Critical infrastructure protection is at a crossroads with numerous pressures coming at asset owners and operators from multiple directions ranging from threats to regulatory compliance.
Over here are state-affiliated attackers actively targeting operational technology (OT), cyber-physical systems, and IT networks not only within the 16 critical infrastructure sectors but also military targets. Over there is a turbulent new U.S. administration that has sowed confusion over the future of existing regs and the availability of cybersecurity resources from the government.
In this episode of the Nexus Podcast, Danielle Jablanski, an Industrial Control Systems Strategist & subject matter expert at the Cybersecurity & Infrastructure Security Agency (CISA) joins to bring her perspective on the current state of critical infrastructure protection and where entities large and small are challenged.
“Asset owners are still struggling, things that will not surprise you. It's not an AI implementation in OT. It's not post-quantum encryption. It's asset inventory, cloud adoption, and third-party risk,” Jablanski said. “And those are things that everyone can really comprehend. You don't have to be able to understand variables and set points in an industrial control system to talk about those three categories."
“So I think there are ways to discuss the main issues that get back to the predominant tasks of securing networks and reducing the severity of overall impacts to your environment that everyone can get on board with. And I think that's what's kind of missing,” she added.
Jablanski explains that a solid baseline of robust network security can go a long way toward blunting the activity and impact of threat actors.
“I think it's alarming that network security is consistently overlooked in favor of shiny objects and everything AI,” Jablanski said. “Network security is really the baseline, whether it's Volt Typhoon activity or Salt Typhoon activity. [CISA] put out mitigations that can hopefully have the most efficacy across the most environments. … Yes, the basics are boring, but if you've ever met me before, I have always said security should be boring. I should make t-shirts, I should make stickers.”
Jablanski also discusses the complexity in protecting privately owned critical infrastructure in the U.S., especially the challenges it presents in providing guidance and any kind of oversight.
“It's incredibly challenging,” she said. “People sometimes think that the government is going to be there to rush in, in any given situation. And of course, we would love to do that. But we can't be everywhere all the time.”
A 2011 FEMA paper said that 85% of CI is owned by the private sector, a percentage that has been often quoted as gospel. A 2022 George Washington University report brought more perspective to the question of private ownership:
“While each state has a different percentage and ownership split, the general trend across the United States is that a few large utilities service most of the population. For example, in Florida, 77% of utilities are owned by the private sector while 23% are owned by the public (including federal and local). That said, the 23% that are owned by the private sector service 92% of the population.”
“Private ownership is obviously predominant. The difference, though, is in the customers they serve? Even though there are potentially fewer private [utilities] in the water industry, they serve more customers. The energy space is different,” Jablanski said. “You have to really drill into each and every sector to understand the nuances. However, our services are still offered for free to these owners and operators, regardless of the ownership model. And so that sometimes really impacts who owns the risk, but not always at these organizations.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
