Editor's note: The following is a guest article from Katell Thielemann, VP analyst at Gartner, focusing on risk and security of cyber-physical systems.
Every citizen in every country in the world is dependent upon critical infrastructure. From communications to emergency services, healthcare to transportation — these sectors are essential for modern societies to function.
Yet in recent years it has become increasingly clear that the world's critical infrastructure is at risk. Attacks on organizations in critical infrastructure sectors have increased dramatically, from fewer than 10 attacks in 2013 to almost 400 in 2020 — a 3,900% rise.
Public and private sector leaders are raising concerns about the security of the systems that underpin critical infrastructure, and taking steps to roll out new security controls, processes and regulations as a result.
Here is what security and risk leaders need to know about critical infrastructure systems security and the steps that they can take in 2022 and beyond to reduce the risk of attack:
Critical infrastructure attacks on the rise
Critical infrastructure sectors are not only essential for the proper functioning of society — they are also interdependent, meaning that an attack on one could have a direct impact on others.
For example, if a wastewater treatment plant's operation was halted by a cyberattack, it could have cascading effects:
- Citizens would be deprived of safe drinking water and sanitation
- Fire hoses would not work
- Schools, offices, government facilities and hospitals would be unable to operate
- The agriculture sector would be impacted
- Nuclear facilities that rely on water cooling would be at risk
Over time, the technologies that underpin critical infrastructure have become more digitized and connected, creating cyber-physical systems (CPS).
CPS are composed of legacy infrastructure, deployed years ago without built-in security, and new assets that are often deployed with vulnerabilities of their own.
This architecture has resulted in a substantial increase in the attack surface for hackers and bad actors of all kinds, and the CPS that underpin most of this critical infrastructure are under attack.
For example, the Colonial Pipeline ransomware attack in May 2021 was the most brazen of a string of cyberattacks that impacted CPS in recent years. While the initial attack targeted enterprise IT systems, the company felt it had no choice but to cease pipeline operations.
Other notable targets have included aluminum provider Norsk Hydro, meatpacker JBS USA, grain supplier New Cooperative and numerous hospitals.
These attacks are not expected to abate anytime soon: Gartner predicts that through 2025, 30% of critical infrastructure organizations will experience a security breach that will result in the halting of an operations- or mission-critical cyber-physical system.
Attack severity is increasing as well, evolving from the goal of immediate process disruption, such as shutting down a plant, to compromising the integrity of industrial environments with intent to create physical harm by targeting safety-critical systems.
New CPS security directives emerge
Governments across the world are realizing their national critical infrastructure has been an undeclared battlefield for decades. In response, they are mandating more security controls for CPS and increasing their national security efforts to counter attacks on critical infrastructure.
In the U.S., for example, the Transportation Security Administration (TSA) issued two security directives to pipeline operators in July 2021, following the Colonial Pipeline incident.
To shore up critical infrastructure security efforts, governments will employ the three main levers at their disposal:
- The carrot — for example, offering technical assistance, grants to deploy security tools or incentives in the form of rate treatment for bulk electric power.
- The stick — this could manifest in the form of terms and conditions in federal acquisitions, for vulnerability management or incident reporting.
- Public-private partnerships — security information sharing efforts, where governments and private industry share threat intelligence and incident response playbooks more openly.
The implication for critical infrastructure owners and operators is that the pendulum is shifting toward more government involvement in security. New mandates are expected, and they will likely evolve from voluntary to mandatory as incidents multiply.
What's next: Developing a CPS security strategy
More than one-third of respondents to a recent Gartner survey expected to increase spending on operational technology (OT) security by between 5% and 10% last year. For 8% of respondents, spending growth would exceed 10%.
For security and risk management leaders, including CIOs and CISOs, this focus on and investment in CPS security must continue through 2022 and beyond.
Organizations can start by:
- Developing a CPS security strategy where OT, the internet of things (IoT), the industrial IoT (IIoT) and IT security are managed as part of a coordinated effort.
- Accelerating CPS security stack convergence by inventorying all OT/IoT security solutions used across the organization.
- Evaluating the growing list of stand-alone or multifunction platform-based options for interoperability with your IT security tools.
- Investing in threat intelligence to monitor potential attacks that may impact operations, as early detection is key to stopping attacks before they become a significant threat to operations.
Organizations should also incorporate emerging security directives for critical infrastructure into governance. In the U.S., for example, the "national security memorandum on improving cybersecurity for critical infrastructure control systems" is prioritizing the electricity and natural gas pipeline sectors, followed by the water/wastewater and chemical sectors. Join industry groups to stay apprised of security best practices, upcoming mandates and requests for input from government entities.
Now is the time for security and risk management leaders to prioritize CPS and critical infrastructure security. Cyberattacks on such systems will continue to increase in volume and severity, and it's important to understand the very real risks that such an attack could present for not only the impacted organization, but for interdependent organizations, systems and sectors as well.