Governments generally define the essential assets of a functioning society as its critical infrastructure, including electricity, communications, heating, healthcare and transport networks. For the United States, attempted cyber-attacks on these systems continue to be an attractive target. The ability of a foreign actor to gain control and operate them remotely would most assuredly wreak havoc. The lives of millions of people would be immediately impacted if one or more of these major systems became unavailable, even for a short time.

Vulnerable Networks

Modern national infrastructure networks are increasingly interconnected and interdependent. But by sharing data and information to drive increased efficiency and control, the entire system becomes more vulnerable: a single component failing will cause failures across the wider connected network.

Many large infrastructure networks are not adequately protected, lacking basic protocols to defend against a cyber-attack. But attacks on infrastructure are steadily increasing: A global infrastructure survey carried out in 2017 reported that 67 percent of respondents experienced multi-vector distributed denial of service (DDoS) attacks, up from 56 percent in 2016. These types of attacks are notoriously difficult to defend, as they typically combine a series of complex and sophisticated elements that penetrate various aspects of the structure.

Further complicating this vulnerability, critical infrastructure networks in many countries are run by a variety of different private organizations, all working closely with government at local, regional and national levels. With so many groups and stakeholders involved, a harmonized approach to their cybersecurity is essential.

Risks and Standards

To protect our national infrastructure, ongoing risk assessment and mitigation is vital. Using established standards such as ISO/IEC 27001, integrated with the NIST Cybersecurity Framework, creates resilient protection for critical infrastructures, demonstrating that those responsible are committed to cybersecurity and providing reassurance to citizens that controls are in place, and they are protected.

Beyond mitigating external cyber-attacks, a standards-based approach to protecting critical infrastructure reduces risks associated with human error. Trainings and assessments included in the standard will help organizations develop security awareness across key staff groups to maintain standard of care responsibilities. And in the event of an incident investigation, being able to prove that organizational policies adhere to recognized international standards often is decisive in dispelling negligence claims.

But governments and the organizations responsible for our infrastructure can’t go it alone; long-term international collaboration is essential. The most-effective way to protect critical infrastructure and data on a global scale is for responsible governments and industry to come together to manage and reduce risk where it
really matters.