Question

Tell us about five different critical infrastructures.

How are they at risk?

How can you protect the five infrastructures you picked?

Answer 1

Thank you so much for asking the question and  really appreciate it.

To understand the answer of the above question we need to understand the following things:

What is mean by Critical Infrastructure?

Critical infrastructure is the body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public's health and/or safety.

Critical infrastructures are generally understood as facilities and services vital to the basic operations of a society. Sectors that are considered as “critical infrastructure” vary among different countries, but most would comprise: energy, water, food, transport, telecommunications, healthcare, as well as banking and finance. However there is no universally agreed definition in place – each country defines it based on national priorities. Many countries have national strategies for protecting their critical infrastructure from and natural and man-made risks. Increasingly, cyber-security is of concern in protecting any of these infrastructure.

Sectors that are considered as “critical infrastructure” vary among different countries, but most would comprise:

Energy, Water, Food, Transport, Telecommunications, Healthcare, as well as Banking and Finance.

following are the five different critical infrastructure

1.Energy Sector:

The U.S. energy infrastructure fuels the economy of the 21st century. Without a stable energy supply, health and welfare are threatened, and the U.S. economy cannot function. Presidential Policy Directive 21 identifies the Energy Sector as uniquely critical because it provides an “enabling function” across all critical infrastructure sectors. More than 80 percent of the country's energy infrastructure is owned by the private sector, supplying fuels to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the nation.

2. Safe Drinking Water:

Safe drinking water is a prerequisite for protecting public health and all human activity. Properly treated wastewater is vital for preventing disease and protecting the environment. Thus, ensuring the supply of drinking water and wastewater treatment and service is essential to modern life and the Nation’s economy.

3. Food & Agriculture:

The Food and Agriculture Sector is almost entirely under private ownership and is composed of an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities. This sector accounts for roughly one-fifth of the nation's economic activity

4. Transportation Sector:

The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector. The nation's transportation system quickly, safely, and securely moves people and goods through the country and overseas.

5. Healthcare:

The Healthcare and Public Health Sector protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters. Because the vast majority of the sector's assets are privately owned and operated, collaboration and information sharing between the public and private sectors is essential to increasing resilience of the nation's Healthcare and Public Health critical infrastructure. Operating in all U.S. states, territories, and tribal areas, the sector plays a significant role in response and recovery across all other sectors in the event of a natural or man made disaster. While healthcare tends to be delivered and managed locally, the public health component of the sector, focused primarily on population health, is managed across all levels of government: national, state, regional, local, tribal, and territorial.

Now we will understand how the critical infrastructure is in the risk and what are the primary threats facing critical infrastructure?

A generation or two ago, those threats were pretty much all tangible, physical threats that could be countered with tangible, physical defenses. Think old war movies — blowing up or defending bridges and railroad tracks, etc. Those kinds of tangible, physical threats continue today, as do natural disasters, such as hurricanes, floods and wildfires, and they can cause serious harm to people and nations.

The inclusion of “virtual” infrastructure in the DHS definition is a relatively new phenomenon, and the primary threats to that infrastructure are even more difficult to counter. Sometimes the virtual infrastructure combines with the physical — attackers may attempt to use virtual control systems to deliver physical threats or make virtual threats to physical infrastructure — creating the need for a multi-faceted response. This combination of virtual and physical is growing exponentially today, as virtual connections to physical infrastructure, aka the internet of things, become increasingly mainstream.

How do we protect critical infrastructure?

With that definition and understanding of what critical infrastructure is, and what types of threats endanger it, let’s examine how we should protect it.

The Cyber security and Infrastructure Security Agency , created by Congress in November 2018, is the DHS agency charged with primary critical infrastructure protection responsibility.

CISA, according to its website, “leads the coordinated national effort to manage risks to the nation's critical infrastructure and enhance the security and resilience of America's physical and cyber infrastructure.” Breaking down this summary statement, CISA identifies three key elements of critical infrastructure protection:

• managing risk to that infrastructure;
• enhancing security of that infrastructure; and
• enhancing resilience of that infrastructure.

Managing risk to critical infrastructure

The National Risk Management Center (NRMC), an entity within CISA that also came into existence in 2018, leads the charge when it comes to the agency’s risk management guidance. NRMC identifies itself as “a planning, analysis, and collaboration center working to identify and address the most significant risks to our nation’s critical infrastructure.”

