It’s a new Day for National Critical Infrastructure Security and Resilience. While November is recognized as the month focused on this issue in the U.S., for some time, digital transformation has widened the aperture of our lens dramatically.
This year, led by the new Department of Homeland Security (DHS) Critical Infrastructure and Security Agency (CISA), the public and private sector are zooming in on collaborative resilience. The accelerated convergence of information technology with operational technology running our Critical Infrastructure demands this new joint approach.
As CISA noted in its National Critical Functions, newly defined this year, “goods, people and utilities move in, out, and across the United States through distribution functions. Effective, safe, efficient, lawful, and responsive management drives our way of life, our economy, and the cohesion of our society.” Given such reliance on a dynamic global ecosystem, we must clearly identify our most trusted insiders and our most dangerous adversaries and build resilience accordingly. I believe DHS’ designation of National Critical Functions is a major step forward toward this resiliency approach. I encourage readers to review the Interim Report recently issued by the DHS Information and Communications Technology Supply Chain Risk Management Task Force.
We must shift both our thinking and practice to effectively build resiliency and security into our critical infrastructure. Security must be approached from a layered perspective to address operational, cyber and physical risks together. Omitting any one of these important layer’s leaves glaring gaps in the security posture of our infrastructure.
Let’s explore a few fundamental building blocks:
While Access Management has traditionally been applied to IT systems, it is also uniquely applicable to any number of Critical Infrastructure aspects, such as its creation, operation and use. Mapping who needs access to what and when is how we start. The basics include:
Verified Identity is essential to successful access management. After all, if we are granting access to the wrong person, tool or operation, we have failed. Methods for validation can range from passwords/passphrases, to electronic key cards to biometric identifiers. Methods should be deployed based on risk, e.g. an individual’s role and the operation to be undertaken.
Segmentation ensures that if one part of a network goes down, users can readily switch to another that is still functional, minimizing the failure’s impact. This concept, often used in minimizing information technology network disruption, should also be part of our infrastructure resiliency planning. Consider these basic steps:
Third Party Risk Management becomes even more essential in today’s distributed Critical Infrastructure environments. Critical Infrastructure relies upon, in part:
All these third parties impact the success or failure of the security and resiliency of the Infrastructure in which they play a role.
These basic building blocks, which must be deployed by all of us, are essential to operational success. Resilient and increasingly secure Critical Infrastructure and services can only be achieved when we work together.
Additional Resources:
Critical Infrastructure Protection
The post A New Day for Critical Infrastructure Security & Resilience appeared first on Cisco Blogs.