The world's critical infrastructure is increasingly under attack and remains worrisomely vulnerable because of a failure to coordinate protection activities and a lack of persistent investment in security, explains Cyber-Physical Security and Critical Infrastructure, a report released today at the 38th Annual General Assembly of the International Security Ligue. The new report is a joint project of the Ligue, founded in 1934 and representing the world’s leading security firms, and the Confederation of European Security Services (CoESS).
“With an expanding threat surface and persistent adversaries, critical infrastructure security requires a coordinated approach that accounts for both cyber and physical security risk,” explained Ligue Secretary General Armin Berchtold during an announcement of the report’s release. “It is hard to overstate how critical this issue is, as even small security failures in connected environments can have cascading effects and devastating impacts on society.”
Relevant for operators and owners of critical infrastructure, policymakers and regulators, and other stakeholders, the report details the oversight and management strategies required to protect nations and societies in the era of connected systems and hybrid threats. It summarizes challenges facing the world’s critical infrastructure and includes deep dives on critical issues by leading security experts from around the world, on topics including integrated security governance, the role of legislation and regulation, unified penetration testing and risk assessment, and the role of public-private partnerships.
“Security threats faced by critical infrastructure today aren’t cyber or physical, they’re both—and, just as often, necessary countermeasures aren’t one or the other. Yet, this convergence hasn’t been matched in how security is managed at the world’s critical infrastructure,” said Garett Seivold, one of the report’s authors.
“Cybersecurity and physical security are addressed in siloes, whether at the operational or legislative level, and this creates vulnerabilities that can have serious consequences in the physical world. At the intersection of these two dimensions is the human factor: most cyberattacks are made possible by accidental, negligent, or malicious human action,” explained Catherine Piana, Director General at CoESS. “To address this burning issue, CoESS and the International Security Ligue teamed up with the aim to raise awareness to this issue through expert contributions from across the world. We hope that this joint white paper will stimulate discussion and trigger action to protect people, assets, and infrastructure.”
The report traces the escalation of risks to critical infrastructure, which multiply as legacy critical infrastructure systems are opened to communication and pushed to the cloud, providing attackers with new opportunities to compromise these high-value targets. Attacks on privately held, often unregulated critical infrastructure operators pose critical risks for societies, and may occur as an outgrowth of geopolitical tensions, criminal enterprises holding systems hostage for ransom, or extremists of all sorts seeking to disrupt the status quo of societies.
The report details the collaborations that are necessary to meet mounting threats: between government agencies and private businesses, public and private security, and among different departments at operators of critical infrastructure. An effective collective defense approach requires recognition that security is truly a shared responsibility between many stakeholders: physical security, network security, operation and facility management, senior management, and others.
The joint Ligue-CoESS report on critical infrastructure security is freely available with the goal of helping to protect societies by enhancing the resilience of the world’s critical systems and can be downloaded here.