By Asher DeMetz
The United States consists of 16 critical infrastructure sectors – communications, financial services, energy, emergency services, information technology, and more – whose services are crucial to the success and prosperity of the country. Sometimes, however, these services are taken for granted. Critical Infrastructure Security and Resilience Month, observed in November, serves as a reminder for the importance of maintaining the security and availability of systems and organizations that maintain our way of life.
From a resilience standpoint, critical industry sectors tend to do extremely well. Whether it’s because they run tests to ensure business resilience in light of specific regulations or traditional business decisions, they are generally prepared for challenges that may arise.
And yet, while everyone can agree that it’s imperative to keep the nation’s critical infrastructure protected, the reality is that some sectors are doing a better job of protecting their critical data and systems than others.
So, what are these sectors doing differently, and what steps can be taken to improve overall security? Let’s take a look.
Get the basics in order
For the most part, U.S. critical infrastructure sectors have secure external networks. Yet, the same cannot be said about the internal networks – particularly as it pertains to transportation, financial services, manufacturing and commercial facilities.
Organizations within these sectors have demonstrated on multiple occasions that they’ve lacked basic security elements that left them vulnerable. The biggest culprits? Not patching systems or installing security updates, physical segmentation and a penchant for using weak passwords. Oftentimes, these issues arise because network engineers don’t have the time or budget to make needed changes. They’re just doing what they can to keep the network up and running.
Physical air gaps are a must
Some critical systems still have connections to the Internet. This is a huge problem.
When it comes to critical infrastructure, network segmentation is table stakes. When done properly, it allows for one segment to be quickly detached from the rest if it gets infected. It’s a strategy that can help keep a business from going dark and prevent further spread of ransomware.
However, it’s not enough to provide segmentation within internal systems. These networks need to be physically segmented as well. No matter what it takes, it’s imperative that critical networks are physically air gapped from outside connections. The security risk is too great not to do so.
Where to go from here
November may be Critical Infrastructure Security and Resilience Month, but this is something organizations should always be paying attention to. For, as the Department of Homeland Security notes: “The security and resilience of this critical infrastructure is vital to not only public confidence, but also to the Nation’s safety, prosperity and well-being.”
All industries need to do a better job eliminating vulnerabilities within their networks while making sure they’re truly segmented with physical air gaps. There is no reason critical utilities should be connected to the Internet.
Take the time to plan and invest in these necessary measures. It doesn’t get more critical than this.