STATETECH: What resource shortages does critical infrastructure face, and how can they be addressed?
BRYANT: CI consists of a mix of state, municipal and privately owned and managed facilities. Each comes with its own resourcing and sector-specific challenges. They operate in varying, disparate environments, including regulatory, which can introduce issues and challenges for access to those resources. I've worked with some out here in Region 7 that are just very small organizations in a rural area, and they don't have access to all the skill sets they need.
It really needs to be a team effort to address this. It must start at the highest level and work its way down to the local levels, where cybersecurity is prioritized and resourced and where so often cybersecurity is just one of those overheads that organizations can't afford. There must be some sort of prioritization and resourcing there.
STATETECH: Critical infrastructure supply chains have been a source of risk in recent years. How do you rank that level of risk, and how can it be mitigated?
BRYANT: I would rank it as one of the top targets for threat actors, because it's those supply chains and those vendors that basically have the intel for the network. With that information, bad actors can figure out what type of equipment the CI has, and maybe even what the configurations are. Plus, they're often interconnected so that vendors can help manage and support those devices, and that’s another vector that the threat actor can use to just kind of walk in through the back door.
At the same time, it does fall upon the CI to manage that supply chain. At CISA, we have our Secure by Design and Secure by Demand initiatives that can support those organizations.