What is the largest risk to critical infrastructure in 2023?
Editor Introduction
Some systems and assets are so vital that their incapacity or destruction would have a debilitating impact on security, economic security, public health or safety, or any combination of those factors. This so-called critical infrastructure has historically faced many complex threats. In 2023, we can add growing concerns about cybersecurity to the mix. We asked this week’s Expert Panel Roundtable: What is the largest risk to critical infrastructure in 2023? How can we address it?
Decision-makers are preparing for physical attacks on critical infrastructure in 2023, as indicated by the 100-plus attacks on power stations reported in 2022. Multiple layers of effective intrusion protection must be put in place on-site to secure perimeters inside and out, along with critical core facilities and assets. To accomplish this, various automated and connected surveillance solutions can be integrated to go beyond just detecting intruders by also classifying, verifying, identifying, tracking, and deterring them, keeping sites free from intrusion, theft, and sabotage. Sophisticated network cameras today have powerful processing capabilities and can act as sensors to gather rich metadata and act as servers on the edge to communicate, control, and trigger other devices on the network. Switching the focus from ‘cameras’ to ‘edge devices acting as powerful, real-time sensors’ is the first step to building an optimised protection system for critical infrastructure this year and beyond.
Cybersecurity threats absolutely continue to remain a top concern. Unfortunately, cybersecurity is not a one-and-done investment; it’s an ongoing commitment and the best way to address it is to follow industry best practices with constant vigilance. Part of it is changing the mindset of some of these stakeholders and making them understand this isn’t something you invest in once and leave alone. A lot of vendors in this industry, including ourselves, put out cybersecurity-hardening guides, but putting those into practice takes work on the part of the integrator and especially the end user, as a lot of this comes down to how the system is configured, installed and secured. Leveraging the as-a-service elements of cloud can be a step in the direction of taking some of the burden away from the integrator and the end user.
Critical Infrastructure is a prime target for cyber-criminals, nation-state hackers and hacktivists because hacking is a cheap and low-risk way for them to make a big impact or receive a big payout. Consider the Colonial pipeline ransomware attack in 2021: The Nation’s largest oil pipeline was turned off causing gas shortages, a rise in fuel prices, and panic at the pump for many Americans. Similar attacks have been levied against other energy companies, food supply lines, nuclear facilities, water plants, and public transportation. To better protect themselves, these organisations need to follow the best practices listed by NIST; segment their networks, implement strong network security protections like properly configured firewalls, embrace the Zero Trust architecture, enforce Multi-Factor Authentication, encrypt data at rest and in transit, and invest in training their employees. The DHS CISA branch offers free penetration testing to anyone classified as critical infrastructure and has a ton of great resources online.
Without a doubt the biggest risk to critical infrastructure this year is from cyberattacks. Unfortunately, this method of attack is increasingly being adopted by criminals and even nation-states looking to gain an advantage alongside physical security incursions. The one downside of increased IT and security systems integration is that cyberattacks are more likely; however, there is much that can be done to level the playing field. Physical security systems such as CCTV/surveillance and access control are being hardened to attack along with the overall IT and facilities management systems. We have seen a big increase in the use of powerful encryption of physical security systems to tighten protection against these kinds of threats. The price of embracing the IoT and including multiple systems in the same network is greater vigilance, but the overall benefits make this a very worthy trade off.
The lack of observable controls or the absence of controls in critical infrastructure poses a significant risk for 2023. This is particularly pronounced in target-rich environments that have significant funding or staffing limitations, such as K-12 schools, hospitals, and public utilities. These infrastructure segments systemically do not have adequate budget to deploy modern information security controls, staffing to configure and maintain those controls, and appropriate staffing or automation to measure the effectiveness of those controls. This can be addressed through a gap analysis to determine which critical controls are missing or ineffective when compared to a reputable list such as CISA’s Cybersecurity Performance Goals, dedicating resources (staff and budget) to close those gaps, and then establishing an automated compliance operations process to continuously verify that the control is effectively mitigating risks.
One of the most significant risks to critical infrastructure is the potential lack of communication and collaboration between cyber and physical security teams that could allow threats like data breaches, natural disasters, and supply chain disruptions to wreak havoc. As the threat landscape expands and critical infrastructure continues to be a target for threat actors, silos between cyber and physical teams can result in a delayed response to threats. These separate teams need to have regular, collaborative discussions across departments to address this issue. These joint sessions may identify areas of similar concern, best practices, and methods each team uses to mitigate potential risks. This will lead to developing a holistic risk picture and implementing streamlined processes with common operating information that will provide a singular language, ensuring an effective response to threats. Working to create an environment promotes information sharing and common protocols.
Editor Summary
Critical infrastructure is a primary target for cybersecurity attacks. In addition, there is a complex variety of physical security vulnerabilities that must be addressed. As one of our Expert Panelists points out, it is unwise to take a ‘one-and-done’ approach to securing critical infrastructure; rather, security involves many stakeholders working together continuously. Communication and collaboration are required between cyber and physical security teams to address the varied threats.
- Related companies
- Axis Communications
- TDSi
- Salient Systems
- i-PRO
- Ontic Technologies
- Hyperproof
- Related links
- Axis Communications Access control software
- Axis Communications CCTV software
- Salient Systems CCTV software
- TDSi CCTV software
- TDSi Access control software
- Biometric Access control software
- ANPR Software CCTV software
- Detection Software CCTV software
- Proximity Access control software
- IP Surveillance Software CCTV software
- Central Monitoring Option Access control software
- Management Software CCTV software
- Smart Card Access control software
- Recording Software CCTV software
- Surveillance Software CCTV software
- Door Monitoring Option Access control software
- High Level Interface Access control software
- Keypad Commands/Intrusion Zones Access control software
- Management Systems Upgrade Access control software
- Redundant System Software Access control software
- Serial Interface Option Access control software
- Server software for MSDE Access control software
- User tool for control panel Access control software
- Related categories
- CCTV software
- Access control software
- View all news from
- Axis Communications
- TDSi
- Salient Systems
- i-PRO
- Ontic Technologies
- Hyperproof
Expert commentary
- When choosing an access solution, make total cost of ownership a key part of the calculation
- How Californian cities are improving surveillance and security - key developments from 2022 to 2024
- Healing through innovation: Securing healthcare in the cloud
- Unlocking new potential in video security through AI
Security beat
Security bytes
- Getting to know Dan Grimm, VP and General Manager of Computer Vision at RealNetworks
- Big wins and the importance of showing up: Insights from SourceSecurity.com editor Larry Anderson
- Setting goals, business travels and radioactivity: Success secrets from Tiandy's John van den Elzen
- Getting to know Jeff Burgess, President/CEO at BCDVideo
Palm vein recognition
DownloadThe key to unlocking K12 school safety grants
DownloadSelecting the right network video recorder (NVR) for any vertical market
DownloadPhysical access control
DownloadCybersecurity for enterprise: The essential guide to protecting your business
DownloadASSA ABLOY Aperio Wireless Locks
Hikvision EasyIP 4.0 Plus Network Cameras with ColorVu 3.0 Technology
Milesight 4G Solar-Powered AI-Driven ANPR Camera Kit