Keeping Our Nation in Check: The Need for Centralized Security Regulations on Critical Infrastructure

Introduction

Consider each essential product or service you consume daily. From running water to internet and telecommunications to sewage lines to the utilities powering your home and everything in between. None of these are made available without the critical infrastructure sectors that power our entire economy. 

With such significance comes risk. Cyber threat actors are fully aware of their impact when targeting a critical infrastructure site — a trend that's only increasing. 2022, for example, saw a 140% surge in attacks targeting industrial operations. At that rate, as many as 15,000 industrial sites will shut down due to cyber attacks by 2027. The result: 

• Essential services and resources can't get to those in need
• Unpredictable supply chains
• Jeopardized national security  
• Real lives at risk  

There's both the frequency and severity of cyber attacks to consider when critical infrastructure is involved. So why aren't there more centralized security regulations in these sectors? 

What's Currently in Place? 

Let's evaluate what's currently on the table regarding cybersecurity federal regulations or industry guidelines. Federally enforced, we have the Health Insurance Portability and Accountability Act (HIPAA) for securing medical information and Cybersecurity Maturity Model Certification (CMMC), which verifies that defense contractors meet the Department of Defense (DoD) security standards. 

Next on the list is the Payment Card Industry Security Council's Data Security Standard (PCI DSS). These security guidelines are for anyone processing credit card data. In this case, however, it isn't federal but an industry standard that many states adopt. Still, nothing for critical infrastructure thus far.  

Okay, how about the telecommunication industry? That's considered a critical infrastructure sector. The Federal Communications Commission (FCC) does have the Communications Assistance for Law Enforcement Act (CALEA). Unfortunately, these requirements are limited to forcing telecom businesses to facilitate lawful interception of communications — nothing related to cybersecurity management.   

If you look closely, there's no central framework for critical infrastructure besides state or local requirements. The best thing we currently have is North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) guidelines, but that's primarily for securing our electric grid from cyber threats. What about manufacturers, energy producers, transportation businesses, and all the other key industrial players?     

Why Regulate Critical Infrastructure Security?

Central security regulations are a must-have with today's rising cyber threat landscape. As a leader in providing operational technology (OT) visibility solutions, Garland Technology is here to advocate for such guidelines either on a federal or industry standard level. Here's why:   

Provides a Baseline for Constructing a Robust IT and OT Security Program

If nothing else, security regulations can at least give you a foundation to build on. As security experts, we must preface this statement by addressing a common misconception that spans across industries: Compliance doesn't necessarily mean secure. 

Nevertheless, many IT directors, particularly those in OT-dependent businesses, often need help figuring out how to start. Regulatory guidelines can help you start planning your security program, identify common vulnerabilities, and learn about potential safeguards while letting you better understand your unique risks. 

Creates a Framework for Security Innovation 

Many cybersecurity innovations stem from solving a specific challenge. For example, Zero Trust architecture emerged when organizations needed to protect perimeterless networks caused by the increased use of cloud computing and remote work environments.  

The idea of improving security technology or strategies in critical infrastructure sectors is no different. By adding regulations that provide a baseline set of controls, organizations can find new ways to improve those safeguards — letting them develop techniques specific to protecting OT environments and mitigating unique security vulnerabilities found in industry systems. 

Standardizes Security Management Across the Supply Chain

Supply chain attacks are brutal because you don't need to be the primary target to become a victim. Threat actors understand that businesses work with one another to get products manufactured and distributed to their customers — often requiring them to exchange data and collaborate through shared IT systems. 

With centralized regulations, everyone can work out of the same playbook to communicate using the same terminology and framework and build trust by holding everyone in the supply chain to a high standard. Imagine if manufacturers could quickly vet their warehousing companies to ensure they had a robust security program. With one regulatory framework, they can.   

Builds Stakeholder Trust 

With cybersecurity, there's more than just the businesses housing the data and industrial control systems (ICS) to consider. Consumers, supply chain partners, and the general public all have a vested interest in reliable, secure critical infrastructure, and security regulations send a huge message in this regard.

First, organizations in this space are taking public protection seriously by adopting high-security standards that ultimately keep the products and services moving. Additionally, the governing body, whether it be the federal government or an industry authority, wants to enable transparency and hold companies responsible should anything go wrong. 

Improve OT Visibility and Security with Garland Technology 

Securing our nation's critical infrastructure starts with every industrial organization adopting dependable solutions that provide complete OT clarity. We are here to help you take your first step toward enhanced network flexibility, visibility, and security. Join us for a brief network design consultation or demo. There's no obligation - it’s what we love to do!

Glossary

1. CALEA Compliance: The Communications Assistance for Law Enforcement Act (CALEA) is a United States federal law that mandates telecommunication service providers and equipment manufacturers to provide technical capabilities for lawful electronic surveillance and interception when required by authorized law enforcement agencies.
2. NERC CIP: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are a set of mandatory cyber security regulations and guidelines designed to protect North American’s Bulk Electric System (BES) from cyber threats.
3. Perimeterless Network: Often used interchangeably with Zero Trust. A Zero Trust cybersecurity strategy is one that organizations deploy to proactively control all interactions between people, data, and information systems to reduce security risks to acceptable levels.