An Infrastructure Plan in the 21st Century Needs to Address Cybersecurity
U.S. President Trump is expected to discuss his long-awaited infrastructure plan in tonight’s State of the Union address, but we should not expect full details for a few more weeks. The focus on upgrading our roads, bridges, tunnels and other physical infrastructure is welcome. But we need to do more than address these weak brick-and-mortar foundations. A real 21st century infrastructure plan needs to integrate digital infrastructure into physical upgrades and invest in innovative technologies that will keep America globally competitive and secure.
Today, it’s just a fact that the technology which makes things like education and healthcare more accessible to more Americans – the rise of cloud, mobile and IoT – also makes us more vulnerable to cyberattacks. The stakes could not be greater, particularly when it comes to our critical infrastructure.
Cyberattacks on critical infrastructure are rising
The U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) recently detected coordinated efforts by malicious actors to compromise our critical infrastructure, including those organizations involved in government, aviation, power production, energy production and critical manufacturing sectors. Further, the U.S. Department of Energy reported last year that America’s electricity infrastructure was in “imminent danger” from cyberattacks that are “growing more frequent and sophisticated.”
It’s no surprise that cyberattacks on critical infrastructure are rising. Organizations in the sector are high-value targets because they’re weakly defended systems that, if hacked, could help disrupt a network of utilities or oil and gas companies, potentially cutting off essential public services such as electricity, gas and water.
Ensuring security of critical infrastructure requires collaboration
So, how can the federal government ensure the security of critical infrastructure in the implementation of a broader infrastructure plan?
For starters, government regulators need to work with industry to develop standards. For example, the Federal Regulatory Commission (FERC) proposed new rules to protect the power grid from cyberattacks and the U.S. Department of Commerce is expected to issue an update to its cybersecurity framework for critical infrastructure early this year. These are both laudable steps.
But, in an environment where attacks are probable more than possible, early detection is key. Every organization needs to proactively develop the tools and capability to rapidly respond and recover in the event of a breach or attack. That’s why Tenable recently began a partnership with global energy leader Siemens to help operators of critical infrastructure continuously monitor both their traditional IT environment and Industrial Control Systems (ICS) environment for indicators of compromise, proper configuration, the presence of vulnerabilities and changes of state to the endpoints.
The public and private sectors also need to work together to assess the security of critical infrastructure sectors and develop a risk-based approach to address it, similar to the widely successful NIST Cybersecurity Framework. More broadly, we need tech advocates in Congress like Reps. Will Hurd and Gerry Connolly to play a leading role in ensuring the latest technology and security solutions are seeded into proposals for new construction and upgrades.
Smart infrastructure investments must address digital infrastructure, too
The bottom line? If America is going to invest $1 trillion in our infrastructure, it must include significant investments in digital infrastructure, so that we can take advantage of new innovations which will save lives, boost our economy and protect against the cybersecurity threats posed by a more connected society.
Related Articles
Securing IT-OT Environments: Why IT Security Professionals Struggle
December 6, 2021When providing cybersecurity in converged IT and operational technology environments, it’s critical for infosec pros to understand the differences between the two and utilize a toolset that delivers a comprehensive picture of both in a single view.
CISA Directive 22-01: How Tenable Can Help You Find and Fix Known Exploited Vulnerabilities
November 10, 2021While U.S. federal agencies are required to remediate the vulnerabilities outlined in the U.S. Cybersecurity and Infrastructure Security Agency's Binding Operational Directive 22-01, any organization would do well to consider prioritizing these flaws as part of their risk-based vulnerability management program.
How to Choose an OT Cybersecurity Solution Vendor
November 4, 2021Hint: choose a leader in ICS security.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
Cybersecurity Snapshot: Russia-backed Hackers Aim at Critical Infrastructure Orgs, as Crypto Fraud Balloons
September 13, 2024Critical infrastructure operators must beware of Russian military hacking groups. Plus, cyber scammers are having a field day with crypto fraud. Meanwhile, AI and cloud vendors face stricter reporting regulations in the U.S. And get the latest on AI-model risk management and on cybersecurity understaffing!
Microsoft’s September 2024 Patch Tuesday Addresses 79 CVEs (CVE-2024-43491)
September 10, 2024Microsoft addresses 79 CVEs with seven critical vulnerabilities and four zero-day vulnerabilities, including three that were exploited in the wild.
- Energy Industry
- Federal
- Government