Is our critical infrastructure secure? In a word, no. Consider this statistic: 99%. That is the percentage of U.S. critical organizations that say they have security challenges. Personally, I want to know who that other 1% is and have a conversation with them, but we generally see that this is a sweeping trend affecting every organization. From utilities, to railways, to hospitals, our critical infrastructure needs to be secured.
What Is Critical Infrastructure?
Before we take a closer look at the state of cybersecurity and our critical infrastructure here in the United States, let’s start by defining critical infrastructure. Often, we think of it as roads, bridges, and tunnels, which are in fact one key component. But there are actually 16 critical infrastructure sectors whose assets, systems, and networks are considered vital to the United States, according to CISA (the Cybersecurity and Infrastructure Security Agency).
These are the 16 critical infrastructure sectors in the United States:
- Chemical
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government services and facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater
Each of these plays an important role in keeping the country humming along and, thus, a cyberattack would have a debilitating impact on the economy and public health and safety. Therefore, it is important to consider the threats, and the methods needed to strengthen and maintain secure and resilient critical infrastructure.
What Is the Risk?
To really grasp the state of the market, look at a recent report. Bridewell recently unveiled research that surveyed 519 employees responsible for cybersecurity at U.S. critical infrastructure organizations.
Here is what it found. Roughly 62% of critical infrastructure organizations across the federal government, civil aviation, energy, transportation (rail and road combined), and finance sectors have experienced a ransomware attack in the past 12 months. The most serious consequences are data theft and loss. Financial services organizations were most significantly affected.
Ransomware attacks have a big impact on critical infrastructure sectors. For instance, in aviation, downtime from an attack could cause major disruption to flights, while in financial services, failure to act could leave organizations falling short of strict compliance rules.
Looking beyond ransomware, we also are seeing growing phishing and malware attacks. On average, the five sectors faced 14 phishing attacks in the last year, along with 11 malware attacks.
Unfortunately, industries are slow to respond to cyber incidents. This particular research shows the responses to phishing attacks can take anywhere from 7.3 hours among federal government organizations to 15.94 hours among financial services entities.
Federal government organizations also have faster responses to terrorist threats (8.2 hours) than the other four sectors. In financial services, by contrast, responding to terrorism threats takes 14.89 hours, while in the civil aviation sector it takes 11.34 hours.
As of this writing, I think there is still a lot of scuttlebutt and noise surrounding the data breach in which the Social Security and personal data of some 2.9 billion people in the United States were stolen. This is more than just a little troublesome.
What Is the Solution?
Much needs to happen to secure our critical infrastructure. We need to align people, process, and technology to ensure our organizations are responding to threats quickly.
First off, we are seeing that AI (artificial intelligence) can help. In fact, across the five sectors, 94% of organizations are using at least one AI-driven tool, which could include endpoint protection, automated incident response solutions, and network behavior analysis, just to name a few. On average, 65% of organizations from across the five sectors plan to increase their IT security spend compared to last year.
And yet, we also know we need the people to understand these threats. We know training will be critical to ensure the response time is swift and that the decisions made ultimately protect the customers, workers, the organization, and the critical infrastructure itself.
All of this can only be done with effective processes and policies. We need organizations to sit down and create a plan for how they will respond to cyber threats—because we know it isn’t a matter of if, but rather when these attacks will happen. If everyone is on the same page, response time will be faster, and the amount of damage will be less.
It is time to better understand the risks that exist specifically in your sector. What are these threat actors targeting? What information do they want from you? How can you protect it? And how can you create a program for what you will do when that attack does in fact happen? Let’s prepare today for a more secure tomorrow.