Strategies to Secure Critical Infrastructure
Experts Debate New Measures to Defend Against Threats
Critical infrastructure - energy, defense and transportation among the components - forms the backbone of a nation's economy, security and health. Hence, it is imperative to secure critical infrastructure elements, such as power grids, communication and finance.
A persistent cyberattack on critical infrastructure could play havoc. The challenge, then, is to find new ways to mitigate risks emerging from rising threats to critical infrastructure.
"The critical infrastructure and information is the responsibility of the board, and hence the board has to work toward protecting and securing the same against threats," says Sachin Burman, director at India's National Critical Information Infrastructure Protection Centre.
Latha Reddy, former deputy National Security Advisor, India, says, "Every organisation needs to define what is critical infrastructure and critical information and prioritize risk management strategy to secure them."
This discussion emerged during the recent Cyber 360 event in Bangalore.
Critical Infrastructure Protection Challenges
Many experts argue that little has been done to secure critical infrastructure, mainly because of lack of skills, proper communication and awareness.
Critics say that this is also why boards do not take ownership of the critical infrastructure and its protection, or hold security teams accountable for any untoward incidents.
U.S.-based Melissa Hathaway, a senior fellow at Potomac Institute for Policy who runs the cybersecurity consultancy Hathaway Global Strategies, sees the need to tie cybersecurity to the economic strength and stability of the nation.
"The most critical challenge for every region or nation is defining what critical infrastructure is, which needs to be protected [at] any cost," she says. "In addition, while in many ways organisations have created a glass house believing it to be secure, in most cases it is not resilient enough to protect against threats."
As the Modi government is encouraging digital India, Hathaway says, every sector is embracing the technological environment, and there is a need to ensure it has minimal exposure to threats.
Reddy endorses the view, noting: "Cybersecurity is not associated with government alone. Every corporation and person is responsible for protecting critical infrastructure and information as it involves public safety."
The question is: Who is accountable, and how and where should risk management strategies be prioritised?
NCIIPC's Burman says that although government organisations have been taking measures to protect the country's infrastructure, they have not been successful in reaching out to people. "A lot of action needs to be taken on a war-footing to ensure that critical infrastructure is protected against threats, besides bringing about changes in the process," he says.
The challenge, he points out, is that no enterprise, be it in the government or the private sector, is in a good position to identify what information is critical.
Strategies to Secure the Infrastructure
There is no 'one-size-fits-all' concept when it comes to protecting critical infrastructure. This 360-degree approach recommends looking into many aspects of overhauling security procedures as threats become more sophisticated in nature.
For instance, Reddy believes a systematic approach needs to be taken to list the priorities of a risk mitigation plan. She says there are five pertinent aspects that need to be addressed to ensure infrastructure protection:
- Identify what critical information is and the infrastructure that is going to impact citizens;
- Find out the kind of techniques that need to be applied to protect these;
- Identify global security guidelines to adopt while protecting telecommunication and cyber networks, which, if damaged, could cause physical disruption of other sectors, such as energy and power;
- Prioritise national critical information centres in India by establishing co-operation and bilateral agreements between governments, defense and think tanks, creating strong defences;
- Focus on building a strong risk management approach.
"Organizations across all sectors should leverage ICT to build a robust risk mitigation strategy to protect its core infrastructure," Reddy says.
Hathaway urges security practitioners to pay attention to how they can secure their critical information, recommending:
- Identify the infected and vulnerable infrastructure and data, categorise in terms of priority and bring it to the board's notice;
- Establish a strong, actionable information-sharing platform across industries. Information sharing must be targeted and explain defense mechanisms in case of an incident;
- Improve engineered products in the market with built-in security resilience to address cybersecurity challenges;
- Remove glasshouse infrastructure and encourage bilateral agreements with universities and corporate and international groups to roll out cybersecurity courses and technology transfer.
Burman says one must assume that the criticality of operations of any enterprise will determine the criticality of the underlying architecture. He suggests practitioners adopt a simple way to tackle critical infrastructure challenges. "Approach the issue with a business continuity and disaster recovery perspective; it needs to be viewed from a macro and micro level," he says.
"While the board decides what is critical to them and what needs to be protected against threats, the security head will work on the framework to decide how to protect and create necessary architecture," Burman adds. "Cybersecurity is not restricted to security teams alone. It encompasses overall posture of information assurance which affects every department. Protecting organisational critical infrastructure is a collaborative effort."