theNet by CLOUDFLARE

Safeguarding critical infrastructure organizations

Using IT cybersecurity to prevent operational disruption

Critical infrastructure operators support the backbone of modern society, and that makes them prime targets for cyber attacks. Unlike in many other industries, the cybercriminals and nation-states attacking these organizations rarely want only to steal data. Instead, they want to create operational disruption that causes economic harm and produces serious repercussions for millions of people.

Attacks on critical infrastructure operators are growing. In 2023, the CIO at the Transportation Security Administration (TSA) said that the rising number of cyber attacks on US infrastructure and the increasing cyber capabilities of foreign adversaries meant that we had entered a cyber war. And in fact, attacks on US transportation, water, and energy operators have been linked to state-sponsored actors.

In 2024, the US Environmental Protection Agency (EPA) echoed the TSA sentiment, noting that “Recent high-profile incidents at water systems have demonstrated the urgency needed to address cybersecurity weaknesses and vulnerabilities to physical attacks.” The same year, the North American Electric Reliability Corporation (NERC), a not-for-profit international regulatory authority, warned that US power grids are becoming increasingly vulnerable to attacks, with the number of susceptible points in electrical networks increasing by about 60 per day.

Attacks in the last few years demonstrate how relatively small initial breaches, even of seemingly separate IT systems, can have enormous consequences for operations:

  • Colonial Pipeline: The 2021 attack on Colonial Pipeline was relatively simple: The attackers used the compromised password of a legacy VPN account that was not protected by multi-factor authentication to steal data and deploy ransomware in IT systems, including billing and accounting systems. Either to prevent the spread of the attack or to avoid billing problems for fuel distribution, Colonial Pipeline shut down its pipeline operations. And that caused a panic, as people alarmed by the headlines scrambled to buy gas.

  • Oldsmar, Florida, water treatment: Earlier that same year, someone remotely accessed the control systems of a water treatment facility in the small town of Oldsmar, Florida, and briefly raised the setpoint for sodium hydroxide (lye) in the drinking water. Though a plant operator quickly reversed the change and no one was harmed, the incident highlights how a cyber attack can affect the health and well-being of community members.

These types of attacks demand change to how IT cybersecurity teams support operations. In the past, many IT security and operational technology (OT) teams were distinct. IT security focused on defending against cybersecurity threats while OT concentrated on keeping systems up and running.

Modern cybersecurity threats require IT security teams to expand their role. They must apply a full range of cybersecurity capabilities to OT to prevent devastating disruptions.



Why apply IT security to operational technology

IT and OT systems began converging more than a decade ago. The implementation of industrial IoT sensors, remote monitoring systems, and cloud-based analytics has connected IT and OT environments.

This connection enables operational efficiency, but it also creates new pathways for adversaries. As the Colonial Pipeline attack showed, attackers no longer need to compromise an industrial control system to produce a severe operational disruption. A compromised laptop now offers a path to that industrial control system. A misconfigured cloud service can expose supervisory control and data acquisition (SCADA) networks.

Applying IT security capabilities to OT is essential for blocking those pathways for attackers. Yet too few critical infrastructure operators have implemented a unified approach that uses cybersecurity capabilities to protect both IT and OT.

The potential for losing tens of millions of dollars for a few days of disruption makes a strong economic case for implementing that unified approach immediately. A security platform that prevents just one day of unplanned downtime often pays for itself within the first incident.

"Critical infrastructure operators should treat IT security as operational insurance, not just data protection."


Three-step strategy for applying IT security to operational technology

To protect operations with IT security, most critical infrastructure organizations require a three-step strategy. Starting with urgent needs, then following with best practices and a risk-based framework, can help you handle threats now and in the future.

  1. Address high-priority risks

    Shutting down phishing schemes should be one of your first priorities. Many cyber attacks — on critical infrastructure operators and other organizations — begin with phishing. Attackers attempt to trick users into providing login credentials for enterprise systems or clicking on links that download and spread malware through the company network.

    Combating phishing often demands multiple, integrated solutions. For example, deploying an email security solution can stop phishing emails from arriving in users’ inboxes. And employing a secure web gateway (SWG) solution can prevent users from reaching malicious sites, even if they are tricked into clicking a malicious link within an email or message.

  2. Implement foundational cybersecurity best practices

    Once you’ve addressed the most immediate needs, it’s time to implement a more comprehensive approach that enables you to identify and mitigate vulnerabilities, protect systems and data, detect threats, and respond to attacks rapidly.

    Identify:
    Your IT security team should find and address the vulnerabilities that could enable attackers to disrupt operations.

    For example, engineering workstations are often targeted by attackers because they access both enterprise applications and industrial control systems. These workstations typically run specialized engineering software with elevated privileges and relaxed security controls. IT security can break the attack chain by protecting engineering workstations with microsegmentation. Instead of treating workstations as trusted bridges between networks, you should use a security platform that can monitor every connection, validate every communication against an explicit allow policy, and instantly isolate a workstation that attempts connections the policy does not permit.

    Security teams also need to address potential vulnerabilities in public-facing applications, which are frequent initial entry points for attacks. Implementing a web application firewall (WAF) can help block threats in real time while maintaining operational continuity.

    Protect: Strengthening access controls and improving data protection are essential for avoiding serious operational disruptions.

    Transitioning to a zero trust security model enables you to prevent unauthorized access to IT systems that can lead to operational disruptions. With a zero trust network access solution, you can ensure that only the right users, on devices that meet your posture requirements, can access specific applications, and that nothing else on the network is reachable to them. This limits lateral movement: an attacker who compromises one user's device cannot scan the network and pivot to other systems from it.

    Detect: IT security teams must anticipate emerging threats so they can put the right preventive measures in place.

    Adopting an advanced cybersecurity platform enables you to analyze attack patterns across global networks and spot campaigns targeting specific industrial sectors or control system vendors. This threat intelligence could reach your security team hours or days before any actual attack. Your IT security platform could then proactively block the attacking infrastructure, patch vulnerable systems, or implement compensating controls — all before operational systems are at risk.

    This approach is a fundamental shift from reactive security to predictive operational protection. IT security becomes an early warning system for operational reliability threats.

    Respond:
    Responding to threats in real time requires automation.

    A WAF service that uses machine learning can identify and autonomously block threats in real time. For some critical infrastructure organizations, adopting a security operations center (SOC)-as-a-service solution will be an important supplement to WAF, DDoS, and other security solutions. The SOC service can respond rapidly to attacks while also conducting root-cause analyses, delivering thorough incident reports, and helping devise plans for future countermeasures.

  3. Adopt a risk-informed framework

    Many critical infrastructure operators will benefit from following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to manage cyber risk. The CSF is designed to help organizations of all sizes better understand, assess, prioritize, and discuss cybersecurity risks. It is particularly useful for managing complex environments — including environments where IT and OT are converging.

    While the framework does not recommend specific solutions, it can help you identify needed security capabilities and process improvements. You can use the framework to develop an efficient strategy for using IT security to maintain uninterrupted operations.
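As an added worked example (not code from this article or from Cloudflare), the following Python models the two controls from step 2 as a single default-deny policy engine: the microsegmentation of engineering workstations described under Identify, and the identity, MFA and device-posture checks of a zero trust network access policy described under Protect. Host names, zones, port numbers, users, groups and policies are all constructed for illustration; the structure is what matters, namely that a flow or access request is allowed only when it matches an explicit rule, and that a source which attempts unpermitted connections is flagged for isolation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed sample data)."""
    src: str    # source host name
    dst: str    # destination host name
    port: int   # destination TCP port


# Zone membership for the constructed sample environment. Any host not
# listed here is unknown and is denied by default.
ZONES = {
    "eng-ws-01": "engineering",      # engineering workstation
    "hmi-01": "control",             # HMI on the control network
    "plc-01": "control",             # PLC
    "historian-01": "control",       # process historian
    "corp-laptop-17": "enterprise",  # ordinary enterprise laptop
    "erp-app": "enterprise",         # enterprise application server
}

# Explicit allow rules: (source zone, destination zone) -> permitted ports.
# Port values are illustrative (502 is Modbus/TCP, 44818 is EtherNet/IP).
# Everything not listed is denied, so engineering workstations reach control
# hosts only over the industrial protocols and the enterprise zone has no
# path into the control zone at all.
SEGMENT_RULES = {
    ("engineering", "control"): frozenset({502, 44818}),
    ("engineering", "enterprise"): frozenset({443}),
    ("enterprise", "enterprise"): frozenset({443}),
}


def evaluate_flow(flow):
    """Return (allowed, reason) for a flow under the default-deny policy."""
    src_zone = ZONES.get(flow.src)
    dst_zone = ZONES.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return False, "unknown host"
    permitted = SEGMENT_RULES.get((src_zone, dst_zone), frozenset())
    if flow.port in permitted:
        return True, f"allowed {src_zone}->{dst_zone}:{flow.port}"
    return False, f"no rule for {src_zone}->{dst_zone}:{flow.port}"


def hosts_to_isolate(flows):
    """Source hosts that attempted any denied flow. A microsegmentation
    platform would quarantine these rather than let them keep probing."""
    return sorted({f.src for f in flows if not evaluate_flow(f)[0]})


@dataclass(frozen=True)
class AccessRequest:
    """An application access request as a ZTNA policy engine sees it."""
    user: str
    groups: frozenset
    device_managed: bool   # device is enrolled in management
    disk_encrypted: bool   # posture signal reported by the device client
    mfa: bool              # MFA completed for this session
    app: str


# Per-application policies (constructed). An application with no policy is
# unreachable, which is the zero trust default.
APP_POLICIES = {
    "scada-hmi": {"group": "ot-engineers", "managed_device": True},
    "erp-app": {"group": "finance", "managed_device": False},
}


def evaluate_access(req):
    """Return (granted, reason). Group, MFA and device posture must all pass;
    failing any single check denies the request."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if policy["group"] not in req.groups:
        return False, f"user not in group {policy['group']}"
    if not req.mfa:
        return False, "MFA not satisfied"
    if policy["managed_device"] and not (req.device_managed and req.disk_encrypted):
        return False, "device posture check failed"
    return True, "access granted"


if __name__ == "__main__":
    sample_flows = [
        Flow("eng-ws-01", "plc-01", 502),          # legitimate Modbus session
        Flow("eng-ws-01", "historian-01", 3389),   # RDP to the historian: denied
        Flow("corp-laptop-17", "hmi-01", 502),     # enterprise laptop probing the HMI
        Flow("corp-laptop-17", "erp-app", 443),    # normal enterprise traffic
    ]
    for f in sample_flows:
        print(f"{f.src} -> {f.dst}:{f.port} {evaluate_flow(f)}")
    print("isolate:", hosts_to_isolate(sample_flows))

    for r in [
        AccessRequest("alice", frozenset({"ot-engineers"}), True, True, True, "scada-hmi"),
        AccessRequest("bob", frozenset({"finance"}), False, False, True, "scada-hmi"),
        AccessRequest("carol", frozenset({"ot-engineers"}), False, False, True, "scada-hmi"),
    ]:
        print(r.user, r.app, evaluate_access(r))
```

The design choice worth noting is that both evaluators start from deny: an unknown host, an unlisted port, or an application without a policy never falls through to an allow. That is what makes the compromised enterprise laptop in the sample harmless to the HMI even though the laptop is on the network, and it is the property to check for when evaluating a real microsegmentation or ZTNA product.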


Enabling IT and OT convergence

Really, the question isn’t whether IT security should protect OT systems. It’s whether your current security architecture is ready for its expanded role.

Cloudflare offers a full range of cloud-native cybersecurity capabilities to address key threats that can lead to operational disruptions for critical infrastructure operators. With Cloudflare services, organizations can gain actionable threat intelligence, automatically block threats, stop phishing schemes, and establish a zero trust model to prevent unauthorized network access. A SOC-as-a-service offering enables organizations to offload monitoring, threat detection, and incident response work to an expert team.

These and other services can help you meet and exceed the cyber protections recommended in the NIST CSF. With Cloudflare, you can efficiently and effectively use IT security to address the risks that lead to operational disruptions.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Dive deeper into this topic.

Learn more about the best practices for IT modernization projects that can help you strengthen security and prevent operational disruptions in The simple way to efficient IT for federal agencies ebook.


Author

Dan Kent — @danielkent1
Field CTO for Public Sector, Cloudflare



Key takeaways

After reading this article, you will be able to understand:

  • The impact of operational disruptions for critical infrastructure

  • The three-step strategy for applying IT security to operational technology

  • Key security capabilities for protecting operational technology


