Critical Infrastructure

CRITICAL INFRASTRUCTURE

Exploring New Networking and Cybersecurity Strategies

This page is based on the article published December 2023. Click here. This page will continue to be developed to include new choices as they mature.

The definitions of Critical Infrastructures covered by the U.S. Government’s Cybersecurity Infrastructure and Security Agency (CISA), reveal the mind-bending breadth of its scope. What distinguishes the categories defined is the impact on wide areas of the population or on specific communities, “… should any of these infrastructures be incapacitated or destroyed.”

This page examines how evolving and related networking, security and business models create challenges and decisions for specific critical infrastructures. Instead of attempting to boil this ocean we address three important areas common to implementors and operators. They are:

- Network ecosystem evolution – Network as a Service
- Operational network business and security
- Security – the basics that are still constantly ignored leading to high profile incidents

The Context: Distinguishing Critical Infrastructures

Looking at CISA’s list below, you will see why it‘s beyond this page’s scope to go into detail of any of the 16 sectors or 70+ interrelated sub- sectors served more than 80% by non-government organizations. These are covered in detail on the CISA site.

We have split the list into two groups. The first being where the effect is immediate and rapid response is most critical. The second group has less immediate impact but is also critical.

All are costly undertakings but what distinguishes the first group is that disablement is so much more impactful than even business cost. Making such infrastructures resilient to incapacitation encompasses architectural choices, holistic approaches, threat avoidance, prevention, and automated recovery. Some areas such as “smart cities” pharma companies are not covered but are also critical. The Dallas municipality cyberattack impacting the whole community comes to mind. Those relying on IoT/IIoT devices requiring phys- ical device security are especially vulnerable and open to human error.

Caution is required when looking at approaches based on thinking that predates Cloud proliferation, modern IoT systems, distributed workforces, connected sup- ply chains, current network infrastructures, COVID-19 and state-sponsored cyberattack.

CISA-Defined Sectors	Sub-Sectors Where Very Fast Response Is Required to Protect Life Include
Communications	Undersea, satellite & terrestrial, dedicated & Internet networks. 5G, fiber, microwave & copper, access networks, Wi-Fi
Dams	Management, water retention, control, and energy conversion systems, etc.
Defense	Location infrastructure systems, communications systems
Emergency services	Law enforcement, fire, rescue, emergency medical services
Energy	Electrical generation, grid systems, oil refineries, pipelines, natural gas, wind, solar
Financial services	Financial management, money storage, transfers
Information technology	IT systems, data center, Cloud, edge, applications software, networks
Nuclear sector	Active, test reactors, medical products & waste management
Transportation systems	Aircraft, traffic control, airports, highways & traffic management, road delivery & hazardous material transport; rail passenger, freight networks, stations

CISA-Defined Sectors	Sub-Sectors Where Measured Response Is Required
Chemical	Basic, specialty, agricultural, consumer products
Commercial facilities	Entertainment, lodging, malls, outdoor events
Critical manufacturing	Machinery, electrical & transportation equipment
Food and agriculture	Farming, food distribution, retail stores
Government facilities	Federal, state, local government education, law offices
Healthcare, public health	Hospitals, epidemic prevention & treatment, etc.
Water and wastewater	Capture, purification, storage, distribution of water & wastewater

Reported Recent Threats by Sector	Recently reported Critical Infrastructure events: Q4 2023 More to follow here.
Commercial facilities: Hotels & Casinos	MGM Resorts . Sept/October 2023
Transport: Rail Security	Rolling stock security by Siemens
Transport: Aircraft	Fears of aircraft system penetration
Transport: Rail Security	TSA revises rail cybersecurity
Health Care	McLaren Health Care data breach impacts 2.2 million people
Water	Philadelphia Water Treatment. Internet connected IoT devices attacked by threat actors.
Transport: Shipping	Australian ports hit
Energy: Nuclear sector	Breach of 5700 employee credentials at US Nuclear facilitiy
Telecommunications:	Escalating Global Risk Environment for Submarine Cables

This section will be expanded to highlight and reference Critical Infrastructure threats and developments as they occur.

Critical Decisions:
Business Needs for Network as a Service

Changes driven by focus on their mission-critical applications are required by enterprises. They no longer have the resources or time to build handcrafted, complex networks.

These requirements include:

On-demand, services purchased via portals, consumption- based billing without lock-in.
Seamless access to multi-Cloud workloads and apps located
Agnostic to infrastructure technologies and providers, performance, and security sensitive.
Business aware to cope with M&A, policy shifts and
Integrity of real-time operational networks that serve its

2024 will decide how critical infrastructure organizations will reshape their networks based on how Cloud/Service Providers and Supplier/Integrators respond to these needs.

