What are the security challenges of protecting critical infrastructure?

Since critical infrastructure facilities can be quite large, the challenge of protecting them is complex and often requires multiple and varied solutions. However, protecting the security of these sites goes beyond pure physical security, as was clearly demonstrated by the latest ransomware cyber-attack on the Colonial Pipeline. As the threat landscape continues to evolve, critical infrastructure organisations need a system that can converge both their physical and cyber security plans, to reduce their exposure, protect sensitive information and ensure individuals’ privacy. As the industry becomes increasingly regulated to help protect our critical infrastructure, security team needs to modernise their compliance practices with a security solution that helps them meet regulations and avoid strict penalties and fines, if found out of compliance. With the continued rise in mergers and acquisitions between utilities, security departments also need to merge their strategies with a solution that manages their security operations in one place.

With more advanced attacks being carried out, critical infrastructure faces a number of security challenges. One of the biggest of these risks is present everywhere in life – human error. While physical security offers the highest level of protection in any sector, many high-tech solutions still allow the risk of human error to raise its head. Despite card technology advances with higher levels of encryption, physical cards are still required and can easily be dropped, lost or even stolen. Recently, we have seen the introduction of advanced solutions like cardholder verification, mobile credentials utilising Bluetooth and NFC technology, various biometric identification methods and more. This is only one part of the challenge. With CCTV, technology offers solutions such as analytical and behavioural detection, which not only reduce manpower requirement, but address the age-old challenge of human error. All of these can be deployed to solve the security challenges of critical infrastructure.

It seems so often we hear about a new threat or cyber-attack in the news. Because of the rapid growth in technology over the last few years, cybercriminals are getting bolder and discovering new ways to attack critical infrastructure. One of the biggest challenges boils down to the capabilities of the operating security system and whether the organisation is aware of the current risks they face. Because there are so many points of entry for cybercriminals to target within critical infrastructure, it is vital that the security solution be prepared for attacks at every level. Many older systems are not capable of the depth of data protection required, and unfortunately, any computerised system is ultimately at risk. Using an outdated system that is only reactive or does not utilise the most up-to-date protective procedures places the whole infrastructure at risk. Choosing a trustworthy and reliable security provider is essential.

Critical infrastructure sites traditionally rely on electronic access solutions such as RFID cards, Bluetooth, fingerprints, or unique PIN codes. The best thing about most electronic access systems is that they leave an audit trail. The worst thing about many of these systems is that some can be easily circumvented, when a pass code is shared, or cards or fobs are pilfered. While fingerprints are highly accurate, only face recognition provides dual-purpose capability in that cameras used to capture the face of a person seeking access authorisation can also provide watchlist monitoring functionality and tailgating alerts. As facilities seek to retool their security infrastructure to meet today’s challenges, facial recognition provides a touchless, accurate option that easily integrates with existing solutions, providing a new level of convenience for employees and a layered approach to perimeter security that provides early warning when persons of concern are in the view of surveillance cameras.

I think cyber security is becoming one of the most important factors and most significant challenges for critical infrastructure, because it is important for the normal function of society. There is, of course, the perfect example of these risks in the recent Colonial Pipeline hack, which effectively shut down one of the largest U.S. gas pipelines. The initial fallout was soaring fuel prices, as the pipeline is responsible for the transportation of millions of gallons of fuel per day. Cyber security threats are becoming more and more present and, as a result, a lot of safety and security systems users have become more aware of best practices and toolboxes as methods to improve cyber security. This awareness means users are becoming more educated on potential risks and how to handle them as threats continue to increase.

Our critical infrastructure enables society to function, to get to work, to power our homes, to feed and care for our families. It’s heavily guarded, closely measured and managed to ensure it is safe and secure. Management is complicated, as it spans a large physical area, and includes lots of moving parts, many of which would cause serious harm if something went wrong. It depends on people, doing a physical job to ensure it is always available, without incident. I believe the biggest security challenge is not a lack of planning, policies and procedures, or investment in threat detection. It is the risk of the unexpected, of human error, and the lack of real-time visibility of what is happening right here, right now, on the frontlines. Managing compliance to policies and procedures with logbooks, checklists, and manuals is exposing operations to increased risk of incidents, accidents and disasters.

With today's evolving threat landscape and the increasing complexity of risks, critical infrastructure security, both physical and cyber, is crucial. One difficulty security leaders at critical infrastructure sites face is the inherently dangerous nature of the work and atmosphere. Video surveillance enables stakeholders to oversee daily activities and confirm that both, security is maintained and that safety protocols are followed. Lack of robust infrastructure at sites continually proves challenging for these organisations coupled with increasingly complex compliance requirements. To meet these requirements and demand, organisations are accelerating the deployment of sensors, but these devices also increase the burden in operations centres with ‘noise’. While a remote security-as-a-service offering can also be beneficial for these environments, a holistic look at the programme for ways to reduce the sensor noise is essential. In the interim, managed service operations centres provide the security intelligence that critical infrastructure sites need, made possible by the Cloud.

