What Is Critical Infrastructure?
Critical infrastructure is any network, system, or asset the public sector deems essential to society. Critical infrastructure plays a pivotal role in safety, security, public health, and the economy. If critical infrastructure is destroyed or otherwise rendered non-functional, the result is typically significant and widespread disruption.
Some critical infrastructure also has the potential to cause catastrophic damage to its surroundings if operated incorrectly.
Each nation has a slightly different classification system for critical Infrastructure, though in most cases, assets are still divided by industry or sector. Countries also have different priorities where Critical infrastructure is concerned, with some assets deemed more important than others. With that said, certain assets, such as water and power, are almost universally viewed as essential.
What Sectors Operate Critical Infrastructure?
Critical infrastructure may be found in any of the following industries:
- Transportation
- Manufacturing
- Agriculture
- Public Sector/Government
- Healthcare
- Pharmaceutical
- Financial Services
- Telecommunications
- Emergency Services
- Energy and Utilities
- Waste Management
Examples of Critical Infrastructure
Examples of critical infrastructure include, but are not limited to:
- Power Plants
- Water Treatment Facilities
- Roads and Bridges
- Hazardous Materials
- Hospitals
- Postal Services
- Internet Connectivity
- Data Storage
The Three Elements of Critical Infrastructure
According to the United States Federal Emergency Management Agency (FEMA), the three elements of Critical Infrastructure are:
Physical: tangible assets such as power lines or roads
Cyber: Any electronic system that transmits, stores, or manages information. This category encompasses both software and hardware
Human: Individuals with critical knowledge, skills, or responsibilities and people who may be uniquely susceptible to attack
How Critical Infrastructure Relates to Key Resources
Critical Infrastructure vs. Public Infrastructure
Public infrastructure is a catch-all term for government-owned assets and facilities available for public use or broadly crucial to society. It may be divided into three categories:
Soft Infrastructure encompasses the institutions that help maintain a nation or region’s economy and social order, including hospitals, schools, and regulatory agencies.
Hard Infrastructure refers to physical systems that transport resources and convey information, such as roads and cell phone towers.
Critical Infrastructure is vital enough that interruption poses a severe risk to people’s well-being. Among other things, It may include electricity, water, food, shelter, and access to medicine.
Ultimately, these distinctions are mainly symbolic, as most governments class all three types of public Infrastructure under the umbrella of critical infrastructure.
Threats Facing Critical Infrastructure
Critical infrastructure threats can be broadly divided into two categories: natural and man-made.
Natural threats may include natural disasters, fire, flooding, and severe weather.
Man-made threats could include physical theft, vandalism, malware, ransomware, data breaches, and other forms of cyberattack.
Why Critical Infrastructure Security Is Important
When critical infrastructure is brought down, the consequences go far beyond the public sector, typically causing severe disruption across multiple industries. In extreme cases, compromised critical infrastructure threatens the health and well-being of the people that rely on it, sometimes even resulting in loss of life. In recent years, there have been multiple examples of this in the US and internationally.
2021 Colonial Pipeline Attack: Threat actors with a suspected connection to the Russian government shut down the pipeline for nearly a week via ransomware. This resulted in widespread fuel shortages, bringing fuel prices to their highest since 2014.
2015 Attack on Ukraine’s Power Grid: Another attack with a suspected connection to state actors, this attack was the first of its kind and left more than 230,000 residents without electricity for more than six hours. It took several months for operations to return to normal.
Multiple US municipalities have been targeted with ransomware over the past several years, disrupting essential government services for weeks. The city of Oakland was among the most severe, as hackers followed up on the attack by publishing the personal data of current and past employees.
In short, the economic and social implications of an attack against critical infrastructure are immense, and it’s not just the result of state-sponsored threat actors. Even a cybercriminal with a shotgun approach to selecting targets or an automated worm could cause catastrophic damage. The public and private sectors must cooperate to secure and protect critical infrastructure.
Best Practices for Securing Critical Infrastructure
Audit and Assess
As with any security initiative, the first step in protecting Critical Infrastructure is a thorough audit of all connected systems and assets, followed by a comprehensive risk assessment. Cyber Threat Intelligence plays a crucial role in this pursuit, providing security teams with the necessary visibility to detect, identify, and mitigate potential attacks. Additionally, it’s essential to understand the overall threat landscape facing Critical Infrastructure, as well as the most common types of cyberattack:
- Social engineering, such as phishing and spear phishing
- Exploitation of zero-day vulnerabilities in software or hardware
- Password spraying/brute force attacks
- Distributed Denial of Service (DDoS) attacks
- Malicious software, particularly ransomware
Build a Culture of Cybersecurity
Incorporate Zero Trust Network Access
Address Internal Skills Shortages
Conduct Regular Drills
Practice Basic Cyber Hygiene
As much as the media loves to focus on cyberespionage and dangerously skilled black hats, most cyberattacks are not particularly complicated or sophisticated. They target known vulnerabilities and security shortcomings. An organization can defeat most of these attempts with just a few basic measures.
- Cybersecurity awareness training with a particular focus on preventing social engineering attacks such as spear phishing
- Enforced multifactor authentication
- Least-privilege access rules
- Deploy a password manager to employees and enforce strong, complex passwords
- Install security patches and updates as soon as they release
- Implement sandboxing or a similar measure for remote connections