Critical infrastructure cybersecurity has become paramount as sophisticated adversaries exploit vulnerabilities in the information technology (IT) and operational technology (OT) that support the nation’s power grid, water supply and other essential services.
Groups like Volt Typhoon, which has links to the Chinese Communist Party, have shown how easily they can target essential services using living off the land (LOTL) techniques and legitimate network administration tools to hide their activity. These groups target a range of sectors, including education, healthcare, telecommunications, maritime operations and utilities such as electricity and water.
As a result, the stakes are incredibly high. The compromise of U.S. critical infrastructure by groups like Volt Typhoon is thought to lay the groundwork for disruptive assaults if the U.S. and China were to go to war.
Iran, North Korea and Russia are also known to target U.S. critical infrastructure. For instance, multiple Iran-based cyber adversaries have been exploiting all sectors of U.S. critical infrastructure. More often, these threats are delivered in the form of ransomware, seeking to cripple organizations and wreak havoc where it hurts the most — economically. The Russian military has been charged with carrying out cyber operations against U.S. critical infrastructure for espionage, sabotage and reputational harm since at least 2020.
Security teams must adopt a proactive approach to cyber risk management to safeguard critical infrastructure, anticipating and countering the strategies of well-resourced, highly motivated adversaries. If they fail to act as quickly as their attackers, critical infrastructure will remain vulnerable, significantly damaging essential services necessary for daily life and public health.
The patch management battle to protect critical infrastructure
Patch management must be part of cyber defensive measures to protect critical infrastructure agencies and companies. Like government agencies, the critical infrastructure sector is in a race to stay ahead of adversaries. However, patch management remains a challenge for many of these large entities with thousands of diverse applications in their IT environments.
When a patch is released for a software vulnerability, adversaries begin reverse engineering it the same day, while security teams are still trying to understand its significance. The blue team must prioritize which patches to apply, and it may face 40 different tasks when Microsoft issues its monthly patches. Furthermore, some operating systems and applications are not patched monthly, and some vulnerabilities are never assigned a Common Vulnerabilities and Exposures (CVE) number. The attack surface keeps expanding. In such a complex environment, assessing vulnerabilities and applying the appropriate patches can take a security team anywhere from 30 to 90 days, depending on the complexity and number of systems involved. Adversaries, however, can take the patch, examine where the problems exist, and weaponize it in about 15 days or less. This gap gives adversaries like Volt Typhoon a 15-day window to exploit vulnerabilities that are remotely accessible.
Implementing proven cyber risk frameworks in critical infrastructure protection
Critical infrastructure security teams must apply a framework-driven approach, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the Center for Internet Security (CIS) Critical Security Controls, to holistically assess where risks exist. NIST RMF uses NIST Special Publication 800-53, which contains over 160 security controls. CIS has 18 domains, which cover areas such as inventory and control of hardware assets, software asset management, data protection, secure configuration, account management, access control, vulnerability management, network monitoring, security awareness training and incident response. These domains offer a prioritized list of actions that cyber defense teams in critical infrastructure can take to protect their data and systems from cyberattacks, creating a foundation for a cybersecurity program across different organizations or agencies.
Consider this: A critical infrastructure agency has applied the necessary security controls and evaluated the entire organization to determine its strengths and weaknesses, and identify gaps. The team has evaluated all the high-value assets and architectures. Now they have a risk-based view of the entire agency. The IT and security operations teams can then assemble a roadmap that senior leadership can champion. This risk-based process is what many organizations in the critical infrastructure sector lack, which contributes to inadequate cyber hygiene.
Establish a risk operations center (ROC) to aggregate risk data across cybersecurity, operations and finance, creating a unified threat view.
Once critical infrastructure cybersecurity teams become aware of a cyberattack, they need to focus on the threat in a risk context and how their patching processes need to change depending on the adversary, how likely the adversary is to exploit a vulnerability, and what the adversary’s objective is. Next, they should prioritize critical patch management and remediation methods for cyber threats and vulnerabilities, including zero-day exploits and legacy software that cybercriminals can target. These proactive measures are essential for combating risks like unpatched vulnerabilities and protecting digital frameworks against attempted cyberattacks.
As the cyber risk management landscape continues to evolve, the concept of a ROC emerges as a critical milestone. The ROC represents a giant step forward from the reactive stance of security operations centers (SOCs). Aggregating risk data across cyber, operations and finance departments, a ROC combines disparate areas across the enterprise to provide a single view of threats and facilitates risk-based decision-making and planning.
By consolidating various risk signals, ROCs provide government agencies and critical infrastructure with a comprehensive understanding of threats to enhance resilience.
Because risk is an ever-evolving challenge, the ROC serves as a cross-functional collaboration platform for unified risk management and coordinated response to risks in real time. It aggregates, normalizes and prioritizes risk data, enabling organizations to anticipate and address risks before they materialize into full-blown attacks.
Embrace risk-based prioritization to focus on what truly matters, ensuring that critical tasks receive the attention they deserve, and that human resources are used efficiently.
Many cybersecurity professionals say, “Everything is important.” One cannot disagree. However, if everything is critical, nothing is. As a result, cybersecurity teams must prioritize their top risks. If a team has 18 domains and over 160 security controls to filter through, they must pick the top three risks.
After prioritizing risks, security teams must find gaps and realities that they did not know existed, such as the server being exposed to the internet that a hacker group could exploit. The ROC would give critical infrastructure security teams this level of visibility and awareness in a framework-driven world. If these teams have visibility, are hitting the cyber risk management fundamentals, and are improving their cyber hygiene, they will build a more cyber-resilient culture within their organizations.
If cybersecurity teams adopt a process-dependent approach rather than relying on individual expertise, they gain an edge over cyber adversaries. Measuring progress against a risk-based strategy, rather than solely against CVE lists, is the indicator of success in achieving cyber risk goals. Securing senior management buy-in and alignment on protecting the highest-value assets of critical infrastructure helps teams attain their risk prioritization goals. Finally, the organization has reached top-tier cyber risk management when every stakeholder understands the prioritized threats and defenses and can effectively demonstrate this understanding.
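The following is an added example, not code from the article or from Qualys, showing what risk-based prioritization looks like when written down as a procedure: it ranks a constructed set of vulnerability findings by asset value, internet exposure, known exploitation and whether the article's roughly 15-day adversary weaponization window has already elapsed since the patch shipped, then returns the "top three" the article recommends focusing on. The scoring weights, the finding labels (F-01 and so on) and the sample assets are assumptions made up for illustration, not a published formula or real inventory data.

```python
from dataclasses import dataclass

# Figures taken from the article: adversaries weaponize a released patch in
# about 15 days, while defenders typically need 30 to 90 days to apply it.
ADVERSARY_WEAPONIZATION_DAYS = 15
TOP_N = 3  # the article's advice: pick the top three risks, not all of them


@dataclass
class Finding:
    name: str               # constructed label; deliberately not a CVE identifier
    asset: str              # hypothetical asset from the hardware/software inventory
    asset_value: int        # 1 (low) .. 5 (high-value asset), set by the risk assessment
    internet_exposed: bool  # remotely accessible, the gap the article highlights
    exploit_known: bool     # public exploit or observed adversary use
    patch_available: bool   # False for zero-days and unsupported legacy software
    days_since_patch: int   # days since the vendor fix shipped (0 if no patch exists)


def weaponization_window_elapsed(f: Finding) -> bool:
    """True once the patch has been public long enough for adversaries to have weaponized it."""
    return f.patch_available and f.days_since_patch >= ADVERSARY_WEAPONIZATION_DAYS


def risk_score(f: Finding) -> int:
    """Hypothetical additive score; the weights are assumptions for illustration only."""
    score = f.asset_value * 10            # value of what is at risk dominates
    if f.internet_exposed:
        score += 30                       # reachable without an initial foothold
    if f.exploit_known:
        score += 25                       # likelihood of exploitation is no longer theoretical
    if weaponization_window_elapsed(f):
        score += 20                       # defenders are now behind the adversary's clock
    if not f.patch_available:
        score += 15                       # needs compensating controls, not a patch ticket
    return score


def recommended_action(f: Finding) -> str:
    """Maps a finding to the remediation path the risk view calls for."""
    if not f.patch_available:
        return "no patch: isolate the asset or apply compensating controls"
    if f.internet_exposed and weaponization_window_elapsed(f):
        return "patch now: exposed and past the adversary weaponization window"
    if f.internet_exposed:
        return "patch before day 15: exposed but still inside the window"
    return "schedule in the normal patch cycle"


def prioritize(findings, top_n=TOP_N):
    """Ranks findings by descending risk score; ties break on the label for determinism."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.name))
    return ranked[:top_n]


# Constructed sample findings, standing in for output of a vulnerability scan
# joined with the asset inventory; none of these describe real systems.
SAMPLE_FINDINGS = [
    Finding("F-01", "remote-access VPN gateway", 5, True, True, True, 20),
    Finding("F-02", "OT HMI workstation (legacy OS)", 5, False, False, False, 0),
    Finding("F-03", "internal file server", 2, False, False, True, 40),
    Finding("F-04", "public web portal", 3, True, False, True, 5),
    Finding("F-05", "development test host", 1, False, False, True, 90),
    Finding("F-06", "plant historian server", 4, False, True, True, 3),
]


def main():
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.name} score={risk_score(f):3d} {f.asset}: {recommended_action(f)}")


if __name__ == "__main__":
    main()
```

Note that the ranking does not follow the order a CVE feed would give: the unpatchable OT workstation (F-02) and the historian with a known exploit (F-06) outrank the internet-facing portal (F-04) because asset value and likelihood of exploitation carry more weight than exposure alone, which is the point of a risk-based view over a CVE list. In practice the weights and asset values would come from the organization's own risk assessment, and the ROC would be the place where they are agreed across cyber, operations and finance.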
Enhance critical infrastructure protection by elevating security through integrating cyber threat intelligence, automation and artificial intelligence.
Cyber defenders should think of critical infrastructure protection like a pyramid. There is a lot of focus on core cybersecurity fundamentals. However, applying cyber threat intelligence is also essential to combat targeted threats. Cyber intelligence involves collecting, analyzing and interpreting data about potential cyber threats to proactively identify and prevent cyberattacks. Cyber intelligence helps cybersecurity analysts understand the tactics, motives and capabilities of adversaries. To that end, cyber threat intelligence should be at the top for organizational leadership, along with a trained cadre of specialists who understand the types of advanced persistent threats (APTs) that adversaries use.
Automation and AI are pivotal to the equation. Automation speeds up repetitive cybersecurity tasks, eliminates the risk of human error, and helps in applying security processes consistently. In threat detection and response, AI can help analyze massive volumes of real-time data and recognize patterns and potential threats.
Ensuring the safety of critical infrastructure requires a proactive, risk-based approach coupled with a unified response strategy.
Achieving cyber resilience for critical infrastructure requires integrating cyber risk management, risk prioritization and establishing a ROC. The ROC will be pivotal in this framework by providing continuous monitoring, rapid response capabilities and a centralized hub for coordinating cyber risks.
Together, cyber risk management, risk prioritization and an established ROC enable a proactive and adaptive cybersecurity posture that will help critical infrastructure organizations stay ahead of evolving cyber threats and maintain operational continuity.
Finally, to excel in protecting critical infrastructure from domestic and foreign cyber threats, it is essential to have cybersecurity experts who understand both the current adversary landscape and the appropriate cyber risk management tools to achieve their security goals.
Ken Dunham is cyber threat director at Qualys Threat Research Unit.
Copyright © 2025 Federal News Network. All rights reserved.