November marks National Critical Infrastructure Security and Resilience Month and is really a timely reminder to help keep this conversation at the forefront. Global critical infrastructure speaks to a standard theme: sectors which are crucial to security, economic security, public health, or safety. The pandemic has reshaped the landscape of critical infrastructure with a fresh generation of organizations now deemed as ‘critical.’ Most would consider hospital emergency rooms as traditional critical infrastructure, but think about medical research labs? Given that the planet awaits a vaccine to get rid of this pandemic anxiously, it’s clear these providers are actually even more essential than ever to your collective health, modern society, and economic climate. Adversaries know this as well and continue steadily to target the supply chains and assets of the critical systems, benefiting from our heightened technology dependence.

Embedding resilience and trust into critical infrastructure is still a moving target. We used to target within enterprises and businesses purely, today the interconnectivity of cloud and third-party delivered services have completely upended how exactly we assess risk but. Of the challenges – new or old – regardless; the focus should be on the integrity and standing of the technology and processes, ensuring we embed resilience and trust in to the core of critical infrastructure.

Building in Trust at the Network

Technology is longer an extension of critical infrastructure no, but at the core of it rather. The network sits between critical data, assets, and systems, and the services and users that leverage or operate them. It really is uniquely positioned not merely to include essential controls and visibility for resiliency, but a well-placed and high-value target for attackers also. Resiliency of the network infrastructure itself is essential.

Resilience is only attained by building in steps to verify integrity with technical features embedded in hardware and software. Secure boot ensures a network device boots only using software that’s trusted by the initial Equipment Manufacturer. Image signing allows a user to include an electronic fingerprint to a graphic to verify that the program running on the network is not modified. Runtime defenses drive back the injection of malicious code into running network software, rendering it very hard for attackers to exploit known vulnerabilities in hardware and software configurations. Important equally, vendors must work with a Secure Development Lifecycle to improve security, reduce vulnerabilities, and promote consistent security policy across solutions.

All of this may appear like geek mumbo-jumbo, but they are non-negotiables in today’s world. Whether it’s a crucial robot on a manufacturing line, a connected valve at a water treatment plant, or the network infrastructure that keeps all of them running and connected – without verification check points across the real way, you haven’t any basic idea if your underlying technology is authentic, unmodified, or more to your standards ultimately.

Securing the Supply Chain

Suppliers are increasingly being targeted as a route into our critical systems. The premise behind Zero Trust applies here too and dictates that people must verify the security of most who connecting into those critical systems. Which includes the complex web of vendors that produce the technology we ultimately sell or consume. So how exactly does the vendor secure their very own network, and the info of many? Once we dive deeper involved with it, we can note that the security of our suppliers and their very own supply chain increasingly becomes complicated, particularly when intellectual property (IP) is involved, and implemented across an enormous network of global suppliers of hardware, software, and cloud-based services. Geopolitical, cyber, and continuity risks can result in the misuse, tamper, and counterfeit of IP and solutions even.

We should take a layered approach, utilizing a mix of security technology (e.g. technical innovation to improve counterfeit detection or even to identify non-authorized components or users), physical security (e.g. camera monitoring, security checkpoints), logical (e.g. multi-factor authentication for workers), and information security (e.g. network segmentation). These security and privacy foundational requirements should be put on the end-to-end lifecycle of solutions in the supply chain, from design to decommission, across collaborative partnerships. It’s beyond geography-based privacy and security, it should be steeped in the supply chain process and in the technology itself. Everyone includes a stake in the overall game, and all suppliers should be held accountable also to exactly the same high standard.

Operations that Move at an electronic Pace

The increase of remote working, and remote access therefore, has heightened the significance of monitoring regular versus abnormal activity across all both traditional enterprise along with the vastly distributed cloud services. Migration to digital capabilities requires critical infrastructure providers to help keep pace with the most recent threat detection and monitoring technologies. It needs machine speed capabilities of control and visibility. It takes a built-in, holistic architecture of solutions that together work, communicate, and automate actions to create it simpler to address incidents faster and less complex, relying less on human actions. To do this, we should look end-to-end across our systems, avoiding piecemeal solutions and projects, to make sure consistent security capabilities which are scalable, agile, and fast.

Security capabilities are ever-evolving. Machine learning algorithms might help detect anomalies from normal user and network behavior. That data may be used for informing control-based policies to mitigate attacks then. Application, network, and endpoint security must together work, and as we turn to deploying solutions, we have to go through the consistency and integration of these capabilities.

Traditional or new, critical infrastructure comprises of complex networks and systems that sustain our global economy and society, a disruption to 1 could cause a ripple aftereffect of consequences beyond borders. Of a worldwide pandemic regardless, natural disaster, social unrest or when it operates like clockwork even, resilience and trust should be built-in at every step.

To learn more about how exactly Cisco embeds trust into everything we do, visit our Trust Center.