Cybersecurity has become a hot topic in Washington. Since taking office, President Joe Biden has announced a series of efforts to strengthen the nation’s critical infrastructure systems (CIS) and address cybersecurity threats that are growing in scope and sophistication.
Headlines about companies – including the U.S. largest pipeline – paying ransoms to regain access to their systems have become increasingly common.
“Cyberattacks against critical infrastructure and operational environments are at an all-time high. Everyone is just waiting for the next big one to hit.”
Matt Hubbard, Senior Technical Product Marketing Manager at Armis
The Cybersecurity & Infrastructure Security Agency (CISA) lists 16 critical infrastructure sectors, including government facilities, financial services, transportation, communications, and healthcare.
Highways, bridges, railways, water systems, electric grids, hospitals, agriculture, and manufacturing are all considered critical infrastructures because they are essential to ensure the effective functioning of the economy and prosperity of the nation.
Nation-state cyberattacks against critical infrastructure have become widespread across the globe. For example, the Microsoft Exchange and SolarWinds hacks have been attributed to groups in China and Russia, respectively. These two massive attacks compromised corporations and government agencies.
According to an academic study sponsored by HP, nation-state attacks have doubled between 2017 and 2020. This research indicates that enterprises are the most common target, but government entities and critical infrastructure are vulnerable too.
Threats against CIS can have devastating consequences, from financial losses and product shortages to public health concerns. For example, earlier this year, a hacker tried to poison the water supply in Oldsmar, Florida.
Growing concerns about cyberattacks are driving a series of initiatives by the federal government. The Biden Administration has often reiterated the role of cybersecurity as a national and economic security imperative.
The White House considers cybersecurity one of the top 10 programs in the Bipartisan Infrastructure Investments and Jobs Act. This trillion-dollar legislation includes $550 billion in new federal investment in infrastructure to boost the U.S. economy and create jobs. It’s part of the funding package:
In addition, $2 billion will be directed to cybersecurity initiatives aiming to:
Protecting the government’s digital assets is an important step, but not enough to minimize national security threats. It’s the private sector that owns and operates much of the United States’ critical infrastructure. That’s why President Biden issued a National Security Memorandum to establish the Industrial Control Systems Cybersecurity Initiative.
The new policy directs federal agencies to develop cybersecurity performance goals to assist organizations that provide essential services. An example has been the Department of Energy (DOE)’s 100-day plan to improve the cybersecurity of the nation’s electric grid. More recently, the Department of Homeland Security’s Transportation Security Administration announced that critical pipeline owners and operators would have to:
The White House has also announced partnerships with the private sector to drive cybersecurity awareness and improvements.
For example, Code.org will teach cybersecurity concepts to more than 3 million students over three years. Companies including Google, Microsoft, Apple, Amazon and IBM have all made commitments to this initiative.
Following up on the executive order on cybersecurity, the Office of Management and Budget (OMB) and the CISA have released a draft memo seeking public feedback on initiatives to move the federal government toward a Zero Trust architecture.
Zero Trust is a security model initially introduced by Forrester. The principle is that users and devices cannot be trusted by default and have to be continuously verified and monitored to maintain their network access.
As part of the Federal Zero Trust Strategy, agencies will be required to achieve certain milestones by the end of the fiscal year 2024. The U.S. government’s strategy supports:
With the White House stepping up its cybersecurity efforts, there is also a call for business leaders to do the same.
A roadmap to increased infrastructure cybersecurity starts with the understanding that traditional security tools cannot protect those environments. ICS and operational technology (OT) devices are unmanaged. Also unmanaged are the Internet of Things (IoT) devices that have proliferated across all industries. Examples include printers, smart TVs, wireless inventory trackers, security cameras, and smartphones.
Unmanaged devices can process and transmit information but lack strong built-in security and cannot accommodate security agents. According to a 2019 Forrester Consulting study commissioned by Armis, 66% of manufacturing firms had encountered a security incident related to unmanaged and IoT devices.
The Armis platform begins discovering, classifying, and rating risk for all devices across your environment in real-time immediately upon installation. With this comprehensive inventory of devices and risks, security professionals can more effectively prioritize their efforts to reduce their attack surface proactively while improving their compliance and business continuity postures.
On an ongoing basis, the Armis platform helps identify and stop attacks across your organizations. The solution can provide detection and response, orchestrating automatic alerts and even security and policy enforcement.
With Armis, organizations can also implement the Zero Trust architecture – one of the best practices advanced by the White House.
Take the first step to reinforce your cybersecurity defenses against cyberattacks. Book a demo with Armis and discover how our agentless platform can help you to secure critical infrastructure and operational environments.
Review IT OT Convergence Playbook Chapters:
Sign up to receive the latest news