
Sep 02 2025
Security

Building Cyber Resilience in Critical Infrastructure

Network segmentation and reliable backup systems are crucial for responding to and recovering from cyberattacks against critical infrastructure.

The Cybersecurity and Infrastructure Security Agency defines critical infrastructure as “assets, systems, and networks that provide functions necessary for our way of life.” Unfortunately, those assets, systems and networks are regularly targeted by cyberattackers.

And as emphasized in CISA’s definition of critical infrastructure, a disruption isn’t just a matter of dollars and cents. Planes can be grounded, water supplies can be disrupted, and emergency services can go offline, all of which would very much affect our way of life.

So while the threats may be familiar — ransomware, supply-chain attacks — the potential fallout warrants a holistic approach to cyber resilience. This includes the ability to detect, respond to and recover from cyber incidents with minimal disruption to operations.


Similar Cyberattacks, Very Different Solutions

Many critical infrastructure facilities have decades-old equipment. These operational technology (OT) systems run water pumps, air traffic systems and even 911 call routing. Most of them weren’t designed for today’s threat landscape and can’t be patched or updated with modern security controls. You can’t install endpoint protection on a 20-year-old turbine controller.

With that in mind, creating inventories of systems and application programming interfaces (APIs) is the first step to achieving cyber resilience. Active and passive scanning is key here. Once you have visibility into the environment, it’s easier to identify which devices simply cannot be hardened, and more important, what measures need to be taken as a result.

Consider Petersburg, Va. The city learned its water pumps were connected via an open LTE network, essentially leaving its SCADA system exposed. It solved this problem by replacing its existing infrastructure with Ericsson Cradlepoint IBR900 series devices that create secure virtual connections via Internet Protocol Security tunnels. This secured data transmissions over the open LTE connection.


Schaumburg, Ill., is another example of using network technology to improve resilience. The city divided its SCADA network into smaller segments serving very specific machines. Not only does this restrict the kinds of activity that can occur on a network, but in the event of a breach, it prevents lateral movement to other systems, which helps shore up cyber resilience.

This method, called microsegmentation, will be increasingly important as IT and OT systems converge, especially with the rise of APIs. Just as organizations once struggled to inventory their hardware and software, many agencies don’t even know all the APIs they use. That makes them an attractive vector for exploitation and further emphasizes the importance of proper asset discovery and network segmentation.
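The inventory and segmentation steps above can be checked against observed traffic. The following Python script is an added example for this article, not code from StateTech, Petersburg or Schaumburg: it builds a passive asset inventory from flow records (no probes are sent to the controllers, which matters for equipment that cannot be patched) and then flags every cross-segment flow that the microsegmentation allow-list does not permit. The segment CIDRs, the allow-list, the service ports and the flow records are all constructed sample data; the segment names are assumptions.

```python
"""Passive asset inventory and microsegmentation policy check over flow records.

Added illustration; not code from the article or from the cities it describes.
The segment CIDRs, allow-list and flow records below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed segment map: one CIDR per microsegment, the way a SCADA network
# is split into small zones that each serve specific machines.
SEGMENTS = {
    "pump-controllers": ipaddress.ip_network("10.10.1.0/24"),
    "scada-hmi": ipaddress.ip_network("10.10.2.0/24"),
    "historian": ipaddress.ip_network("10.10.3.0/24"),
    "corporate-it": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed allow-list: (source segment, destination segment, dst port, proto).
# Any flow that crosses a segment boundary and is not listed here is a violation.
ALLOWED = {
    ("scada-hmi", "pump-controllers", 502, "tcp"),  # HMI polls PLCs over Modbus/TCP
    ("scada-hmi", "historian", 5432, "tcp"),        # HMI writes to the historian DB
    ("historian", "corporate-it", 443, "tcp"),      # historian pushes reports outward
}

# Constructed flow records from a passive capture (tap or span port):
# (src_ip, dst_ip, dst_port, proto). Nothing is sent to the controllers.
FLOWS = [
    ("10.10.2.15", "10.10.1.7", 502, "tcp"),
    ("10.10.2.15", "10.10.1.8", 502, "tcp"),
    ("10.10.2.15", "10.10.3.4", 5432, "tcp"),
    ("10.10.3.4", "10.20.5.20", 443, "tcp"),
    ("10.20.7.33", "10.10.1.7", 502, "tcp"),    # corporate workstation straight to a PLC
    ("10.20.7.33", "10.10.2.15", 3389, "tcp"),  # RDP from corporate into the HMI zone
    ("10.10.1.7", "10.10.1.8", 502, "tcp"),     # intra-segment, not policed here
]


def segment_of(ip):
    """Return the segment name containing ip, or 'unsegmented' if no CIDR matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unsegmented"


def build_inventory(flows):
    """Passive inventory: every address seen, the segment it sits in, the
    service ports it was observed answering on, and the peers it talks to."""
    inventory = defaultdict(lambda: {"segment": None, "services": set(), "talks_to": set()})
    for src, dst, port, proto in flows:
        inventory[src]["segment"] = segment_of(src)
        inventory[src]["talks_to"].add(dst)
        inventory[dst]["segment"] = segment_of(dst)
        inventory[dst]["services"].add((port, proto))
    return dict(inventory)


def find_violations(flows):
    """Return cross-segment flows not covered by the allow-list. Each one is a
    path between zones that segmentation was supposed to close off."""
    violations = []
    for src, dst, port, proto in flows:
        s_seg, d_seg = segment_of(src), segment_of(dst)
        if s_seg == d_seg:
            continue  # intra-segment traffic is out of scope for this check
        if (s_seg, d_seg, port, proto) not in ALLOWED:
            violations.append({"src": src, "src_segment": s_seg,
                               "dst": dst, "dst_segment": d_seg,
                               "port": port, "proto": proto})
    return violations


if __name__ == "__main__":
    for ip, info in sorted(build_inventory(FLOWS).items()):
        print(ip, info["segment"], sorted(info["services"]))
    for v in find_violations(FLOWS):
        print("VIOLATION", v)
```

On the sample data the inventory places every address in a zone and records that the two controllers answer on port 502, while the policy check reports the two flows from the corporate workstation into the OT zones. In a real deployment the flow records would come from a tap or flow exporter rather than a list, and the allow-list would be the same rules loaded into the segmentation firewalls, so the script doubles as a check that the enforced policy matches the intended one.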


Building Resilience Beyond Segmentation and Firewalls

Stopping and containing attacks is important, but cyber resilience is also about ensuring critical services can bounce back when disruptions happen. This requires backups for OT environments and IT infrastructure alike.

I’ve worked with counties that have built cloud backups to avoid catastrophic data loss for critical data systems. I also know of several jurisdictions that pooled their resources to create a joint security operations center, giving them the collective manpower to monitor and respond to incidents in real time. This level of preparedness across critical IT and OT environments is crucial to keeping the lights on, so to speak.

And speaking of keeping the lights on: Without electricity, even the best cyber resilience plans collapse. That’s why airports and data centers invest heavily in uninterruptible power supplies and generators. Some facilities can run for up to 48 hours without refueling, giving them critical time to recover. Extending this level of redundancy to other parts of local infrastructure — such as utilities or emergency services — can be the difference between resilience and failure.


Defending Critical Infrastructure Is a Shared Responsibility

Local governments don’t have to figure this out alone. Frameworks from CISA and the National Institute of Standards and Technology, such as NIST’s newly updated Cybersecurity Framework (CSF 2.0), provide practical roadmaps for building stronger defenses. CISA also offers a variety of no-cost services to help critical infrastructure providers shore up their cyber resilience.

Slowly but surely, we’re starting to see a shift toward treating cyber resilience as essential infrastructure, on par with power lines and clean water — because increasingly, that infrastructure relies on cyber resilience. Culturally, this will require some change. County or municipal commissions that have traditionally been siloed will need to collaborate more closely and create stronger inventories of systems and APIs.

At a minimum, remember that resilience starts with visibility. You can’t patch what you don’t see, and you can’t protect systems you don’t understand. For state and local governments, that means cataloging assets, isolating vulnerable devices and building redundancy into every layer of operations.

This article is part of StateTech’s CITizen blog series.


pixdeluxe/Getty Images