November is Critical Infrastructure Security and Resilience Month. Recently, we shared tips for protecting each designated critical infrastructure sector:
- Critical Infrastructure and Public Protection Strategies: Part 1
- Critical Infrastructure and Public Protection Strategies: Part 2
In this blog post, we’ll look into what security and resiliency really mean for critical infrastructures such as water monitoring systems and emergency services. We’ll also examine how any organization, regardless of industry, can measure risk and improve its cyber defenses.
Start with infrastructure security
At CIS®, we encourage users to start secure and stay secure. But what does security really mean? For critical infrastructure sectors, security is defined by Presidential Policy Directive 21 (PPD-21):
The terms ‘secure’ and ‘security’ refer to reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.
Organizations can implement security in different ways, including both physical and cybersecurity measures. Examples include:
- Installing ID badge verification at doorways
- Using security fencing around buildings
- Deploying network monitoring
- Locking devices (such as laptops and cell phones) when not in use
Build with resilience
According to the same policy directive (PPD-21), critical infrastructure sectors should strive for resilience:
The term ‘resilience’ means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
As with security, there are both physical- and cyber-resilience strategies organizations undertake, such as:
- Having a backup power generator
- Developing a business continuity plan
- Building with materials appropriate to the area’s natural risks
- Implementing annual cybersecurity training for employees
Manage the risk
One key concept behind both security and resiliency is managing risk. PPD-21 explains that critical infrastructure “owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.”
Cyber risks include DDoS attacks, malware, phishing scams, data breaches, and more. So how can critical infrastructure sectors and other organizations get prepared? To help organizations understand and mitigate cyber risks, we offer a free resource known as CIS RAM (CIS Risk Assessment Method). CIS RAM helps organizations conduct a cyber risk assessment and implement cybersecurity best practices found in the CIS Controls™. The method provides three pathways based on your organization’s experience with cyber risk:
- For organizations new to risk analysis, CIS RAM provides instructions for modeling threats against the CIS Controls.
- For organizations more experienced with cybersecurity, CIS RAM helps model threats against information assets.
- For cyber risk experts, CIS RAM offers instructions for analyzing risks based on “attack paths.”
The Road Ahead
Building organizational security and resiliency can be especially challenging when dealing with cyber threats. By conducting a cyber risk assessment, organizations can invest time upfront to ensure they are implementing informed policies and processes. This helps ensure security controls are effective against real-world threats. CIS RAM is one method to help organizations get started and assess against risk-based cybersecurity models.
FAQs
What are the 3 types of infrastructure security?
- Access Control: The prevention of unauthorized users and devices from accessing the network.
- Application Security: Security measures are placed on hardware and software to lock down potential vulnerabilities.
- Firewalls: Gatekeeping devices that can allow or prevent specific traffic from entering or leaving the network.
What are the 5 areas of infrastructure security?
- Chemical Sector.
- Commercial Facilities Sector.
- Communications Sector.
- Critical Manufacturing Sector.
- Dams Sector.
- Defense Industrial Base Sector.
- Emergency Services Sector.
- Energy Sector.
- #1: Get visibility of all your assets. ...
- #2: Leverage modern and intelligent technology. ...
- #3: Connect your security solutions. ...
- #4: Adopt comprehensive and consistent training methods. ...
- #5: Implement response procedures to mitigate risk.
The three interwoven elements of critical infrastructure (physical, cyber and human) are explicitly identified and should be integrated throughout the steps of the framework, as appropriate.
What are the 3 P's of security?
Like a football or soccer team, security also has two lineups that must be continuously managed. One lineup involves protecting the digital assets and data of a business.
What are the 3 A's in security?
Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
What are the 7 layers of security?
- Information Security Policies. These policies are the foundation of the security and well-being of our resources. ...
- Physical Security. ...
- Secure Networks and Systems. ...
- Vulnerability Programs. ...
- Strong Access Control Measures. ...
- Protect and Backup Data. ...
- Monitor and Test Your Systems.
The four basic layers of physical security are design, control, detection, and identification. For each of these layers, there are different options that can be utilized for security. Physical security design refers to any structure that can be built or installed to deter, impede, or stop an attack from occurring.
What are the 6 types of security?
- Access Controls. The act of restricting access to sensitive data or systems enables your enterprise to mitigate the potential risks associated with data exposure. ...
- Application Security. ...
- Behavioral Analytics. ...
- Firewalls. ...
- Virtual Private Networks. ...
- Wireless Security.
To illustrate dependencies among critical systems, let's take a more in-depth look at some of the most universally important infrastructure sectors – Communications, Energy, Transportation, and Water.
What are the 3 most important pillars of information security?
- Confidentiality — You need to know your data is protected from unauthorized access.
- Integrity — You have to be able to trust your data.
- Availability — You need to be able to access your data.
- Get connected. Building strong, positive relationships with loved ones and friends can provide you with needed support, guidance and acceptance in good and bad times. ...
- Make every day meaningful. ...
- Learn from experience. ...
- Remain hopeful. ...
- Take care of yourself. ...
- Be proactive.
