Consider each essential product or service you consume daily: running water, internet and telecommunications, sewage lines, the utilities powering your home, and everything in between. None of these would be available without the critical infrastructure sectors that power our entire economy.
With such significance comes risk. Cyber threat actors are fully aware of their impact when targeting a critical infrastructure site — a trend that's only increasing. 2022, for example, saw a 140% surge in attacks targeting industrial operations. At that rate, as many as 15,000 industrial sites will shut down due to cyber attacks by 2027. The result:
There's both the frequency and severity of cyber attacks to consider when critical infrastructure is involved. So why aren't there more centralized security regulations in these sectors?
Let's evaluate what's currently on the table regarding cybersecurity federal regulations or industry guidelines. Federally enforced, we have the Health Insurance Portability and Accountability Act (HIPAA) for securing medical information and Cybersecurity Maturity Model Certification (CMMC), which verifies that defense contractors meet the Department of Defense (DoD) security standards.
Next on the list is the Payment Card Industry Security Council's Data Security Standard (PCI DSS). These security guidelines are for anyone processing credit card data. In this case, however, it isn't federal but an industry standard that many states adopt. Still, nothing for critical infrastructure thus far.
Okay, how about the telecommunication industry? That's considered a critical infrastructure sector. The Federal Communications Commission (FCC) does have the Communications Assistance for Law Enforcement Act (CALEA). Unfortunately, these requirements are limited to forcing telecom businesses to facilitate lawful interception of communications — nothing related to cybersecurity management.
If you look closely, there's no central framework for critical infrastructure besides state or local requirements. The best thing we currently have is North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) guidelines, but that's primarily for securing our electric grid from cyber threats. What about manufacturers, energy producers, transportation businesses, and all the other key industrial players?
Central security regulations are a must-have with today's rising cyber threat landscape. As a leader in providing operational technology (OT) visibility solutions, Garland Technology is here to advocate for such guidelines either on a federal or industry standard level. Here's why:
If nothing else, security regulations can at least give you a foundation to build on. As security experts, we must preface this statement by addressing a common misconception that spans across industries: Compliance doesn't necessarily mean secure.
Nevertheless, many IT directors, particularly those in OT-dependent businesses, often need help figuring out how to start. Regulatory guidelines can help you start planning your security program, identify common vulnerabilities, and learn about potential safeguards while letting you better understand your unique risks.
Many cybersecurity innovations stem from solving a specific challenge. For example, Zero Trust architecture emerged when organizations needed to protect perimeterless networks caused by the increased use of cloud computing and remote work environments.
The idea of improving security technology or strategies in critical infrastructure sectors is no different. By adding regulations that provide a baseline set of controls, organizations can find new ways to improve those safeguards — letting them develop techniques specific to protecting OT environments and mitigating unique security vulnerabilities found in industry systems.
Supply chain attacks are brutal because you don't need to be the primary target to become a victim. Threat actors understand that businesses work with one another to get products manufactured and distributed to their customers — often requiring them to exchange data and collaborate through shared IT systems.
With centralized regulations, everyone can work out of the same playbook to communicate using the same terminology and framework and build trust by holding everyone in the supply chain to a high standard. Imagine if manufacturers could quickly vet their warehousing companies to ensure they had a robust security program. With one regulatory framework, they can.
With cybersecurity, there's more than just the businesses housing the data and industrial control systems (ICS) to consider. Consumers, supply chain partners, and the general public all have a vested interest in reliable, secure critical infrastructure, and security regulations send a huge message in this regard.
First, organizations in this space are taking public protection seriously by adopting high-security standards that ultimately keep the products and services moving. Additionally, the governing body, whether it be the federal government or an industry authority, wants to enable transparency and hold companies responsible should anything go wrong.
Securing our nation's critical infrastructure starts with every industrial organization adopting dependable solutions that provide complete OT clarity. We are here to help you take your first step toward enhanced network flexibility, visibility, and security. Join us for a brief network design consultation or demo. There's no obligation - it’s what we love to do!
If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.
If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.
While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.
Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.
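The heartbeat, bypass and failsafe behaviour described above can be written as a small state machine. This is an added example, not Garland Technology's implementation; `miss_limit`, the per-interval `tick`, the `tool` callables and the step back to bypass after power returns are assumptions of the model.

```python
HEARTBEAT = "HB"  # constructed stand-in for the TAP's heartbeat frame


class BypassTap:
    """Toy model of the bypass logic; miss_limit is an assumed setting."""

    def __init__(self, miss_limit=2):
        self.miss_limit = miss_limit
        self.mode = "inline"   # inline | bypass | failsafe
        self.missed = 0
        self.ticks = 0
        self.events = []       # (tick, old_mode, new_mode), for alerting

    def _set_mode(self, mode):
        if mode != self.mode:
            self.events.append((self.ticks, self.mode, mode))
            self.mode = mode

    def tick(self, frames, tool, powered=True):
        """Process one interval; return the frames placed back on the link.

        tool(frames) models the inline appliance: it returns the frames it
        forwards, or None while it is off-line.
        """
        self.ticks += 1
        if not powered:
            self._set_mode("failsafe")  # no power: link is passed straight through
            return list(frames)
        if self.mode == "failsafe":
            self._set_mode("bypass")    # assumed: stay bypassed until a heartbeat returns
        inline = self.mode == "inline"
        # Heartbeats go out in every powered mode, so recovery is noticed too.
        back = tool([HEARTBEAT] + (list(frames) if inline else []))
        if back is not None and HEARTBEAT in back:
            self.missed = 0
            self._set_mode("inline")
            # Strip heartbeats so they never reach the critical link.
            return [f for f in back if f != HEARTBEAT] if inline else list(frames)
        self.missed += 1
        if self.missed >= self.miss_limit:
            self._set_mode("bypass")
        # Model assumption: frames handed to a dead tool before the limit are lost.
        return list(frames) if self.mode == "bypass" else []


def tool_up(frames):
    return [f for f in frames if f != "malicious"]  # inspects, returns heartbeat


def tool_down(frames):
    return None  # off-line appliance: nothing comes back, heartbeat included
```

While the model is in `bypass` or `failsafe`, frames reach the link without inspection, so the entries in `events` are the points at which a monitoring system would raise an alert.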
Single point of failure: a risk to an IT network in which the failure of one part of the system brings down a larger part of the entire system.
Heartbeat packet: a soft detection technology that monitors the health of inline appliances.
Critical link: the connection between two or more network devices or appliances whose failure disrupts the network.