CYBERSECURITY A-Z
What is Critical Infrastructure?
Critical infrastructure (CI) encompasses all assets, systems, and networks—both physical and virtual—that are vital to the proper functioning of a society’s economy, national public health or safety, security, or any combination of these factors. This broad definition includes various sectors crucial for sustaining a nation’s well-being, security and operational resilience.
Examples of CI sectors may include:
- Food and agriculture
- Transportation systems (e.g., roads, railways, highways, airports)
- Internet and mobile networks
CI is essential for meeting basic living needs. While it shares similarities across nations, the specific infrastructure considered CI can vary based on a nation’s unique needs, resources, and level of development. In the United States, much of this physical and digital infrastructure is owned and operated by the private sector, although some is owned by Federal, state, or local governments.
Attackers target CI to disrupt services, for financial gain through ransomware, or to pre-position themselves within CI networks and systems for future operational attacks. Most often, attacks occur for political or economic reasons, with attackers aiming to force change by causing operational interruption or damage, compromising safety, and/or inflicting financial losses.
The first known power outage caused by a malicious attack occurred in December 2015, when attackers hit three utility companies in Ukraine with the BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours.
In January 2024, a pro-Russia hacktivist group remotely accessed industrial control systems via control interfaces at two Texas water facilities and tampered with their water pumps and alarms, causing water to run past designated shutoff levels and overfill storage tanks.
What Are Critical Infrastructure Sectors?
In the US, CI is divided into 16 sectors, each essential to the nation’s functioning. Guidance for the definition and management of these sectors comes from Presidential Policy Directive 21 (PPD-21), with risk coordination overseen by the U.S. Department of Homeland Security (DHS) through the Cybersecurity & Infrastructure Security Agency (CISA). The 16 sectors, per CISA, are:
Energy
The Energy sector protects a multifaceted web of electricity, oil, and natural gas resources and assets to maintain steady energy supplies and ensure the overall health of the nation.
Water and Wastewater Systems
This sector includes approximately 152,000 public drinking water systems and more than 16,000 treatment systems.
Transportation Systems
This sector consists of seven key subsectors, or modes: Aviation; Highway and Motor Carrier; Maritime Transport; Mass Transit and Passenger Rail; Freight Rail; Pipeline Systems; and Postal and Shipping.
Food and Agriculture
The Food and Agriculture Sector of the U.S. is almost entirely privately owned and composed of an estimated 1.9 million farms, over 700,000 restaurants, and more than 220,000 registered facilities in food manufacturing, processing, and storage.
Healthcare and Public Health
This Sector protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters. The vast majority of the sector’s assets are privately owned and operated.
Emergency Services
The Emergency Services Sector (ESS) maintains public safety and security, performs lifesaving operations, protects property and the environment, and assists communities impacted by disasters.
Chemical
The Chemical Sector, an integral component of the U.S. economy, manufactures, stores, uses, and transports potentially dangerous chemicals on which other CI sectors rely.
Commercial Facilities
The Commercial Facilities sector protects a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging.
Critical Manufacturing
The Critical Manufacturing sector includes four major sub-sectors of manufacturing:
- Primary Metals Manufacturing
- Machinery Manufacturing
- Electrical Equipment, Appliance, and Component Manufacturing
- Transportation Equipment Manufacturing
Dams
The Dams Sector delivers critical water retention and control services in the U.S., including hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation.
Defense Industrial Base
The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Financial Services
This sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions.
Government Services and Facilities
The Government Services and Facilities Sector includes a wide variety of buildings, located in the United States and overseas, that are owned or leased by federal, state, local, and tribal governments. Many government facilities are open to the public for business activities, commercial transactions, or recreational activities while others that are not open to the public contain highly sensitive information, materials, processes, and equipment.
Information Technology (IT)
The IT Sector produces and provides hardware, software, and IT systems and services, and—in collaboration with the Communications Sector—the Internet.
Communications
The private sector is primarily responsible for protecting the Communications sector infrastructure and assets. CISA helps the sector predict, anticipate, and respond to sector outages.
Nuclear Reactors, Materials, and Waste
The Nuclear Reactors, Materials, and Waste Sector covers most aspects of U.S. civilian nuclear infrastructure. These range widely, from the power reactors that provide electricity to millions of Americans to the medical isotopes used to treat cancer patients.
In Europe, CI sectors are defined by the European Programme for Critical Infrastructure Protection (EPCIP), aligning with EU COM(2006) 786. In the United Kingdom, policy and preparedness for CI are monitored by the National Protective Security Authority (NPSA).
While assets and regulatory landscapes may vary, there is a broad consensus among members of the Organisation for Economic Co-operation and Development (OECD) on common CI sectors, policies, and loose frameworks. This agreement highlights the shared recognition of the importance of safeguarding CI despite the diverse assets and evolving regulatory requirements across different countries.
Understanding the Role of Compliance in Critical Infrastructure
Compliance plays a crucial role: governments and regulatory bodies have intervened to establish guidelines and mandates aimed at ensuring best security practices and CI resilience. Several existing and proposed regulations from the EU and the U.S. have global implications for CI security and operational resilience.
The EU directives are the EU-NIS (European Union Network and Information Systems) Directive and its successor, EU-NIS2. The U.S. directives are DFARS (Defense Federal Acquisition Regulation Supplement) and NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection). Summaries of these four directives, together with related U.S. legislation, follow.
Important EU CI Directives
- EU-NIS Directive: The EU-NIS Directive, proposed in 2013 and enacted in August 2016, focuses on achieving a high common level of security for CI across European Union member states. It sets goals to improve national security capabilities, enhance cooperation between member states, and mandate that operators of essential services (OES) and digital service providers (DSPs) adopt appropriate security measures. Entities such as providers of electricity, transport, water, energy, healthcare, and digital infrastructure services fall under its scope. Noncompliance can result in substantial fines.
- EU-NIS2 Directive: The EU introduced the EU-NIS2 Directive in 2022, put it into effect in 2023, and made it law in 2024. As Europe’s most comprehensive security directive, NIS2 continues and expands NIS “to build upon and rectify the deficiencies of the original NIS directive.”[3] Specifically, NIS2 expands on NIS in three major ways:
  - More affected sectors: NIS2 expands the number of covered sectors from 7 to 15.
  - Stricter requirements: NIS2 dramatically increases the requirements for enforcing security.
  - Worse repercussions: NIS2 noncompliance can lead to heavy fines and legal ramifications for management teams.
Important U.S. Critical Infrastructure Directives, Laws and Proposed Legislation
- NERC CIP: In the United States, CI industries are subject to industry self-regulation or government regulations specific to each sector. NERC CIP, focused on security, stands out with more than 100 standards and requirements for safeguarding CI assets in the nation’s bulk electric system. Noncompliance with NERC CIP standards can incur significant penalties, with fines of up to $1 million per day per violation. System availability takes precedence, influencing the choice of protection technologies and techniques used in CI.
- DFARS: The Department of Defense (DoD) emphasizes the protection of federal infrastructure by requiring all contractors that process, store, or transmit Controlled Unclassified Information (CUI) to adhere to DFARS minimum security standards. NIST SP 800-171 provides the framework that companies doing business with the DoD follow to safeguard CUI. Compliance is crucial for maintaining DoD contracts, which represent a significant portion of many companies’ annual revenue.
- The Health Infrastructure Security and Accountability Act (HISAA): This proposed act would amend the Health Insurance Portability and Accountability Act requirements and direct the Department of Health and Human Services (HHS) to build new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates” with a special focus on operations important to national security.[4] The bill, together with the formation of the Joint Councils Leadership Coordination Working Group, underscores the U.S. Government’s concerns about the security of U.S. infrastructure in the wake of multiple recent attacks on it. If passed, HISAA would direct HHS to create new minimum security standards for the sector and to conduct yearly audits of the sector entities that fall under HISAA rules.
- Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): This U.S. federal law was signed in March 2022 and requires all critical infrastructure entities to report cybersecurity and ransomware incidents to CISA within 72 hours. It was born out of persistent attacks on CI in the U.S. and Russia’s war on Ukraine, which also targeted CI. Forescout Research – Vedere Labs reported closely on those attacks, including the wide variety of threat actors and actions involved, and monitored later attacks on the energy sectors in Ukraine and Denmark. CISA published the Notice of Proposed Rulemaking for CIRCIA in the Federal Register in April 2024.
What Are the Challenges to Critical Infrastructure Security?
The challenges to CI security have escalated with the rise of digital transformation, creating a more interconnected world where attacks pose significant threats to national security and operational resilience. For example, major attacks on specific CI, such as the water supply or power transmission, can rattle business activity and adversely affect the health of citizens. In 2021, the ransomware attack on Colonial Pipeline shook much of the eastern United States. CISA describes how the attack “captured headlines around the world with pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school.”
The interconnectivity within networks, spanning governments and trusted third-party vendors, exposes CI to potentially devastating attacks. These sophisticated attacks not only put these systems at risk but also can facilitate espionage, intellectual property extraction, and compromise networks for future exploits.
Despite the crucial need to protect CI, businesses face several challenges in implementing security for CI.
- Complexity: CI systems are often complex and interconnected, making them vulnerable to sophisticated threats. Their interconnectedness leads to a large attack surface, enabling a breach to spread quickly across multiple areas. With many of the interconnected systems having legacy parts from different vendors, IT finds them difficult to manage and secure. The complexity also hinders an organization from responding to an attack or breach in a coordinated way, leaving some areas more exposed than others.
- Legacy Systems: Many CI sectors still rely on outdated technologies that lack robust security features (e.g., real-time monitoring and advanced threat detection). The incompatibility between newer technologies and legacy systems limits visibility across the broad attack surface, leaving threat detection and response incomplete. Moreover, even basic tasks like patching are difficult on many legacy systems, because their developers never envisioned the need to do so.
- Regulatory Compliance: Different sectors of CI may be subject to multiple regulations. Sometimes these regulations overlap and sometimes they conflict with one another, forcing additional complexity onto IT and security teams. The compliance burden will only continue to grow as regulations expand; NIS2, for example, adds eight industry sectors beyond those covered by the original NIS directive.
- Resource Constraints: Limited budgets, a lack of highly skilled security personnel, the need for new technology spending, and time constraints can make implementing comprehensive security seem nearly impossible, especially given the continuous rapid advances in the threat landscape. When legacy systems are part of the CI mix, IT and security teams often must dedicate significant resources to developing interfaces between them and newer systems. But attackers will not wait, leaving ill-equipped organizations to fall further and further behind evolving threats.
Choosing the Right Critical Infrastructure Security Vendor
When selecting a CI cybersecurity vendor, it’s essential to consider attributes that align with the unique challenges and operational requirements of these environments. Here are key factors to look for in a security solution for CI:
- Non-Disruptive Asset Discovery: Prioritize solutions that perform non-disruptive asset discovery, as CI operates 24/7. Active techniques with the potential to take equipment offline should be avoided. Passive techniques for asset discovery and classification enable the building of an accurate, foundational inventory of asset intelligence.
- Agentless, Vendor-Agnostic Operations: Opt for solutions that operate without agents and are vendor-agnostic. CI environments often have a mix of equipment from different vendors with varying levels of IT functionality. A solution that works across all device types and vendors, even those not relying on the 802.1X protocol, is crucial for flexibility and cost-effectiveness.
- Focus on IT Layers and Continuous Monitoring: Look for solutions that focus on IT layers where most security risks occur in CI. Continuous monitoring is essential to provide real-time device intelligence and status updates. An effective solution detects anomalous activities and takes appropriate action based on predefined security policies.
- Risk-Mitigating Controls and Compliance on Demand: The chosen solution should identify and classify devices upon network connection, ensuring compliance with security policies without interrupting devices. This approach follows best practices for securing network devices while maintaining the availability of critical systems.
- Integration and Orchestration Capabilities: Prioritize solutions that can be integrated and orchestrated with other security vendors’ solutions. In heterogeneous environments with multiple security products, coordination and interoperability are crucial for organization-wide security responses. A vendor with a broad partner network enables accelerated response, operational efficiencies, and superior security.
- Scalability to Millions of Assets, Devices, and Sensors: Considering the expanding number of IoT and OT devices in critical infrastructure, choose a solution that can scale to millions of devices in a single deployment. Scalability ensures that the solution can effectively handle the growth of devices without compromising performance.
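To make the passive, agentless discovery and continuous policy monitoring described above concrete, here is an added example (not Forescout's code or any product's logic) that derives an asset inventory purely from observed flow records and runs two predefined-policy checks over it. The flow records, the plant address range, the OUI-to-vendor table and the protocol port map are all constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

PLANT_NET = ipaddress.ip_network("10.10.0.0/16")  # constructed plant address range

# Constructed flow records, as a passive sensor on a SPAN port or tap would summarise
# them: (src_mac, src_ip, dst_ip, dst_port). Made-up values, not from any real network.
OBSERVED_FLOWS = [
    ("00:80:f4:10:aa:01", "10.10.1.11", "10.10.1.50", 502),    # HMI polling a PLC over Modbus/TCP
    ("00:80:f4:10:aa:01", "10.10.1.11", "10.10.1.51", 502),    # a second PLC, never seen as a source
    ("00:0c:29:3b:7c:02", "10.10.1.50", "203.0.113.9", 443),   # first PLC reaching outside the plant
    ("b8:27:eb:55:66:77", "10.10.2.20", "10.10.1.50", 502),    # unrecognised device also polling the PLC
    ("00:1a:2b:3c:4d:5e", "10.10.3.5", "10.10.1.11", 22),      # engineering workstation SSH to the HMI
]

# Hypothetical OUI -> vendor table; a real deployment would load the IEEE OUI registry.
OUI_VENDORS = {"00:80:f4": "ExampleHMI", "00:0c:29": "ExamplePLC", "00:1a:2b": "ExampleWS"}
OT_PROTOCOLS = {502: "modbus", 20000: "dnp3"}
IT_PROTOCOLS = {22: "ssh", 443: "https"}
OT_NAMES = set(OT_PROTOCOLS.values())

@dataclass
class Asset:
    ip: str
    mac: str | None = None          # stays None for devices only ever seen as a destination
    vendor: str = "unknown"
    speaks: set = field(default_factory=set)          # protocols used as a client
    serves: set = field(default_factory=set)          # protocols answered as a server
    external_peers: set = field(default_factory=set)  # destinations outside PLANT_NET

    @property
    def role(self) -> str:
        if self.serves & OT_NAMES:
            return "ot-controller"
        if self.speaks & OT_NAMES:
            return "ot-client"
        return "it-host"

def build_inventory(flows) -> dict[str, Asset]:
    """Derive the inventory from observed traffic only; nothing is ever sent to a device."""
    inv: dict[str, Asset] = {}
    for mac, src, dst, port in flows:
        proto = OT_PROTOCOLS.get(port) or IT_PROTOCOLS.get(port) or f"tcp/{port}"
        asset = inv.setdefault(src, Asset(ip=src))
        asset.mac = mac
        asset.vendor = OUI_VENDORS.get(mac[:8].lower(), "unknown")
        if ipaddress.ip_address(dst) in PLANT_NET:
            asset.speaks.add(proto)
            inv.setdefault(dst, Asset(ip=dst)).serves.add(proto)  # register silent destinations too
        else:
            asset.external_peers.add(dst)
    return inv

def policy_findings(inv: dict[str, Asset]) -> list[tuple[str, str]]:
    """Predefined-policy checks that need no device interaction; returns (ip, finding) pairs."""
    findings = []
    for a in inv.values():
        if a.role == "ot-controller" and a.external_peers:
            findings.append((a.ip, "OT controller communicates outside the plant network"))
        if a.vendor == "unknown" and a.speaks & OT_NAMES:
            findings.append((a.ip, "unrecognised device speaking an OT protocol"))
    return sorted(findings)
```

Note that the second PLC (10.10.1.51) enters the inventory with no MAC or vendor because it was only ever observed as a destination; a passive approach can still classify it as an OT controller from the Modbus traffic it answers.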
By focusing on these considerations, organizations can select a security vendor that aligns with the specific needs and challenges of CI, providing robust protection while maintaining essential operations.
How Forescout Can Help Secure Critical Infrastructure
Few security technology solution providers understand CI and operational technology the way Forescout does. We have many government and CI customers, including the U.S. Department of Defense and other U.S. Federal agencies, as well as other CI organizations globally. They trust our technology to monitor CI and the OT/IoT devices that access CI, detect threats to operations, and assess the risks of the most remote and critical sites.
As a primary technology in major Federal programs, such as Continuous Diagnostics and Mitigation (CDM) and Comply to Connect, Forescout helps government IT, OT and security professionals protect data, secure access to government resources, manage risks, and demonstrate compliance for Federal agencies and other public-sector entities. We provide a multi-layered defense capability to help CI organizations better manage risk and reduce potential harm.
Dedicated to fortifying critical infrastructure security, Forescout offers continuous, real-time asset intelligence and visibility within Industrial Control and Operational Technology Systems. It seamlessly generates detailed network maps, organizing devices by roles or networks. An innovative risk management framework prioritizes strategies that proactively identify vulnerabilities in Operational Technology devices and protocols.
This proactive solution actively monitors network communications, swiftly identifying threats through a security risk scoring system. Leveraging deep packet inspection and continuous policy monitoring, it maintains a vigilant stance against evolving threats. Ensuring compliance with the NIST Cybersecurity Framework, it elevates maturity levels across key functions, encompassing asset identification to rapid response.
In capturing comprehensive device details, including network addresses and vendor information, our solutions foster well-informed decision-making. Automatic assessments of vulnerabilities, threat exposure, and operational issues empower proactive risk management. Operational risk scores and an Industrial Threat Library rapidly pinpoint assets needing attention, establishing a robust defense against threats and operational attacks in critical infrastructure environments.
Fortify your critical infrastructure and stay ahead of new risks and regulations. Schedule a personalized demo today.
[1] Allianz, “Cyber attacks on critical infrastructure,” June 2016. Accessed December 17, 2024. https://commercial.allianz.com/news-and-insights/expert-risk-articles/cyber-attacks-on-critical-infrastructure.html
[2] Office of the Director of National Intelligence, “Recent Cyber Attacks on US Infrastructure Underscore Vulnerability of Critical US Systems, November 2023–April 2024.” dni.gov
[3] The NIS2 Directive, “What is NIS2?” Accessed December 18, 2024. https://nis2directive.eu/what-is-nis2/#:~:text=Introduced%20in%202020%2C%20and%20recently,previous%20EU%20cybersecurity%20directive%2C%20NIS
[4] David DiMolfetta, Nextgov/FCW, “New bill seeks to mandate healthcare cybersecurity standard,” September 26, 2024. Accessed December 18, 2024. https://www.nextgov.com/cybersecurity/2024/09/new-bill-seeks-mandate-healthcare-cybersecurity-standards/399864/