Dec 03 2024

How Critical Infrastructure Companies Can Defend Against Growing Cyberthreats

Sophisticated cybercrime networks are plenty for businesses to worry about, but critical infrastructure businesses must defend against hostile nations. Rubrik CISO Mike Mestrovich has ideas.

The government has been issuing new warnings about heightened concern involving the potential for cybersecurity attacks against critical infrastructure facilities. Such facilities — water treatment and power plants and even nuclear facilities, among others — tend to be privately owned and operated even as they provide services vital to day-to-day life. 

To get a deeper understanding of the security issues involved, BizTech Senior Editor Lily Lopate spoke with Mike Mestrovich, vice president and CISO of security company Rubrik and former acting CISO of the U.S. Central Intelligence Agency.

BIZTECH: There’s been heightened concern recently about foreign threat actors targeting critical infrastructure organizations in the U.S. What’s going on?

MESTROVICH: This is an area where we do have to have a heightened sense of awareness. The government is trying to get that out. Critical infrastructure companies are vital to the well-being of the country as a whole, and for that reason they’re also going to be a target of threat actors, most notably foreign intelligence services, as well as criminal elements.

This shouldn’t be a surprise to people. They’re going to be targets because should there be a time of conflict, an adversary would want the opportunity to degrade our ability as a nation to respond to whatever that conflict is, to instill doubt and fear in the population, and to bring the events of any geopolitical crisis close to the citizenry.


The federal government has tried to let critical infrastructure companies understand what they’re up against, and how to gauge their cybersecurity responses to ensure maximum security, even with limited resources. No entity is ever going to have unlimited resources from a cyber defense perspective. 

And so it’s really about applying a maximum amount of resources at those critical junctures that will have the most positive effect on ensuring the cybersecurity posture of that organization. The government is trying to put out some baseline standards so that people can evaluate themselves against those standards, and then through that, we can begin to build from the bottom up a common layer of defense amongst all the infrastructure companies.

BIZTECH: What is it about critical infrastructure companies that makes them more complicated to defend than other types of organizations?

MESTROVICH: Because critical infrastructure businesses employ two types of technology: the information technology and networks that process data; and operational technology, the underlying mechanical systems that are further operated by information technology components and that have been in many ways automated. There are millions of these types of devices: water-flow sensors that test the purity of the water, automatic switching systems and collision detection systems for trains. The air traffic control system is replete with automated systems as well.

We’ve done a great job in this country of scaling these services out to support millions of constituents. But we’ve done that without adding labor, through automation of systems. These technologies are designed to operate in very harsh environments and with a large degree of autonomy. So, the idea of being able to continuously update those types of devices to protect them from security vulnerabilities — it arguably wasn't part of the equation when many of them were designed and implemented. And now you have to go back and patch those systems up.


BIZTECH: How are organizations doing that?

MESTROVICH: There are a couple of different methodologies. In many instances, the only way to upgrade those types of things is to come back and physically swap those components out. And that could be just the limitations of how they were designed from a chipset perspective, memory, compute power; or the underlying operating systems that are now being utilized have advanced beyond what those old electronic components could actually support. So in some instances, yeah, you do need to remove those devices from the infrastructure and replace them with newer devices.

In other cases, while those devices may be able to support upgrades, it’s a matter of taking the time and having the automation to get out there and update these many thousands of devices. Some things are just not going to take a patch; there’s going to be something that’s going to corrupt the device and you’re going to have to remediate that. So all of those issues apply to Internet of Things devices.


BIZTECH: What role does the government play?

MESTROVICH: What you’re seeing, as it relates to critical infrastructure, is the government designating the Cybersecurity and Infrastructure Security Agency to promote specific cybersecurity standards and baselines that they will then propagate out to critical infrastructure companies, and then work with them to bring their systems into compliance. Some of the things that they talked about are relatively straightforward: being able to understand the inventory of the devices that you have; being able to detect against threats, to analyze the data that's coming in. How do you report on security incidents? Those types of things are part of the framework. Also, how do you build resiliency into your system? How do you prepare yourself to recover from a cyberattack? What are the types of things that you need to have in place to have a more resilient cyber infrastructure?

BIZTECH: So where do organizations start?

MESTROVICH: At a very basic level, every IT organization should have an accurate asset inventory. Because any one of those things, should they become infected, is potentially a vector into my environment. The first thing is: “What are the things that I'm responsible for?” You can't know your susceptibility to vulnerabilities unless you know what your asset inventory is and what the configuration of those assets is. You have to be able to bring those things together.

And it doesn't just stop with devices. Clearly, it then expands into users, like, “Who are my users? Where are they coming from? What do they do?” And so having a good understanding of that is very important. And then ultimately, the third piece of this is, “What is my critical data? Where is that critical data? And then who has access to that critical data?” Those are the three components that I think are a little bit new in the space. With respect to the disruption of critical infrastructure, destruction of IoT systems, cybercrime is perpetuated on the theft of data, or on preventing you from using your data. And so it really comes down to, “Where's my critical data? And who has access to it? Because that's really what I want to protect.”


Photography by Robert Houser