We Must Develop Guidance and Best Practices for Securing Critical Infrastructure

The potential for a damaging cyberattack on critical infrastructure is more probable than ever.

Many organizations, including federal, state and local government agencies, are not proactively implementing secure systems that are rooted in strong cyber hygiene and unified visibility. To ensure preparedness, government regulators and industry need to work together to develop a framework of guidance, best practices and standards for monitoring critical infrastructure vulnerabilities, closing the Cyber Exposure gap and responding to threats before they have real-world consequences.

Bad actors are already targeting U.S. critical infrastructure and looking to disrupt our utilities, financial markets and water supplies. Last year, the United States and the United Kingdom issued a rare joint statement about malicious cyberactivity carried out by the Russian government. Targets included critical infrastructure providers and internet service providers, and exploits were directed at routers, switches, firewalls and network intrusion detection systems.

With the convergence of information technology and operational technology, the modern attack surface is rapidly expanding, exposing the systems that support every aspect of our daily lives to new vulnerabilities and threats. Public and private critical infrastructure sectors need unified visibility across their converged environments to ensure they can identify, manage and reduce risk. When built upon a continuous network monitoring platform, organizations can consistently visualize the security posture of their modern attack surface, from IT to OT, and better protect themselves against cyberattacks.

There are three things that government regulators can prioritize with industry to ensure the security of our nation’s critical infrastructure:

— Prioritize the need for unified visibility into the security posture of critical infrastructure systems: Government organizations and industry often struggle to ensure unified visibility of their complete networks, which span IT and OT. When organizations lack full visibility into their security posture, malicious actors can bring operations to a screeching halt and compromise security. Companies should be responsible for understanding where their weakest vulnerabilities lie. Assets should be monitored so that potential weak points and blind spots can be easily identified and remediated.

Close the Cyber Exposure gap: Rapid digital transformation is changing the way the government fulfills its mission, and continuous asset monitoring and vulnerability detection are a necessity for closing the Cyber Exposure gap. Companies must maintain a single, converged view of their IT and OT environments to ensure they have visibility into where they are exposed and to what extent.

Focus on the fundamentals: Basic cyber hygiene, such as strong passwords for control systems, secure networks and employee training, must be established before focusing on more advanced measures. While these measures are an important aspect of an overall cyberdefense strategy, they will not be effective without proper cyber hygiene. Government regulators must focus on these basics to build a foundation for strong cybersecurity.

It is clear that government and industry collectively need to develop a framework of guidance, best practices and standards to address existing Cyber Exposure gaps for all organizations. Congressional efforts to better understand and address these issues and the administration’s National Cyber Strategy are steps forward in reducing risk, which is imperative as we face more sophisticated adversaries. Public-private partnerships are essential to the improvement of our nation’s cybersecurity stature.

The threats targeting critical infrastructure are no longer theoretical, and they cannot be overlooked. Organizations tasked with securing our nation’s critical infrastructure must have unified visibility into where they are exposed and to what extent, and they must implement foundational cyber hygiene practices to improve their overall security posture.

These are the first, but very critical, steps to securing the services and resources we all rely on.


Eitan Goldstein is senior director of strategic initiatives for Tenable.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.

Morning Consult