Critical infrastructure is so basic to how we live our daily lives that we don’t even think about it. Yet safeguarding it is essential to our national well-being.
Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The nation's critical infrastructure provides the essential services that underpin American society.
In this blog post, I’ll discuss:
- Our current perimeter defense;
- The need to shift to a data-centric security approach; and,
- The need to educate the public to strengthen our critical infrastructure security posture.
Much of today’s cybersecurity focuses on maintaining a perimeter defense, that is, not letting malicious actors into the security boundary. The premise is solid, but unfortunately there are many ways to penetrate a perimeter defense. Some of these include:
- Advanced persistent threats (APTs);
- Insider threats;
- Social engineering; and,
- Human error.
If we focus primarily on perimeter defense, we will continue to see data breaches and exposure of our critical infrastructure. This problem is magnified by the adoption of newer technologies, such as cloud, big data, internet of things (IoT), software containers and other transformative technologies that make defining a perimeter much more difficult. Perimeter defense, while necessary, is not enough to protect our sensitive data.
If perimeter defense is not enough, how do we protect our critical infrastructure?
The Report to the President on Federal IT Modernization recommends we shift our cyber defense to a data security focus:
“Rather than treating Federal networks as trusted entities to be defended at the perimeter, agencies should shift their focus to placing protections closer to data, specifically through improved management and authentication of devices and user access, as well as through encryption of data – both at rest and in transit. This approach curtails an attacker’s likelihood of gaining access to valuable data solely by accessing the network, and it has the potential to better block and isolate malicious activity. As agencies prioritize their modernization efforts, they should implement the capabilities that underpin this model to their high value assets first.”
This method of placing protections closer to the data secures sensitive information and critical infrastructure against perimeter breaches and insider threats.
Continuous Diagnostics and Mitigation (CDM)
Because this data-centric approach to cybersecurity is so effective, Congress established the CDM program to provide a strong, consistent cyber defense to protect more than 70 civilian agency networks. CDM will provide these agencies with tools that:
- Identify cybersecurity risks on an ongoing basis;
- Prioritize these risks based upon potential impacts; and,
- Enable cybersecurity personnel to mitigate the most significant problems first.
The Vormetric Data Security Platform
A significant portion of the CDM effort highlights the requirements for a data-centric approach for cyber protection. The Thales Vormetric Data Security Platform offers comprehensive solutions that help government agencies address these requirements as highlighted in the Thales whitepaper Addressing Continuous Diagnostics and Mitigation Requirements.
With the Vormetric Data Security Platform, agencies can establish strong safeguards around sensitive data. The Vormetric solution offers the controls required to ensure only authorized users can gain access to sensitive data at rest. It can secure unstructured data, including documents, spreadsheets, images, web pages and more. The solution can also secure structured data, such as fields in databases and applications that contain personally identifiable information, protected health information, mission data and other sensitive records no matter where they reside.
The final step to safeguarding our nation’s critical infrastructure is to educate the workforce across the nation that operates and maintains this infrastructure about the importance of good cyber hygiene. It is imperative to maintain a continued campaign to help our people understand their role in protecting both physical and digital environments by outlining a strong physical and cyber risk management plan. Some simple but effective security education includes:
- Questioning unrecognized people in the workplace and not allowing unidentified personnel in without proper authorization;
- Removing smartcards or locking computers when not using the system;
- Not clicking on links in emails that are out of the ordinary, and training staff to recognize what suspicious emails look like; and,
- Reporting suspicious activity, whether physical or digital.
The custodians of our critical infrastructure need to understand that their individual actions play a significant part in the larger security posture of the nation as well as in their personal and professional lives. This starts with the basic premise that security comes first and that a “trust but verify” mentality needs to accompany every action. It is everyone’s responsibility to make sure that they treat security as a priority in their day-to-day lives.
Going Forward: Perimeter + Data Centric Security
There is no silver bullet to protect our Nation’s critical infrastructure, but following the guidelines above should significantly help. It is clear that perimeter defense is still necessary, but it is not enough. A data-centric approach will significantly reduce the threat landscape moving forward and strengthen our Nation’s security overall.