The focus for OT in infrastructure is usually safe and reliable performance. Security typically comes third or even fourth behind cost. But by failing to prioritize security, owners and operators leave their own infrastructure vulnerable and, beyond that, endanger others. That’s because the interconnected nature of infrastructure leaves us susceptible to cascading failures that can spread across critical infrastructure sectors and regions.
There are simple steps to improve cybersecurity that don’t have to be part of a major upgrade or a new project. Start with the basics, like adopting a set of essential, easily implemented cyber hygiene measures. This establishes basic technical cybersecurity practices, such as access control and network segmentation, and helps personnel develop a security-first mindset.
At the same time, infrastructure planners and cybersecurity teams should address some technology challenges behind the scenes.
Government Agencies Must Stop Working in Silos
It’s all too easy to create and execute single infrastructure projects without regard for the bigger picture. As money flows in from federal funding allocated to specific purposes, such as broadband connectivity or water treatment, SLTT governments are likely to dole out the money to discrete departments or sector partners who will focus on building each project in isolation. That’s because it’s a proven way to develop infrastructure and public services.
However, taking a siloed approach to planning limits the potential benefits of upgrading multiple infrastructures simultaneously. It also perpetuates a culture of myopia that will continue to value a narrow view over a broad one, and that could leave systems unable to work together. Infrastructure must be able to communicate with other infrastructure elements.
Interstate highways transformed America in ways that were unimaginable when the legislation that created the system was signed in 1956. Likewise, the IIJA offers the opportunity to lay down the sinews for smart and pervasively connected infrastructure where the whole will be greater than the sum of the parts.
It may seem counterintuitive to call for connected infrastructure as a way to prevent cyberattacks, but it helps everyone when those systems can talk to each other. Cyberthreats already jump from one critical infrastructure sector or government network to another, and this trend is likely to accelerate. Infrastructures should, at a minimum, be able to share threat data. Without that, government and critical infrastructure operators cannot see both existing and future threats.
Sharing Strengthens All Stakeholders Across Governments
Sharing information and coordinating before, during and after an attack are critical to bolstering SLTT government and critical infrastructure security across the country. No single entity can collect, process and analyze all the relevant data by itself, but public and private sector organizations can partner to generate actionable insight into detecting and countering threats. Malicious cyber actors already collaborate, so why shouldn’t cyber defenders?
Failing to build the sharing of cyberthreat data and interoperable security capabilities into infrastructure upgrades makes the challenges of providing effective cybersecurity more difficult by forcing each organization to fend for itself.
Both Congress and President Joe Biden have underscored this need for collaboration. The recently enacted State and Local Government Cybersecurity Act of 2021 expands threat intelligence sharing between federal, state and local partners along with the private sector.
With the slew of new IIJA-related projects SLTT governments will initiate over the next few years, now is the time to focus on implementing proven best practices to improve both the synergy and security of this updated infrastructure. SLTT governments need help building up knowledge, capabilities and confidence regarding how to proceed in the event of a cyberattack. Partnering with other organizations that also face attacks is a sound way to do that.
Governments and critical infrastructure operators have a lot of hard choices to make regarding how to spend IIJA funding; introducing security into the process from the beginning should not be one of them. It isn’t easy and it will take the help of many, but taking that first step and getting into a security-focused mindset when developing infrastructure projects will go a long way toward strengthening all our digital defenses.