August 22, 2023 3 Key Cybersecurity Tips for Critical Infrastructure

Today’s critical infrastructure organizations must follow 3 essential processes to uplevel their cybersecurity efforts and prevent attacks.

By  Wayne Dorris, CISSP, Program Manager, Cybersecurity, Axis Communications

Both physical and cyber security efforts have become necessary parts of critical infrastructure, as OT and IT environments become increasingly intertwined – and as cyberattacks on critical infrastructure have continued to grow in number and sophistication. With this in mind, critical infrastructure organizations need to upgrade their cybersecurity efforts to keep essential operations moving no matter what.

There are three key methods to propel this mindset forward: adopting “system-thinking,” implementing lifecycle management, and thoroughly considering all potential risks. By properly approaching your cybersecurity, you’ll be able to stay on top of potential attacks – and protect your infrastructure from infiltration and disruption.

Adopt “System Thinking”

When putting together your entire security system–from physical cameras to firewalls–you must shift to seeing security solutions as a whole rather than a selection of separate devices. Then, you need to consider the relationships between the hardware and software of the whole solution itself, along with considering how its integration into the broader infrastructure of the end-user organization impacts the system.

Think of it this way: when you’re building a chain, you need to understand every link that makes it up. If even one link in your chain has a crack, it can compromise the whole thing. Additionally, if you understand each link, you know what each is capable of, and therefore how data flows along each link in the entire chain. When you know where a piece of data is located, as well as know without a doubt where it’s headed next, it’s easier to know where and how to best protect it.

This part of the process is where it’s important to remember the convergence of IT and OT – they’re no longer separate chains, but rather are combined to make one long chain. For instance, data might be captured by an OT security device like a camera, but the next “link” in that data chain could be an IT server that runs video analytics, and that analysis could then in turn trigger another OT device like an audio deterrent or a spotlight. All this technology working together is incredible and impactful, but users must prepare for the fact that this opens them up to more potential avenues of attack.

Implement Lifecycle Management

Once you’ve gotten a complete system in place, and fully understand how each piece is connected to or impacts other parts, you need to implement a proper procedure for lifecycle management. Technology is no longer an out-of-the-box static entity; you don’t just set it and forget it. Because of the convergence of IT and OT, if you don’t update all devices with regularity, you leave yourself open to vulnerabilities.

A device lifecycle isn’t just about updates – it’s made up of five different parts: production, distribution, implementation, service, and decommissioning. Beyond production, every part of the lifecycle is open to vulnerability. In distribution, there’s always the potential for a bad actor to intercept devices in transit, so you want a device produced by a company with signed firmware, and secure boot. During implementation, you need to harden your security devices to match the environment it’s being placed in, whether that’s OT or IT.

When your device is finally ready to be in service, you first need to assess how long a device will be supported, both from a hardware and software perspective If you don’t know how long a device will be updated and maintained, you don’t know how it fits into your system. Additionally, when it comes to updating that device, you should do it on the schedule of the manufacturer – not your own schedule. If you bulk update all devices once a year, but the manufacturer recommends updates every 4-6 weeks, you’ll be missing out on critical updates and leaving yourself open to potential attacks.

Finally, there’s the last part of the lifecycle: decommissioning. Old devices might hold data on them that you aren’t aware of. If your company sells old devices to a third party, those devices might still hold network configuration data, which is like a roadmap for hackers. You need to follow decommissioning instructions to the letter to complete the lifecycle of your devices safely.

Consider the Wider Risks

While your security solution’s primary focus should be on addressing the defined operational requirements put forth by the end-user organization, comprehensive IT and cybersecurity provisions are also essential to ensure complete system protection. This may go beyond initial device security, delving more into the broader security scene, news of recent cyberattacks, and developing regulations.

For instance, starting June 11, 2023, all software components sold will be required to provide their software bill of materials (SBOM). This requirement for US Federal Government came out of EO 14028 in May 2021.  An SBOM helps users better understand what software components are living in their environment, so if something happens, organizations will immediately be able to know what is being impacted and where.

While your organization may not exactly know how successful your cybersecurity system is unless an actual attack occurs, you shouldn’t wait until one comes along to shore up your defenses. While this may be more complicated than it used to be thanks to OT and IT devices being more interwoven than ever before, it’s still possible to have a concrete plan in place to mitigate the risks to your organization. Start thinking of your security devices as links in a chain, and that chain might just be tough enough to defend you from harm.

A 25+ year industry veteran, Wayne Dorris, CISSP, is the cybersecurity business development manager for Axis Communications covering North America. In this capacity, Dorris generates awareness and assists with cyberstrategy and demand in Axis products. He also influences IP solutions for all segments of Axis’ business relative to cybersolutions. Prior to joining Axis, Dorris held the position of applications and field sales engineer for other security manufacturers. He also served nearly 10 years as the technical security director for a major fortune 150 company. Dorris is currently an active member of ASIS.

Subscribe to Industry Today