In November 2023, the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) introduced the “Shields Ready” campaign to secure U.S. critical infrastructure against cyber threats. The initiative advises organizations on how to build resilience into their systems, facilities and processes. It complements CISA’s existing “Shields Up” campaign, which focuses on the specific actions organizations should take in response to cyberattacks.
This comes as cyber threats continue to grow in frequency, severity and sophistication. Critical infrastructure organizations are digitally transforming at scale, and as previously isolated systems become interconnected, new entry points and attack surfaces open up for criminals to exploit.
The campaign is a promising development that defines four key steps toward security and resilience. For each step, here is what organizations need to consider in the context of their current processes, and what they might implement for effective cyber response and recovery.
Identify the Dependencies
The first step to resilience under the “Shields Ready” campaign is identifying critical systems and assets and scoping their dependencies on other infrastructure systems. With the boundary between IT and OT now blurring, attack surfaces have inevitably expanded as once-isolated systems become interconnected. This means that attackers who have gained access to an IT network may be well positioned to pivot into OT systems.
Staff unfamiliar with modern, connected OT systems may struggle to recognize and respond to the threats that now reach those systems, including targeted social engineering and phishing. Decision-makers must therefore build organization-wide awareness of new and emerging security threats, including social engineering tactics.
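Scoping dependencies is easier to reason about as a graph. The following is an added example, not code from the campaign or the article: it models a small, constructed inventory of IT, DMZ and OT assets with “depends on” edges, then answers the two questions the first step raises, namely what each critical asset relies on, and which critical OT assets an attacker with an IT foothold could reach through those dependencies. Asset names, zones and relationships are illustrative assumptions.

```python
from collections import defaultdict, deque

# Constructed sample inventory, not taken from the article. Zone is where the
# asset lives; "critical" marks assets whose loss interrupts the service.
ASSETS = {
    "erp":        {"zone": "IT",  "critical": False},
    "ad":         {"zone": "IT",  "critical": True},
    "jump-host":  {"zone": "DMZ", "critical": False},
    "historian":  {"zone": "DMZ", "critical": False},
    "scada":      {"zone": "OT",  "critical": True},
    "plc-pump-1": {"zone": "OT",  "critical": True},
}

# (dependent, dependency): the first asset needs the second to operate, or is
# administered through it. Assumed relationships for illustration only.
DEPENDS_ON = [
    ("erp", "ad"),
    ("jump-host", "ad"),      # engineers log on to the jump host with AD credentials
    ("scada", "jump-host"),   # SCADA is administered via the jump host
    ("historian", "scada"),
    ("plc-pump-1", "scada"),
]

# Forward graph: asset -> things it depends on. Reverse graph: asset -> its dependents.
FORWARD = defaultdict(set)
REVERSE = defaultdict(set)
for dependent, dependency in DEPENDS_ON:
    FORWARD[dependent].add(dependency)
    REVERSE[dependency].add(dependent)


def _reach(graph, start):
    """Breadth-first transitive closure of `start` over `graph`, excluding start itself.
    Cycles are safe: every node is queued at most once."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def transitive_dependencies(asset):
    """Everything `asset` needs, directly or indirectly: the scope to protect for it."""
    return _reach(FORWARD, asset)


def blast_radius(asset):
    """Everything that is affected if `asset` is lost or compromised."""
    return _reach(REVERSE, asset)


def critical_ot_exposed_from_it():
    """For each IT asset, the critical OT assets with a dependency path back to it."""
    exposure = {}
    for name, meta in ASSETS.items():
        if meta["zone"] != "IT":
            continue
        hit = [a for a in blast_radius(name)
               if ASSETS[a]["zone"] == "OT" and ASSETS[a]["critical"]]
        exposure[name] = sorted(hit)
    return exposure


def single_points_of_failure():
    """Assets not flagged critical whose loss nevertheless takes down a critical asset."""
    return sorted(
        name for name, meta in ASSETS.items()
        if not meta["critical"]
        and any(ASSETS[a]["critical"] for a in blast_radius(name))
    )


if __name__ == "__main__":
    print("plc-pump-1 depends on:", sorted(transitive_dependencies("plc-pump-1")))
    print("affected if ad is compromised:", sorted(blast_radius("ad")))
    print("critical OT reachable from IT:", critical_ot_exposed_from_it())
    print("unflagged single points of failure:", single_points_of_failure())
```

The last function is the practical payoff: in this constructed inventory the jump host is not marked critical, yet every critical OT asset depends on it, so it is exactly the kind of dependency the first step is meant to surface. Running the same queries over a real asset inventory (for example, exported from a CMDB or a network discovery tool) shows where an IT compromise can be expected to land on the OT side.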
Consider the Full Range of Threats and Hazards and the Risks They Pose
Critical infrastructure providers have become acutely aware of threats from outside the organization, including ransomware. According to Bridewell research, ransomware-related incidents occurred as many as 26 times per organization over a 12-month period. However, internal, end-user-driven risks are also causing concern. Over the last three years, three-quarters (77%) of respondents have witnessed an increased cybersecurity risk from insiders, whether unintentional or malicious.
Threats and hazards may also arise from new sustainability solutions. While green technologies help reduce carbon emissions and improve resource efficiency, their connectivity demands and the digitalization of field assets expand the attack surface. These assets often rely on specialized equipment or software that lacks a mature security ecosystem of patching, monitoring and vendor support. Entry points are therefore proliferating across critical infrastructure networks, giving cybercriminals more opportunities to exploit vulnerabilities. Using the right intelligence and expertise, decision-makers must protect against external and internal threats and prevent new integrations from becoming attack vectors.
Develop a Strategic Risk Management Plan
Effective risk management requires a holistic approach that accounts for multiple dimensions and their interdependencies. On the people side, a breach response team should be in place to deal with developing events quickly and effectively. This team should comprise key stakeholders, including the Chief Information Security Officer, Data Protection Officer, General Counsel, Head of IT, PR or communications professionals, and anyone else who can provide input and make informed decisions during a crisis. A defined process must ensure that breaches are reported to the relevant regulator within the required timeframe.
End-to-end visibility is the next challenge for critical infrastructure organizations as IT/OT convergence continues to blend new technologies, such as sustainable platforms, with existing teams and processes. Threat intelligence should inform this understanding: it enables organizations in the sector to build incident response plans tailored to the threats they are most likely to face given their current technology stacks, and it allows teams to share intelligence and collaboratively identify and respond to evolving threats, strengthening overall posture. Capabilities such as managed detection and response (MDR) and extended detection and response (XDR) give teams the means to detect, contain, mitigate and remediate threats across the entire technology ecosystem.
Realistically and Continuously Test Response and Recovery Plans
A strategic risk management plan should be tested at least annually to ensure it continues to meet the organization’s requirements. The accompanying training program should educate employees about their roles and responsibilities so they know exactly what to do during an incident. Tabletop exercises, each focusing on a different scenario, should be included to assess a team’s understanding of how to react to specific breaches and use the right tools as part of their response. A lessons-learned review should follow any real incident so that the plan is updated and repeat incidents are prevented.
A mature approach will involve tailoring training to suit different departments. Take, for example, PR and comms professionals. Announcements to the public following a major incident must be carefully considered and devised to limit reputational damage. They may require templates with pre-agreed wording that enables them to send communications out quickly.
Moving to Bolster Infrastructure
The “Shields Ready” campaign is a significant step in the continued collective effort to bolster U.S. critical infrastructure against growing cyber threats. It emphasizes four key steps: understanding dependencies, recognizing a broad range of threats, crafting comprehensive risk management and response strategies, and rigorously testing those plans. Across these stages, critical infrastructure organizations require a multi-layered cybersecurity strategy that combines technology and human elements.
By adopting this framework and carefully considering the requirements under each stage, organizations can strengthen their defenses, better prepare for future threats and ensure that essential services across the United States remain secure and resilient.