Threats to critical infrastructure run the gamut: malware attacks, natural disasters, physical breaches of perimeters, terrorist activities and more. The main security challenge is the rise of connectivity and remote operations, long in the making but accelerated by the pandemic which has seen us become increasingly reliant on connected devices. Critical infrastructure has embraced the IoT and opened itself up to more points of potential malicious attacks – physical and cyber. And historically, the bad actors who perpetrate such attacks only become more sophisticated over time, making security innovation critical. Video can help solve these challenges. There is new video technology that can capture and deliver the rich data that propels more accurate awareness and better application of deterrence measures. With video, organisations can minimise or even eliminate false alarms, by establishing more precise regions of interest in 3D space and detecting and classifying threats with better accuracy in all conditions.

The risks surrounding critical infrastructure are myriad, ranging from natural threats like fire, earthquakes and tsunamis, to man-made threats like unrest, tampering, terrorism, and espionage. There are also accidental and technical threats to consider, such as safety systems, hazardous material and power-grid failures. Each risk requires a unique approach. Luckily, technological advances are making it easier for security teams to remain on-top of the many evolving threats. These include 24/7 intelligent video monitoring, access control, thermal detection, artificial intelligence (AI), facial recognition, PPE recognition, behaviour monitoring and automated patrolling. Combining best-in-class technologies to tailor security to each site ensures critical infrastructure remains protected and future-proofed. It can be adapted to multiple areas, different risks, and different needs (like protecting hard-to-reach areas and working remotely). As technology like AI advances, the security technology available will become more sophisticated as the new technologies will keep enhancing the physical security manager's response times.

The protection of critical infrastructure is always a significant challenge. At the core of delivering successful security is the need for the organisation or asset to prioritise risks that are likely to be faced. Once this is established, a range of personnel, cyber, and physical security control measures can be put in place to reduce vulnerability to those risks, and their impact on the subject organisation/asset. Control measure and monitoring systems should be employed to ensure that access to buildings, information, and assets can only be granted to people relevant to their role. Control is very much the operative word here. The challenges are not just protection or hardening/mitigation against physical attack, but more and more these days, the protection of access to business information and control systems from cyber threats - such as the recent Solar Winds Hack.

The rapid gains technology has made in everyday life have changed how the security industry operates. Physical security has moved from being direct inputs and outputs to being always-connected devices. This new direction makes the industry part of the Internet of Things (IoT) world. Of course, this leads to the question: How does physical security protect itself from cyber vulnerabilities? For security leaders, it is critically important to choose equipment from reliable suppliers that have a knowledge and interest in cyber security, and are focused on protecting data and the connected sensors that provide it. When a security system is designed from the ground up to protect against cyber-attacks, the organisation will be in a much better place. We should be open and transparent in exposing and reporting vulnerabilities. Keeping systems updated, changing passwords, providing employee training, safeguarding facilities through firewalls, and following best network maintenance practices can avoid attacks.

Critical infrastructure organisations operate in challenging, fast-moving environments in which opportunities, requirements, and regulations can vary widely, change quickly, and evolve significantly over time. With the rise of the digital revolution and the demand for data to improve insight, stakeholders need to find new ways to capture data, correlate it as needed, and then leverage it to make informed decisions. Software platforms are being used to provide a single pane-of-glass view that allows operators to gain critical insight into operations. By collecting intelligence from digital sensors, such as video surveillance cameras, open-source Web intelligence, building systems, mobile devices, and more, operators can detect potential risks and manage and respond to situations more efficiently. By creating a single enterprise-wide view across disparate systems and technologies, organisations improve response times, lower operational costs, and increase employee safety. The right technology, strategic partnerships, and enhanced situational awareness can implement a proactive approach.

The challenges are considerable, due to the size of the security estate and the multiple integrated technologies. For every second that a critical incident is not managed and closed out, the risk and associated costs increase. The sheer volume of video channels and integrated alarms from systems such as Advanced Analytics, ANPR, PID’s and Intercoms results in a vast amount of data being presented to an operator which can be extremely challenging to manage. In this type of environment, Software User Interface that can direct and instruct the operator will always be quicker than human cognition. Critical security infrastructure has to be relied upon 24/7. System resilience is, therefore, essential and needs to be achieved at every component level, from NVRs to integrations and alarms. Ultimately, to fully support resilience, security systems for critical infrastructure should have no single points of failure and be geographically independent.