Strengthen your critical infrastructure with a holistic cybersecurity strategy

Author: Chris-Brill Morgan and Peter Clissold

At a glance

A single layer of security cannot protect an organization's critical infrastructure from threats. Even air-gapped systems, which are deemed highly secure, are far from impenetrable if used on their own. A defense-in-depth strategy is essential for optimal cybersecurity to safeguard operations and protect sensitive data. 

The role of air-gapped networks in critical infrastructure security

GHD Digital research indicates that more than half of the global critical infrastructure suppliers have experienced attempts to control and shut down their systems. Additionally, approximately 75 percent of these suppliers believe cyberattacks are becoming increasingly sophisticated. The rising number of cyberattacks on critical infrastructure compels industries to re-examine the state of their own cybersecurity. 

Historically, an air-gapped network has been used as a tactic to protect critical systems. Akin to an island, this standalone industrial automation network is not connected to the internet or other external systems that could influence it. System changes, patches and historical data retrieval would be completed manually using engineering laptops or removable media like floppy disks, CD-ROMs and USB drives.

By severing external connections, air-gapped environments present a reduced attack surface to malicious actors, but they do not eliminate the threat completely. Air-gapped separation of networked environments is often employed by industrial sectors that were traditionally stand-alone in nature or where a high level of security is required, such as defense installations, energy and water, petrochemical and transport sectors.

Air gapping and its vulnerabilities

However, relying on air-gapping alone can put critical infrastructure at greater risk. The findings of the Honeywell Industrial Cybersecurity USB Threat Report 2020 revealed that USB devices could easily bypass air-gapped protections and remain undetected without proper cybersecurity measures. 

Real-world examples of breaches illustrate that isolated systems, despite being valuable security controls, cannot fend off all forms of attack. In 2010, the Stuxnet worm jumped the air gap of a uranium enrichment facility's networks via an infected USB drive, which impacted the Iranian nuclear program.

Insider threats have emerged as a significant risk to air-gapped environments, effectively bypassing their isolation. These threats typically fall into two categories: malicious insiders, who exploit their authorized access to intentionally compromise or alter systems, and accidental insiders, whose mistakes or oversights can unintentionally cause harm.

From an operations standpoint, the main advantage of a truly air-gapped system can also be its main disadvantage: inaccessibility. Restricted connectivity and communication can hinder business operations, making it difficult to access data and services such as inventory management, energy demand management, production reporting, quality management, etc. Regular updates and maintenance activities can be impractical and cumbersome as they need to be performed manually. Aside from being resource-intensive, air-gapped networks can impede productivity, efficiency and agility, the costs of which organizations can ill afford. 

Security is about layering

The above scenarios show how relying on one tier of protective control is inadvisable. Balancing cybersecurity needs, operational priorities and functionality highlights the need for a comprehensive approach to cybersecurity. 

A defense-in-depth strategy is anchored on the premise of layering an organization’s cybersecurity controls outward from the point where a threat actor would originate. This ensures continued protection even if one layer is compromised, thereby strengthening the overall security capabilities of the system. Practicing this approach includes two or more of the following controls:

  1. Policies and procedures: These establish the foundational rules and guidelines for managing security within the organization. They outline roles and responsibilities, provide a framework to guide decision-making and monitor the cybersecurity risk management performance of the organization.

  2. Physical security: These measures mitigate physical threats by preventing unauthorized access to facilities, systems, subsystems and critical components.

  3. Perimeter security: These controls focus on protecting the boundaries of an organization’s communications network. For instance, air-gapped networks prevent external threats from gaining a foothold within the industrial automation and control system networks. 

  4. Network security: These controls safeguard the organization’s internal local area network from both external and internal threats. Even if an attacker breaches the perimeter, these hinder lateral movement within the industrial automation and control system network. 

  5. Host protection: This secures individual devices or hosts connected to the network. It defends against attacks that target specific systems and prevents them from being used as a launch point for further breaches.

  6. Application security: These measures are designed to protect software applications from vulnerabilities and exploits, such as gaining access to SCADA systems, system setpoints or sensitive data. 

  7. Data security: This is the innermost layer of defense, focused on protecting the organization’s data assets. It protects data integrity, maintains confidentiality and ensures data is available only to authorized users. Data in the industrial automation and control system includes configuration information, control algorithms, setpoints, production information and safety interlock messaging.

Embrace an integrated defense-in-depth strategy

A secure ecosystem of critical infrastructure not only provides uninterrupted essential services but also empowers organizations to yield substantial benefits. These include cost savings, enhanced quality and improved operational efficiencies. Consider these steps to elevate your organization’s cybersecurity practice:

  • Adopt a defense-in-depth strategy. Employ a defense-in-depth strategy where each level of protection is assessed against your organization’s objectives. A multi-layered approach helps reduce the likelihood and magnitude of cyberattacks, ensuring that your systems remain resilient and reliable.
  • Apply secure-by-design principles. Cybersecurity should be considered from the outset of system development, integrating built-for-purpose components and architecture for maximum security.
  • Seek secure-by-default products. Products and applications should be secure out of the box with no additional configuration. Security features should be aligned with the requirements of the reference security network architecture.
  • Conduct regular cybersecurity assessments. Implementing security measures isn’t a “set it and forget it” solution. Regular assessments help you identify and address vulnerabilities in systems. 

Connect with our team and take the next step in securing your critical infrastructure. 