Enter the new Network as a Service. Services offered will vary to match the capabilities and end user organizational requirements, resources, and capabilities. New forms of Managed Services, Infrastructure as a Service and Platform as a Service will help end users feel secure in delegating to their various partners. It will be essential to always look beyond the marketing jargon to verify that functions offered actually meet your needs without having to pay for service functions that you do not want. This work is being developed within ONUG.net’s NaaS working group.

What will the likely next phase of the network look like?

This shift is shown in Figure 2 but all the providers and integrators will market their own version reflecting their positioning. The important thing is the shift that began with data center centric to Cloud and network ecosystem is beginning its journey to a new Network as a Service model. This will be inherently more secure than the everything-to-everything connectivity with almost unlimited attack surfaces.

Marrying Business and Network Requirements

These changes will shape how applications and networks are architected and managed, shielding enterprises from the implementations. Three important decisions to be addressed are:

Will new architectures meet the business drivers with system integrity and save OpEx cost?
Can this architecture avoid insecure connection to IoT devices via Internet, Cloud-based or other servers beyond the operational networks?
Companies such as Cisco/Splunk, Zscaler, and Verizon will play important roles here, but inspection of the actual functions offered will be important.

Critical Decisions:
Critical Infrastructure Operational Integrity

Some more practical considerations:

As National Transport Safety Board chair Jennifer Homendy said earlier this year of the Ohio rail incident: there is no such thing as accidents and it was 100% preventable. Was this a system and networking failure? Having a trackside generated alarms-only based system not an alert and alarm threshold system with no single point of network failure was a recipe for the disaster that happened. I would hope that after-the-fact other ideas were explored.

Fiber optic networks are expanding, yet the pace of implementation is too slow and the prospect of $60k to $80k per mile fiber installation is daunting. Without commercial viability, critical infrastructure systems cannot function, no matter how severe the impact of their incapacitation.

To address both concerns, adoption of the latest hybrid fiber-copper infrastructure in airport, Smart City, and rail network infrastructures is growing. Fiber/copper can now transmit at fiber speeds, can be instantaneously available as copper is often already in place, provide failover with fiber installations, and provide power for remote monitoring devices. This was addressed in the context of expanding broadband network reach with Actelis in the ISE Magazine article published a year ago. This important trend is of great benefit throughout critical infrastructures.

Cybersecurity Evolution

The migration to Cloud and hybrid models is a two-edge sword, creating new attack surfaces and Internet connectivity. The days of defending the data center as the principal concern of cybersecurity are long gone. Applying the Zero Trust principles of “Never Trust, Always Verify” in the network, for software suppliers and in the organization is a necessity. Thanks to CISA and the SEC, this has become a corporate imperative.

Physical or virtual separation between Information and Operation Technology networks is a big step in the development and protection of your critical infrastructure.
Last but not least, Network as a Service has the potential to reduce the attack surface by harmonizing identity management and authentication. Importantly, it will also lessen the expertise and security work and cost for enterprises—a big advantage. However, it will never remove their overall responsibility to properly delegate to suppliers.

Critical Decisions:
Cybersecurity Best Practices

Almost every breach or ransomware attack can be traced back
to lack of board oversight, accountability, and lack of understanding
of holistic cybersecurity. That applies to security
software companies too! In fact, if IT-based defense is the only
defense, it ends in tears. The recent high profile MGM Resorts
incident likely had multiple weak links but began with lack of
board imperative and expertise and yes, hotels and casinos are
in the Commercial Facilities category

Basic Critical Actions to Reduce Risk

Ensure that all these are covered, strengthening weak links, and dramatically reducing risks.
A holistic cybersecurity approach for whole organization, contractors
and beyond. Have the board implement a security policy and step-by-step strategy to strengthen each weak link.
Curate all critical assets and test resilience. Encrypt all data, network configurations and customer info. Test air-gapped backups in case live data is rendered inoperable or re-encrypted.
Employ micro-segmentation to separate and protect data. Automate all software updates.
Access is via multifactor authentication using passkeys rather than usernames/passwords, verified with identity management and with no access from non-company devices.
Insider threat, social engineering strategies, training and least privilege access must be in place.
Installed phishing, malware, elevation of privilege, lateral movement prevention is in place.
Adopt Zero Trust principles of Identity and Authentication, access control, least privilege, automated monitoring including blocking of non-typical user behavior.
Be cybersecurity threat aware, map out avoidance and prevention
tasks, automate everywhere.
Know that all software (especially security software) is not trusted but verified using our Verified Delegation Methodology
Continually assess your security posture, measure progress, take new actions.
Comply with new SEC rules, with clear documentation
demonstrating your security policy is thorough and implemented.
See the “Security as a Service” page for many more details.