The term “critical infrastructure” is commonly thought to refer exclusively to the energy sector—companies that produce and transport oil, gas, coal, and other consumable fuels. But in today’s increasingly interdependent world, critical infrastructure spans a vast network of systems and services that are essential to maintain normalcy in daily life.
In fact, Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience outlines 16 key industries that fall under the umbrella of critical infrastructure. These sectors are considered so vital that their incapacitation or destruction would have a debilitating effect on security, national economic security, and national public health or safety.
The 16 sectors identified in the Presidential Directive include:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector
Sector-Specific Security Controls
Knowing which sector your company falls into is key to understanding which regulatory or compliance requirements you must meet to comply with the directive. This guidance also helps streamline the process of applying cybersecurity controls within your industrial environment and improving overall security—both within your organization and across the nation.
Depending on your sector, you will need to adhere to either:
- Industry-recognized standards: These information security controls typically apply to the energy industry or Department of Transportation (DOT) Information Systems Security Program. For example, ISO/IEC 27019 provides guidance for process control systems used within the energy sector.
- Formal regulatory standards: These include requirements such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) or regulations from the Food & Drug Administration (FDA).
Critical Infrastructure Attacks on the Rise
Every day, more critical infrastructure attacks occur and more ICS-specific forms of malware are being developed and deployed. In fact, two new forms of malware—PIPEDREAM and INDUSTROYER2—are actively exploiting systems.
PIPEDREAM, developed by CHERNOVITE Activity Group (AG), is a modular ICS attack framework that an adversary could use to cause disruption, degradation, and possibly even destruction depending on targets and the environment.
INDUSTROYER2 contains more targeted functionality than the original INDUSTROYER, a framework that used external modules to implement four different OT protocols. The latest version is self-contained and only implements the IEC 60870-5-104 (IEC-104) communications protocol to enable system monitoring and control over TCP.
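Because IEC-104 carries control commands over plain TCP, a monitoring point can decode each frame and alert when a command comes from a host that is not a known master station. The following is an added example, not code from the original article: the function names, the allowlist, the sample frames and the 192.0.2.x addresses are constructed for illustration, and each payload is assumed to hold whole APDUs.

```python
import struct

# Process-command ASDU type IDs (control direction): 45-51, and 58-64 with time tag.
COMMAND_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apdus(payload: bytes) -> list:
    """Decode every IEC-104 APDU in a TCP payload (assumed to hold whole APDUs)."""
    frames, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 6 or payload[pos] != 0x68:  # 0x68 = start octet
            raise ValueError(f"not an APDU at offset {pos}")
        length = payload[pos + 1]  # number of octets after the length field
        apdu = payload[pos + 2: pos + 2 + length]
        if length < 4 or len(apdu) != length:
            raise ValueError(f"bad APDU length at offset {pos}")
        cf1 = apdu[0]  # first control octet selects the frame format
        if cf1 & 0x01 == 0:  # I-format: sequence numbers plus one ASDU
            if length < 10:
                raise ValueError(f"I-format APDU without ASDU header at offset {pos}")
            type_id, _vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", apdu, 4)
            frames.append({"fmt": "I", "type_id": type_id, "cot": cot & 0x3F, "ca": ca})
        elif cf1 & 0x03 == 0x01:  # S-format: acknowledgement only
            frames.append({"fmt": "S"})
        else:  # U-format: link control (start/stop data transfer, test frame)
            frames.append({"fmt": "U", "func": U_FUNCTIONS.get(cf1, "unknown")})
        pos += 2 + length
    return frames

def unexpected_commands(flows, allowed_masters):
    """Return (src_ip, type_id, common_address) for commands from unlisted hosts."""
    alerts = []
    for src_ip, payload in flows:
        if src_ip in allowed_masters:
            continue
        for f in parse_apdus(payload):
            if f["fmt"] == "I" and f["type_id"] in COMMAND_TYPE_IDS:
                alerts.append((src_ip, f["type_id"], f["ca"]))
    return alerts

# Constructed sample traffic (not captured from any real system).
STARTDT = bytes.fromhex("68 04 07 00 00 00")
SINGLE_CMD = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 0a 00 00 01")
INTERROGATION = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")
ALLOWED_MASTERS = {"192.0.2.10"}
SAMPLE_FLOWS = [("192.0.2.10", STARTDT + SINGLE_CMD),
                ("192.0.2.99", STARTDT + SINGLE_CMD),
                ("192.0.2.77", INTERROGATION)]
```

With the sample flows, only the single command (type ID 45) from 192.0.2.99 is reported; the interrogation from 192.0.2.77 is a read request rather than a process command and is not flagged by this rule.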
Where to Start
Any loss of production due to a cyber attack will affect your company’s bottom line—and reputation. The best way to protect your organization is to create a well-planned mitigation strategy guided by ICS-specific regulations.
To start, you must first know what risks and vulnerabilities exist within your environment. Identifying all areas of risk within your organization—from the top of the management structure all the way to the end of the manufacturing line—allows you to identify key weaknesses, prioritize mitigation strategies, and address outstanding risks with a formal treatment plan.
Connect with our team to learn how we can help you identify risks and ensure compliance with ICS-specific regulations.
Take the first step in transforming your cybersecurity program
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.