
Critical Infrastructure Cybersecurity and Resilience, a Shared Responsibility

By Daniel Dobrygowski, Head of Governance and Policy, World Economic Forum Centre for Cybersecurity


Cyber risk is business risk. Global companies have accepted this fact and are learning to deal with it (although some are quicker studies than others).

In critical infrastructure, cyber risk is not just business risk; it is also a systemic risk that can threaten lives and the stability of nations. Households, businesses, and vital institutions depend on this infrastructure, which has always made the reliability of its components paramount. Critical infrastructure operators have long maintained robust mitigation and recovery plans for physical risks such as natural disasters or component failure. Today, however, ensuring that same reliability requires a cybersecurity and resilience strategy that is planned just as carefully.

Furthermore, it is no longer enough for any one company to secure its own networks. Combating cybersecurity risks in critical infrastructure requires significant cooperation between layers within companies, between companies across an ecosystem, and between companies and governments.

The idea that a computer vulnerability could cross the cyber-physical divide and affect the real world was once only theoretical. However, at least since 2007, when the “Aurora” experiment demonstrated that cybersecurity risks in the utility industry are not confined to the network domain, and certainly since 2010, when the Stuxnet worm caused actual failures of physical equipment, it has been clear that this threat demands attention. Moreover, the use of new digital technologies to make power grids and other infrastructure more efficient, including decentralized control, has accelerated the merging of our virtual and physical worlds, thereby expanding the attack surface available to malicious actors.

The only way to deal with this rapid expansion of the attack surface is to establish mechanisms for working together on critical cybersecurity issues. To ensure cyber resilience in critical infrastructure, individuals, companies, and governments will need to cooperate more effectively.

Organization-Internal Cooperation

Understanding and mitigating risk is a leadership responsibility. In most companies, it is a responsibility that ultimately sits with the board of directors. However, given the relative novelty of cyber risk, most board members are woefully underprepared to set corporate strategy in the face of cybersecurity challenges, let alone foster the development of a security culture. That needs to change quickly.

Many corporate boards do not feel equipped to manage cyber risks with the same level of confidence that they manage other risks. Leading practices have not yet become part of the standard set of board competencies. This knowledge does, however, reside with technical managers.

This is why cooperation is the key to success. Managers of technical (IT and OT) functions must be far more present in boardroom discussions. At the same time, boards, senior executives, and technical managers have to come together to develop a common language (ideally one framed in risk and business terms rather than technology terms) so that they can understand each other and understand the risks they need to mitigate in order to realize the benefits that technology can bring to the company.

Ecosystem-wide Cooperation

But even if an infrastructure company has a perfect security culture and has made security and resilience a component of its overall strategy, that company is still operating in an ecosystem where cyber risk travels fast and spreads wide. US Secretary of Homeland Security Kirstjen Nielsen put it best at the RSA Conference in San Francisco in April 2018, when she said, “Hyperconnectivity means that your risk is now my risk and that an attack on the ‘weakest link’ can have consequences affecting us all.”

Infrastructure systems are so complex that the organizations involved rely on countless partners to provide business-critical components and services (everything from core operational assets and smart devices to legal and consulting services). Each of these partnerships requires some level of systems interaction and may even involve the exchange of highly sensitive information. This adds to a firm’s exposure, because these partnerships create a broad, complex, and multidimensional ecosystem. Malicious actors can then exploit this multiplicity of new connections, vastly expanding the set of exploitable vulnerabilities.

Therefore, leaders in these critical areas need to take an ecosystem-wide view and evaluate the role and impact that connected enterprises (producers, distributors, vendors, users, regulators, etc.) have on their cyber resilience strategy (and vice versa).

Public-Private Cooperation

Whether the attacker is a terrorist, a criminal gang, or even another nation, states have historically borne sole responsibility for security within their borders. Thanks to digital networks and the internet, however, borders are now fluid and easily permeable, and the entirety of an attack surface may be in private hands. For this reason, especially where critical infrastructure is concerned, we need to develop a new logic of cooperation between the public and private sectors.

Effective cooperation requires a renegotiation and redefinition of roles and responsibilities. For the most part, cybersecurity obligations have been left to the private sector, implicitly in exchange for more limited regulation of how a firm goes about securing its networks (although it may not always seem more limited). Governments will need to step up their efforts to ensure system-wide security while, at the same time, forgoing the creation of cyber weapons that can be turned against their own infrastructure. Companies, for their part, must take a more constructive approach to working with regulators. If done thoughtfully and with input from all stakeholders, governments can incentivize security by default through smart and agile regulation developed together with the companies putting these technologies into place.

We all need to work together to proactively define and understand our shared responsibilities to protect the networks that underpin critical infrastructure. Otherwise, we may be left in a future in which no one understands their responsibilities, and no one takes responsibility, until it is too late.
