Infrastructure Security Month has something for everyone

Infrastructure Security Month (ISM) has entered its fourth and final week. So far, we have covered shared risk and responsibility, securing public gatherings, and building security and resilience into critical infrastructure. This week the focus is on election security and building resilience into our democratic processes.

As part of the weekly initiative, CISA is expanding outreach to election officials across the United States to remind them of the extensive security resources available through the agency. CISA offers tabletop exercise training for early voting, voting by mail, and election day voting machines and many other cybersecurity resources. CISA’s regional protective security advisors are also available to assess the security of the physical infrastructure around election activity. The Elections Infrastructure Information Sharing and Analysis Center™ (EI-ISAC®) is a non-profit organization that works with CISA to support the cybersecurity needs of the elections subsector.

Infrastructure Security Month has a defined purpose, but we are free to use this month for any purpose we like. You don’t have to be a critical infrastructure stakeholder to benefit from ISM and the many resources provided by CISA. For example:

• A recurring theme of ISM is that infrastructure is a “system of systems.” If one piece of infrastructure is insecure, the entire body of infrastructure is vulnerable. Couldn’t you say the same of your business? Your IoT, workstations, email inboxes, and connected mobile devices are all systems within a greater system. And your system can expand beyond your reach if you are connected to a supply chain or service provider that can access your network. How do you control this? CISA can help you with this, starting with the six basic steps you can begin right now.


• Infrastructure security is more than just cybersecurity. CISA offers resources on mitigating threats around violence and acts of terrorism, but those aren’t the only physical threats to your office space or other facilities. Hurricanes, earthquakes, wildfires, and other disasters can interrupt your business operations directly or through your supply chain. CISA has resources to help plan for disasters and related interdependencies.


• Facilitating collaboration between infrastructure sectors and stakeholders is a primary task for agencies charged with ISM. The National Risk Management Center (NRMC) leverages subject matter experts to collaboratively analyze the threats to high-risk critical functions. For the NRMC, these are industry sectors, like 5G and pipeline cybersecurity. For your business it might be email, e-commerce web applications, or a network of industrial controls. Have you identified your company’s high-risk critical functions? Do you have colleagues, vendors, or a professional network to help you understand and mitigate the associated risks?


• All sectors and companies are at risk of insider threat incidents. CISA describes an insider threat as an act by a current or former employee, third-party contractor, or business partner. Has your company considered these risks? CISA has extensive resources to help you understand risks and warning signs. There are also fact sheets and guides on the role of HR and other departments can prevent these threats. An Insider Threat Program Maturity Framework helps you assess your company’s risk. It was written for government agencies but aligns with the needs of most businesses.


• Tabletop exercises and vulnerability assessments are necessary to ensure the best possible mitigation and response. Tabletop exercises provide valuable opportunities to practice your response to a ransomware attack, natural disaster, prolonged power outage, etc. CISA offers templates and scenarios to help you customize threats to your unique business.

There are far too many resources, activities, and initiatives for us to cover, but here are some of our favorites:

• Infrastructure security overview: This is the introduction to the program and it’s a good place to start if your only experience with CISA is the National Cyber Awareness System. The interactive CISA Services Catalog details the many mission areas of CISA and assists readers in finding applicable resources. The 2021 Infrastructure Security Month guide provides advice and links to more information on the topics covered throughout the month.


• Information and Communications Technology Supply Chain Risk Management: These resources were developed for infrastructure security but can easily be adapted to business scenarios. There are online courses, threat scenario reports, easy to follow leadership guides, detailed information on IoT technology and associated risks, and much more.


• Insider Risk Self-Assessment Tool: Every business can find value in this section. There is a program evaluation assessment worksheet, guidance documents, and a one-pager that provides a simple overview of the program. This document would be helpful to anyone who needs to get buy-in on performing an assessment.


• Infrastructure Resilience Planning Framework: The framework outlines a five-step process that ensures the consideration of security and resilience when making project and investment decisions. There are worksheets and external references that help guide a team through the entire process, from defining the scope through implementation and evaluation.


• Cyber Storm After-Action Reports: Cyber Storm is an extensive test of the nation’s response to a cyber crisis impacting critical infrastructure. These reports detail the outcomes of the simulations, and every company should review key findings and recommendations. For example, one key finding of the 2020 exercise is “In increasingly distributed working environments, some organizations found distributed response could delay coordination and extend response timelines.” The result is a recommendation that companies consider the challenges of the distributed environment in their incident response plans. The exercise, findings, and recommendations are explained in the report. Even if the information isn’t directly applicable, it’s sure to spark some ideas on improving security and incident response.

Infrastructure Security Month is coming to an end, but the threats to our infrastructure, economy, and well-being will continue. You can learn more about these threats and how to combat them at the CISA website.