the process is not a static, one-off piece of work; critical infrastructure must be reviewed and protected on a continual basis, to deal with changes in the infrastructure and its environment. This process – and any changes associated with it – must fit in with other schedules, such as maintenance windows, to minimize machinery or infrastructure downtime.
Pulling it All Together
Organizations rely on critical infrastructure everyday – whether it is the national critical infrastructure or their own. Failure to distinguish between critical and non-critical infrastructure will result in a mixed environment, which is difficult to manage and protect effectively.
Information systems that are used to support critical infrastructure in a mixed environment will inevitably be either over protected (when the infrastructure is not critical) or under protected (when the infrastructure is critical).
Securing critical infrastructure and maintaining an adequate level of protection on an ongoing basis requires a consistent and practical approach – which must be supported by the business.
| CI Components | Typical Sub-components | Potential Information Security Issues |
| Operations | Production line equipment, warehouse operations, transport and logistics, and financial processing equipment | Malware infection of production line control devices, tampering of ATM equipment |
| Telecommunications | Data networks and landline, satellite and mobile communications equipment | Physical damage or theft of landlines, theft of intellectual property, telecommunications fraud, eavesdropping |
| Utilities | Water and gas pipelines, electrical supply and sewage treatment | Loss of power to flow-control devices, failure of UPS and/or standby generators, hacking of Supervisory Control and Data Acquisition (SCADA) devices |
| Buildings | Perimeter safety, gated access control and surveillance, and environmental monitoring equipment | Loss of physical access to premises and internal areas of buildings, theft of assets, malicious damage to controlling equipment |