Start secure and stay secure!
by Sean Atkinson, Chief Information Security Officer, CIS
But what does security really mean? For critical infrastructure sectors, security is defined by Presidential Policy Directive 21 (PPD-21):
The terms ‘secure’ and ‘security’ refer to reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.
Organizations can implement security in different ways, including both physical and cybersecurity measures. Examples include:
- Installing ID badge verification at doorways
- Using security fencing around buildings
- Deploying network monitoring
- Locking devices (such as laptops and cell phones) when not in use
Manage the risk
One key concept behind both security and resiliency is managing risk. PPD-21 explains that critical infrastructure “owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.”
Cyber risks include DDoS attacks, malware, phishing, data breaches, and more. So how can critical infrastructure sectors and other organizations prepare? To help organizations understand and mitigate cyber risks, we offer a free resource known as CIS RAM (CIS Risk Assessment Method). CIS RAM helps organizations conduct a cyber risk assessment and implement the cybersecurity best practices found in the CIS Controls™. The method provides three pathways, depending on your organization’s experience with cyber risk analysis:
- For organizations new to risk analysis, CIS RAM provides instructions for modeling threats against the CIS Controls.
- For organizations more experienced with cybersecurity, CIS RAM helps model threats against information assets.
- For cyber risk experts, CIS RAM offers instructions for analyzing risks based on “attack paths.”
Know your threats
Each organization has slightly different cyber risks and threats. Listed below are tips for various critical infrastructure sectors:
Communications
Wired, wireless, and satellite communications are more than just an underpinning of modern life. They are the “enabling function” across most other sectors. Use your access to the internet judiciously.
Tip: Keep your machines “clean” with current patches and up-to-date anti-malware software. A compromised machine can be conscripted into a botnet and used to flood communications links (a DDoS attack), so securing your own systems helps keep this shared resource from being driven to exhaustion.
Dams
The private and public infrastructure of U.S. dams has obvious ties to the energy and water infrastructures. Remember, systems are interconnected. Use each system for the specific purpose for which it is intended. For example, protect passwords and access to government portals and to the underlying control-system interfaces.
Tip: Don’t reuse the same password across your personal and business accounts. If you do, and that password is exposed in a breach of a public site, it can be replayed against a private business portal, and the attacker gains access to more than just your email account. Depending on your role within the organization, the attacker could reach the controls of the dam itself and the safeguards protecting the people who would be at risk.
Emergency services
Society is shifting to social media as a channel for emergency communications. Social media can be used for updates, alerts, and emergency warnings. The public’s responsibility is to use these technologies and updates judiciously. Remember: if it is on the internet, it is public, and you have to guard your own level of privacy. See also DHS' Emergency Services Sector Cybersecurity Best Practices.
Tip: Although what you share online is a personal decision, be cautious. When we overshare, we may put ourselves or others in jeopardy. Think before you post: “How could this information be used to cause harm?”
Energy
This sector is an underlying operational requirement for most other critical infrastructure. The energy industry carries specific risks, and controls must be put in place to build resilience against a cyber-attack. One of the most important pieces is to approach cybersecurity training with an emphasis on understanding.
Tip: Treat the rules as something to apply in your everyday work, not as just another “training” you already know how to click through. Speak up if you have ideas or recommendations for making training more accessible or better aligned with your work.
Government facilities
The government property and facilities sector encompasses an enormous number of physical assets. Schools, government buildings, and national monuments are part of this sector. Another major part is elections infrastructure, covered by the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). CIS, home to the EI-ISAC, takes great pride in providing best practices for U.S. government officials to secure the elections infrastructure.
Tip: For the general voting public, a few security habits can help keep your information secure. Be cautious of emails and social media posts about voting or re-registering. Any unsolicited message that directs you to a site demanding personal information to register or re-register to vote should be treated as suspicious; confirm your registration status directly with your state or local election office instead.
Healthcare and public health
Access to Protected Health Information (PHI) is necessary for healthcare workers to provide quality care to patients. Access to this data must be controlled, with specific regard to how it is shared. It must be treated as highly confidential, and any dissemination of it should be secure and appropriate.
Tip: Data should be shared on a “need to know” basis. When employees distribute healthcare information, they should ensure:
- that they have permission to send the information, and
- that the recipient is aware of their responsibility to maintain confidentiality once they receive it.
CIS Control™ 14 (Controlled Access Based on the Need to Know, in CIS Controls v7) and its sub-controls help users manage data access based on the need to know.
Information technology
The critical sector that defines the 21st century is the internet. Internet access is a great tool, but it is important to remember that those with nefarious intent have access too. It is our responsibility to make sure that their activity is thwarted. Where possible, we should reduce the attack surface by making systems harder for attackers to reach.
Tip: One item to address is the default accounts and passwords shipped with IoT and networking devices. Once a device is installed, change the default credentials and tighten the default configuration. The CIS Benchmarks™ provide guidance for many technologies, including ensuring that default credentials are changed.
Transportation
Travel and transport are the concerns in this space. Be cautious not only of your surroundings but also of the things you are physically carrying with you.
Tip: Keep your devices with you at all times and physically secure them. Also secure them logically: enable full-disk encryption so the data stays confidential if a device leaves your possession. Note that disk encryption by itself protects confidentiality, not integrity; it does not by itself stop someone with physical access from altering the encrypted data, so pair it with a strong login password, an automatic screen lock, and verified or secure boot where the platform supports it.
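The distinction between confidentiality and integrity in the tip above is easy to state and easy to get wrong, so here is an added example (not code from the article or from CIS) that shows it concretely. Most disk-encryption modes are unauthenticated; this demo uses AES-CTR as a stand-in for such a mode (an assumption: Go’s standard library has no XTS), and compares it with AES-GCM, an authenticated mode. An attacker who holds the device but not the key XORs one byte of the stored ciphertext. The key, the record and its layout are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed 256-bit key for the demonstration only; a real disk key comes
// from a KDF over the passphrase or from a TPM/hardware keystore.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// mustAES and randomBytes panic only on programming errors (bad key length,
// broken system RNG), which keeps the mode comparison below uncluttered.
func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// ctrEncrypt uses AES-CTR, an unauthenticated mode: it hides the data but
// stores nothing that would reveal a later modification. Output is iv||ct.
func ctrEncrypt(key, plaintext []byte) []byte {
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(ct, plaintext)
	return append(iv, ct...)
}

// ctrDecrypt never reports tampering: CTR has no way to tell.
func ctrDecrypt(key, data []byte) []byte {
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(mustAES(key), iv).XORKeyStream(pt, ct)
	return pt
}

// gcmEncrypt uses AES-GCM, an authenticated mode: the tag binds the ciphertext
// so any change is detected on decryption. Output is nonce||ct||tag.
func gcmEncrypt(key, plaintext []byte) []byte {
	aead, _ := cipher.NewGCM(mustAES(key)) // errors only for non-standard block sizes
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// gcmDecrypt returns an error if the stored bytes were modified in any way.
func gcmDecrypt(key, data []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(mustAES(key))
	ns := aead.NonceSize()
	if len(data) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// flipByte models an attacker who holds the device but not the key and XORs
// one stored byte. Under CTR the same XOR lands on the plaintext byte.
func flipByte(data []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), data...)
	out[offset] ^= mask
	return out
}

// TamperDemo encrypts a constructed record under both modes, applies the same
// one-byte flip to each stored blob, and returns what CTR decrypts the tampered
// record to and whether GCM rejected its tampered blob.
func TamperDemo() (ctrResult string, gcmRejected bool) {
	record := []byte("balance=100") // constructed sample; the '1' sits at index 8
	mask := byte('1' ^ '9')          // rewrites '1' as '9' without knowing the key

	tamperedCTR := flipByte(ctrEncrypt(demoKey, record), aes.BlockSize+8, mask)
	ctrResult = string(ctrDecrypt(demoKey, tamperedCTR))

	gcmBlob := gcmEncrypt(demoKey, record)
	_, err := gcmDecrypt(demoKey, flipByte(gcmBlob, 12+8, mask)) // standard 12-byte GCM nonce
	return ctrResult, err != nil
}

func main() {
	ctrResult, gcmRejected := TamperDemo()
	fmt.Printf("CTR silently decrypted the tampered record as %q\n", ctrResult)
	fmt.Printf("GCM rejected the tampered record: %v\n", gcmRejected)
}
```

Running it shows CTR returning "balance=900" with no error while GCM refuses the altered blob. The attacker needed only the layout of the stored data, not the key, which is why “encrypted” is not the same as “tamper-proof” and why a laptop that was out of your control should be treated as untrusted until its boot chain and disk contents are verified.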
Water and wastewater systems
The final critical infrastructure area covered here is water supply systems. The Environmental Protection Agency (EPA) defines specific criteria and provides cybersecurity guidance for states. That guidance identifies getting a program started as the hardest part of minimizing risk and applying appropriate controls. One strong starting point is the CIS Controls, a prioritized list of security steps that are essential to cyber resilience.
Tip: Personnel may believe they lack the specialized skills to use cybersecurity controls effectively. This is not the case. Anyone can start with a risk-based approach that considers the targets an adversary is most likely to seek. The EPA guidance referenced above provides a 16-point checklist; used in combination with the CIS Controls, it lets you start building the resilience required to protect our critical infrastructure.
Creating a plan for the future
From Communications to Government Facilities, people around the country rely on critical infrastructure for daily tasks like going to work and chatting with friends and family. All of us can take steps to reduce the risks to these essential systems and services, but leaders in these sectors have a special responsibility to keep security top-of-mind.
Building organizational security and resiliency can be especially challenging when dealing with cyber threats. Although each critical infrastructure sector has its own unique risks and challenges, many of the technical vulnerabilities are shared. By conducting a cyber risk assessment and understanding their risk profile, organizations can invest time upfront to ensure they are implementing informed policies and processes. This helps ensure security controls are effective against real-world threats.
Alliance for Innovation members have a great resource available to them to help address cybersecurity-related issues: The Center for Internet Security’s (CIS) Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Through CIS, members have access to a number of important resources, such as incident response, a 24/7 security operations center, threat alerts, and best-practices guidance, which help improve their overall cybersecurity posture and reduce the effectiveness of cyber-attacks. All these resources and more are available at no cost. To join the MS-ISAC, please visit: https://learn.cisecurity.org/ms-isac-registration, or visit https://learn.cisecurity.org/ei-isac-registration to join the EI-ISAC. Additionally, their Albert network monitoring solution is available to state and local government organizations for a small fee. Additional information on Albert, including how to purchase, is available at https://www.cisecurity.org/services/albert/