Protecting critical infrastructure and associated challenges was a recurring theme during (ISC)² Security Congress 2021 , which took place virtually from Monday to Wednesday this week. It was the subject of various sessions and came up during a keynote session delivered by Chris Krebs , former director of the Cybersecurity and Infrastructure Security Agency (CISA).

Krebs said critical infrastructure needs to be hardened against foreign adversaries that might have an interest in disrupting it at some point. CISA and other agencies are working to come up with standards and practices for infrastructure security. And they are looking for input from the cybersecurity industry.

One of the main challenges with securing critical infrastructure is the move to connect IT and operational technology (OT), which often involves also connecting to Industrial Internet of Things (IIoT) networks and cloud infrastructures. One of the biggest fears is that combining physical and cyber assets through OT/IT convergence creates new risks for OT, which is then subject to the same cyber threats as the other systems.

CISA wants to hear from cybersecurity and IT professionals about the challenges they face in securing all of these systems, Bradford Willke, CISA’s senior advisor for cyber-physical convergence, said during a Tuesday morning session.

Importance of Visibility
Using examples such as the recent ransomware attacks on JBS and the Colonial Pipeline, Willke stressed the importance of visibility into systems that combine physical operations and IT networks. With better visibility, he said, organizations will be able to more quickly identify when an attack is taking place and where. That will help them respond more quickly with actions such as shutting off the parts of the environment under attack.

Another step toward better security, he said, involves the concept of consequence-driven Cyber-informed Engineering (CCE). This approach calls for assessing environments to foretell the impact of cyberattacks so that strong defenses can be put in place.

Willke framed his remarks in the context of cyber-physical systems security, which deals with the protection of physical systems and IoT devices used in connected cars, medical devices and smart grids. IoT systems use networked systems with embedded sensors, processors and actuators that interact with the physical world and support real-time, critical applications.

“We really need to apply good integrated security management,” Willke said. “We need to apply the best of our cyber-physical security controls into our planning and training and exercising. We need to bring them into our operations and sit cyber and physical subject matter experts and practitioners next to each other.”

Cyberattacks on critical infrastructure can have major consequences, including physical damage to critical systems. As Lori Ross O’Neil, senior cyber security engineer at the Pacific Northwest National Laboratory and (ISC)² Board of Directors vice chairperson, explained during a Wednesday morning session, attacks on power and energy-generating assets can cause fires, explosions and release of toxic materials from the EGA or its substation.

With that in mind, O’Neil said, organizations’ cybersecurity requirements should be included in the bidding and contract processes for the procurement of energy systems. That means including cybersecurity experts in creating the language for bid requests as well as the review and selection of vendors.