- Have experts conduct an IT assessment/audit and planning. ...
- Create and enforce IT security policies. ...
- Enforce a strong password policy. ...
- Back-up your data. ...
- Always update your anti-virus software. ...
- Update workstations and software. ...
- Update your firewall.
- Always close and lock garage doors and windows.
- Be alert for unusual activities. ...
- Be careful about admitting strangers. ...
- Do not keep valuable items near windows with open drapes.
- Empty your mailbox or have someone empty it for you.
Also, the six elements are common to each process or function. These elements include business policies, business processes, people and organization, management reports, methodologies, and systems and data.
What are the five components of infrastructure?
Hardware, software, data management technology, network infrastructure, and information systems comprise IT infrastructure components.
What are the example of critical infrastructure give at least 5?
Critical infrastructure includes the vast network of highways, connecting bridges and tunnels, railways, utilities and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water and electricity all rely on these vital systems.
What are the five fundamentals of security?
- Provide early and accurate warning.
- Provide reaction time and maneuver space.
- Orient on the force or facility to be secured.
- Perform continuous reconnaissance.
- Maintain enemy contact.
Examples of infrastructure include transportation systems, communication networks, sewage, water, and school systems.
What are the basic elements of infrastructure and their importance?
In an organization or for a country, a basic infrastructure includes communication and transportation, sewage, water, education system, health system, clean drinking water, and monetary system. A country's economic and social development is directly dependent on a country's infrastructure.
What are the most crucial infrastructure requirements?
“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.”
What are 3 D's of security in security in computing?
That is where the three D's of security come in: deter, detect, and delay. The three D's are a way for an organization to reduce the probability of an incident.
What are the 5 pillars of NIST?
5 Domains of the NIST Security Framework. The five domains in the NIST framework are the pillars that support the creation of a holistic and successful cybersecurity plan. They include identify, protect, detect, respond, and recover.
What is the single largest threat to information security?
1) Phishing Attacks
The biggest, most damaging and most widespread threat facing small businesses is phishing attacks. Phishing accounts for 90% of all breaches that organizations face, they've grown 65% over the last year, and they account for over $12 billion in business losses.
Dr Ginsburg, child paediatrician and human development expert, proposes that there are 7 integral and interrelated components that make up being resilient – competence, confidence, connection, character, contribution, coping and control.
What are the five 5 skills of resilient person?
- Self awareness. ...
- Mindfulness. ...
- Self care. ...
- Positive relationships. ...
- Purpose.
- Viewing setbacks as impermanent.
- Reframing setbacks as opportunities for growth.
- Recognizing cognitive distortions as false beliefs.
- Managing strong emotions and impulses.
- Focusing on events you can control.
- Not seeing yourself as a victim.
- Committing to all aspects of your life.
Infrastructure security is the practice of protecting critical systems and assets against physical and cyber threats. From an IT standpoint, this typically includes hardware and software assets such as end-user devices, data center resources, networking systems, and cloud resources.
Why is infrastructure security important?
Infrastructure security, which includes critical infrastructure security, is critical for preventing damage to technology assets and data due to attack or disaster. It's also necessary for minimizing the amount of damage in the event of a successful attack or if a disaster occurs.
What are the 4s of resilience plan?
My co-presenter and I discussed our formula of what we call the four "R's": recognize, respond, reframe, and role model.
What are the 7 steps to cyber resilience?
- Invest in SOAR to improve detection and response times. ...
- Adopt zero trust to control access to sensitive data. ...
- Stress-test your incident response plan to boost resilience. ...
- Use tools to protect and monitor endpoints, remote employees.
Resilience is made up of five pillars: Self Awareness, Mindfulness, Self Care, Positive Relationships and Purpose.
What are the 3 P's of resilience?
Seligman's 3Ps Model of Resilience
These three Ps – personalization, pervasiveness, and permanence – refer to three emotional reactions that we tend to have to adversity.
- Emotional regulation. Emotional regulation is the ability to identify what you are feeling and the ability to control your feelings when necessary. ...
- Impulse control. ...
- Realistic optimism. ...
- Causal analysis. ...
- Empathy. ...
- Self-efficacy. ...
- Reaching out.
The five C's of cyber security are five areas that are of significant importance to all organizations. They are change, compliance, cost, continuity, and coverage. The top priority of organizations everywhere is having security that protects their digital and physical assets.
What are the four 4 cybersecurity protocols?
- Access Control.
- Authentication.
- Information Protection.
- Automated Monitoring.
- Shift into neutral. When you feel stressed, take a moment to check your “self-talk,” Singer advises. ...
- Create your mantra. ...
- Understand what's happening. ...
- Spread out stressors. ...
- Put you first. ...
- Make life mindful. ...
- Take care physically. ...
- Reach for support.
- Satisfaction with Lifestyle. People who lead a satisfying & fulfilling life tend to cope better with stress & adversity. ...
- Supportive Relationships. ...
- Physical Wellbeing. ...
- Solution-Focused Coping. ...
- Emotion-Focused Coping. ...
- Positive Beliefs.