We point to the words “most significant” as the central theme of risk management. No defense plan will provide absolute protection against all risks; the cornerstone of effective risk management is prioritization — identifying the most significant risks and taking actions to mitigate those risks.

Risk-based prioritization is one of the primary components of effective cyber risk management. It is also a key component of the discipline of Cyber Exposure. Cyber Exposure recognizes that the modern attack surface reflects the increasing convergence of the virtual and the physical, and that as connectivity increases, so does the risk of cyber attack. Managing that risk is essential to the protection of critical infrastructure today, and will become even more essential in the future.

Enhancing security for critical infrastructure

Enhancing security is, perhaps, the most fundamental component of critical infrastructure protection.

In the physical world, doing so involves basic actions such as locking doors, putting up fences and similar steps to address physical vulnerabilities. Similarly, in the cyber realm, security means identifying virtual vulnerabilities and addressing those vulnerabilities.

Practicing good cyber hygiene is Step 1 in enhancing cybersecurity. Lapses in basic cyber hygiene are the primary cause of security breaches. Bad actors are able to get through cyber “doors” when device owners do the following: use poor locks (think weak passwords); leave doors open (think unpatched vulnerabilities); or unwittingly give them the keys (think phishing scam).

Protecting critical infrastructure presents some unique challenges. For instance, Industrial Control Systems (ICS), which govern the operation of large industrial plants, cannot be actively scanned for vulnerabilities the way a virtual-only Information Technology (IT) environment can be scanned because such scans can knock the industrial systems offline, grinding operation of a major plant to a halt.

The overarching category for these types of systems is Operational Technology (OT). OT systems, many of which pre-date the internet, have historically been standalone, “air gapped” systems, which minimized their vulnerability to cyber threats. In today’s connected world, however, that is quickly becoming the exception rather than the rule.

Adapting cyber defenses to protect these systems requires a different approach. Tenable is addressing these challenges by leveraging its passive monitoring capabilities to deliver a solution that enables safe monitoring of OT assets in a converged IT-OT environment.   

Enhancing resilience of critical infrastructure

To be resilient, in the parlance of the iconic Timex watch ads, is “to take a licking and keep on ticking.”

As more formally defined in Presidential Policy Directive 21, the governing federal critical infrastructure protection authority, resilience is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.” In cyber-centric environments, resilience builds on security to round out a comprehensive cyber defense program that addresses all phases of preparation and implements steps to prepare for, and respond to, any cyber threats.

To guide organizations in developing and implementing effective, comprehensive critical infrastructure protection programs, the National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework. According to NIST, a “prioritized, flexible and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

DHS offers an additional resilience-focused resource, the Cyber Resilience Review (CRR). This free resource can provide insight into an organization’s cyber resilience status and recommend areas for improvement. It includes a “NIST Framework crosswalk” feature to guide alignment and ensure comprehensive program implementation. A fact sheet is available with instructions for conducting a CRR and requesting DHS CRR support.

By following ways we can protect the critical infrastructure:

Energy Sector:

This sector is an underlying operational requirement for most other critical infrastructure. The energy industry carries specific risks and controls must be put into place in order to build resilience to a cyber-attack. One of the most important pieces is to approach cybersecurity training with an emphasis on understanding.

Tip: Make sure that you apply the rules to your everyday work practice and not another “training” that you already know. Speak up if you have ideas or recommendations on making training more accessible or aligned with your work stream.

Drinking Water:

The Dams Sector-Specific Plan tailors the strategic guidance in the National Infrastructure Protection Plan to the unique operating conditions and risk landscape of the Dams Sector. Each sector-specific agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Homeland Security is designated as the Dams Sector's sector-specific agency.

Food and Agriculture:

The Food and Agriculture Sector-Specific Plan details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Agriculture and the Department of Health and Human Services are designated as the co-Sector-Specific Agencies for the Food and Agriculture Sector.

Transportation:

The Transportation Systems Sector-Specific Plan details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Postal and Shipping Sector was consolidated within the Transportation Systems Sector in 2013 under Presidential Policy Directive 21. The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector.

Healthcare:

The Healthcare and Public Health Sector-Specific Plan details how the National Infrastructure Protection Plan risk management framework is implemented within the context of the unique characteristics and risk landscape of the sector. Each Sector-Specific Agency develops a sector-specific plan through a coordinated effort involving its public and private sector partners. The Department of Health and Human Services is designated as the Sector-Specific Agency for the Healthcare and Public Health Sector.

So in the above way we can understand the answer of your question.