In response to (Protecting infrastructure: it’s impossible to always stay alert | Cybernews): protecting Critical Infrastructure (CI) takes a multi-step methodology that covers all risk areas of the Operator's operations and the management of those risks, as set out in many standards: NIST SP 800-82 Rev 2, ISA/IEC 62443, NIST SP 800-37 Rev 2, ISO/IEC 27005, etc. It is very important for the Operator to understand cyber risks alongside the other risks it already understands well in its general Risk Management Program. Not doing so can spell greater disaster as the years advance from 2022 and the global cyber conflict continues to grow, involving more Nation State Sponsored Attacks (APTs).
Cyber risks to Operators can produce most of the consequences one sees in a natural or man-made disaster. Cyber-attacks can cause a loss of confidence in systems by undermining the availability and integrity of operations and processes, possibly creating safety risks that shut down operations and affect large segments of a population, a state or country, or a global service.
Protecting CI should sit at the top of the Operator's risk pyramid, since cyber risks are present every second of the day and, given the low cybersecurity maturity and capability of many Operators' programs, the ability to Identify, Protect, Detect, Respond and Recover (see the NIST Cybersecurity Framework functions), together with the supporting Incident Management mechanisms, is likely to be underdeveloped, poorly implemented, or not operated efficiently and effectively.
The following are immediate steps a CI Operator can take in the risk management of cyber risks:
- Consult with field experts and the responsible government entities for advice and guidance in developing Cybersecurity Programs for cyber risk management.
- Subscribe to credible industry-related cyber information exchanges: government sites, forums, alliances, etc.
- Implement comprehensive Cybersecurity Awareness Training Programs covering all human elements of the Operator.
- Carry out a comprehensive (where possible) Cybersecurity Risk Assessment of both IT and OT infrastructures, including an understanding of third-party and supply chain risks.
- Perform a Business Impact Analysis (BIA) and Criticality Analysis (CA) on both IT and OT infrastructures.
- Collaborate with the business risk management teams to incorporate cyber and IT/OT risks into the overall Risk Management Program.
- Design, or enhance an existing, Board-level, certified, risk-based Information Security Governance Program (ISGP), with an emphasis on human development and its involvement in designing and implementing security strategies.
- Undertake enhanced security testing services that report vulnerabilities across the IT/OT infrastructure, including the Operator's attack surfaces.
- Understand the Operator's threat landscape and use up-to-date, and where possible real-time, threat intelligence to implement risk-based security controls (designed, managed, operated, and monitored under the ISGP).
- Implement defence-in-depth techniques in IT/OT infrastructure designs.
- Implement Zero Trust methodologies and other industry frameworks in the management and operation of IT/OT infrastructures.
- Through mature risk management processes and business maturity, create working partnerships with cyber consulting businesses or entities (for example Palo Alto Networks or Nozomi Networks) to mature IT security, cybersecurity, information security, and OT security.
- Implement extensive security monitoring and incident response capabilities in the IT domain, considering XDR, Managed XDR, or even advanced SOC services for the Identification, Protection, Detection, Response, and Recovery from cyber threats and the cyber incidents they cause: availability issues, compromises, breaches, damage, and safety-related issues.
- Implement extensive security monitoring and incident response capabilities in the OT domain, considering new technological advances in OT security or even advanced SOC services for the Identification, Protection, Detection, Response, and Recovery from cyber threats and the cyber incidents they cause: availability issues, loss of system integrity, damage, and safety-related issues.
- Carry out continuous monitoring and auditing to sustain a successful risk-based Cybersecurity Program lifecycle.
Awareness of the need to protect CI is really a matter of organisational governance, and it is of the utmost importance that Boards, C-level executives, and business owners understand cyber risks and give them a more serious place at the round table, as this risk becomes the leading risk to businesses.
*Additional reading: ISO 31000:2018 Risk Management Guidelines | NIST Risk Management Framework (RMF) | Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline | Dragos Inc – INDUSTRIAL CYBER RISK MANAGEMENT: A GUIDELINE FOR OPERATIONAL TECHNOLOGY | Nozomi Networks: Building a Cyber Fortress: Preparedness and Resilience in Critical Infrastructure | Palo Alto Networks: Modernizing Critical Infrastructure Requires Security Transformation; Securing Critical Infrastructure with These Essential Steps