A Rising Threat
In the past, much of our critical infrastructure was built with analog technology that was much less susceptible to cyber attacks. Not anymore. Most of our nation’s critical infrastructure is Internet dependent and is the target of persistent cyber attacks. Evidence suggests that nation-state adversaries have tested the resilience of our electricity grid to cyber attacks and found significant weaknesses. Recent attacks on our elections and financial infrastructures have also been well documented. It is increasingly clear that a nation-state with the desire to disrupt our critical infrastructures can do so at any time. In the near future, this same capability will be available to unaligned groups such as terrorists. These are clearly sobering observations for the most powerful nation on the globe.
Polls suggest that the public is increasingly aware and concerned about the pervasive cyber vulnerabilities in our critical infrastructure. Reports repeatedly confirm that the organizations charged with providing essential services to citizens and for protecting sensitive personal and financial information from cyber threats are doing a very poor job. What needs to happen to ensure adequate cyber resiliency?
The first step in improving cyber resilience is ensuring that all organizations responsible for critical infrastructure are practicing good cyber hygiene through the implementation of proven best cybersecurity practices. Why do this? The vast majority of successful cyber-attacks continue to exploit inadequate implementation of basic technical and management disciplines—a lack of fundamental cyber hygiene.
Using a consensus process, CIS has documented 20 essential activities conducive to good cyber hygiene through the implementation of proven best practices. The CIS Controls can help defend against the most common cyber-attack patterns. Not coincidentally, CIS has observed that virtually all of the successful attacks against critical infrastructures exploited poor cyber hygiene, most frequently the failure to patch known software vulnerabilities. That is, if the CIS Controls had been implemented, these attacks would not have occurred.
It is important to understand that if organizations do not implement the fundamental best practices and cyber hygiene, all other efforts and expenses to provide enhanced security are literally wasted. Attackers have consistently shown that they focus first on the easily-exploited weaknesses in basic cyber hygiene, such as patching known vulnerabilities, ensuring only authorized hardware and software are permitted to operate, auditing for anomalous activity, and limiting system administrator privileges. Patching (only) some systems against known vulnerabilities just does not cut it. A single unpatched system is all that is needed for an adversary, using automated scanning tools, to exploit that single vulnerability. Once the single vulnerability is exploited, attackers can easily move within the enterprise.
Reducing the Threat Surface
One of the most common cyber vulnerabilities is poor configuration management. Hardware and software are set up by manufacturers for ease-of-use over security; this means that secure configurations must be implemented on every workstation, server, and mobile device within an organization. The CIS Benchmarks provide consensus-based secure configurations for over 100 technologies including operating systems, mail servers, and printers. Free to download in PDF format, the CIS Benchmarks are used by businesses and organizations around the world to help reduce technical vulnerabilities.
With CIS SecureSuite Membership, users can automate configuration checks, implement secure configurations, and view system compliance to the CIS Benchmarks over time. CIS SecureSuite Membership provides access to CIS-CAT Pro, a robust tool that scans systems, compares their settings to the secure benchmark recommendations, and provides a compliance score out of 100. Membership also includes remediation kits (GPOs for Windows and shell scripts for Linux) for rapidly implementing secure configurations.
Learn more about CIS SecureSuite Membership
The Tipping Point
Despite what might appear to be compelling logic for implementing cyber hygiene best practices in critical infrastructures, many organizations lag behind when it comes to cyber defense readiness.
It is time for organizations responsible for critical infrastructures to implement proven cyber best practices like the CIS Controls and CIS Benchmarks. California has provided good leadership in this area by stating that failure to implement the CIS Controls “would be indicative of an organization’s failure to provide reasonable security.”
We have reached a necessary tipping point where the status quo of public apologies after an attack and more free credit monitoring is no longer sufficient. We need those who have authority over our nation’s critical infrastructure to take the prudent steps of requiring basic cyber hygiene and holding leadership accountable for failure to do so. It is truly time to get serious about protecting our nation's critical infrastructure.