Critical Infrastructure, IoT, and Security


Thanks to the rapid growth and evolution of the Internet of Things (IoT), future cities and smart cities are converging. IoT is already playing a major role in transforming cities, beginning with critical infrastructure like energy, transportation, and communication systems. In celebration of National Cyber Security Awareness Month and this week’s theme of “Protecting Critical Infrastructure From Cyber Threats,” it’s important to understand how protecting and building resilience in critical infrastructure is crucial not only to national security, but to society as a whole. This blog post will highlight how cybersecurity is intertwined with the maintenance of critical infrastructure as we grow more dependent on the Internet to operate our roads, electrical systems, and financial institutions.

How Vulnerable is Our Infrastructure?

IoT is already connecting millions of devices in industry, government, and military. The rapid growth of these IoT devices is not something that can be controlled, yet it is certain that new threats will be introduced through them. We can only make sure we are implementing the best standards and practices to create a unified fight against imminent cyber security challenges within the IoT context. Some of the biggest challenges in securing critical infrastructure come down to 1) the operation of critical infrastructure with outdated, poorly secured computers and 2) governments having little control or authority over the infrastructure, since the private sector claims the vast majority of it.


We don’t have to look far back to see how outdated computer systems can affect critical infrastructure or important industries like healthcare. WannaCry, for example, affected over 100 countries and severely impacted the healthcare industry, taking a heavy toll on European hospitals in particular. The ransomware targeted a vulnerability in older Windows systems, which were still in use with many hospital data systems. Many have also criticized the US federal government for continuing to run largely on the old Windows XP, whose unmonitored vulnerabilities hackers often exploit.

Which Infrastructure Should Be Protected?

When we say “critical infrastructure,” what exactly do we mean? Critical infrastructure covers a variety of fields from financial institutions, law enforcement, healthcare, agriculture, water distribution, electricity, communication…and the list goes on. We rely on critical infrastructure to work without fail; we count on our water supply systems to run normally, we count on medical devices to not fail, and we count on our smart cars to not be hacked into. It’s hard to say which should be prioritized more as every industry is critical to our day-to-day lives.

Instead, efforts should be geared towards getting the government to help guide the private sector in prioritizing cybersecurity. After all, in the private sector, security is not always a top priority. When it comes to IoT devices, the government can have more say by ensuring that IoT devices sold within US borders are checked for vulnerabilities, providing admin controls for manufacturers (important when default passwords need to be changed), and mandating routine security patches. It’s easy to point fingers when a cyber attack compromises critical infrastructure, but with protocols in place, the relevant parties can be properly held accountable.

Who Should Assume Responsibility?

While it makes sense for the government and private sector to collaborate on preventing IoT devices from being released onto the market without first being properly secured, strict regulation is easier said than done. Instead of waiting on the government to release a set of security guidelines or dedicate further legislation related to IoT like the “Internet of Things Cybersecurity Improvement Act,” organizations can develop their own IoT policies to govern the use of IoT devices. They may assign monitoring roles and describe to end users how the improper usage of IoT devices can lead to harmful repercussions, thereby holding them accountable as well.

National Cyber Security Awareness Month places great emphasis on cybersecurity being “our shared responsibility.” Encouraging businesses and organizations to adhere to the best cybersecurity practices will ensure that our homes are well-powered, that our transportation gets us to where we need to go, and that our communication systems do not fail to connect us. The National Cyber Security Alliance has made available the following tools: the US-CERT Tips page for making informed decisions about connecting devices to your networks; and, if you’re a manufacturer of devices, a US Small Business Association cyber course.

Follow us on Twitter at @pentasecsystems and help us spread the #CyberAware message!