Critical Infrastructure Security and Resilience Month focuses on bolstering US infrastructure against cyber threats
November is usually recognized as ‘Critical Infrastructure Security and Resilience Month’ in the U.S., highlighting the importance of reminding asset owners and operators to step up and focus on safeguarding these vital installations. The nationwide effort is focused on raising awareness and reaffirming the commitment to keeping the nation’s critical infrastructure secure and resilient.
Spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA), the initiative aims to enhance awareness and collaboration among public and private sectors to protect critical infrastructure from evolving threats. The month-long campaign highlights the interconnectedness of infrastructure sectors, such as energy, transportation, and healthcare, which are vital to national security, economic stability, and public health. Each week throughout November, CISA will spotlight a different way to think about building security and resilience across critical infrastructure.
U.S. President Joe Biden released a proclamation on Critical Infrastructure Security and Resilience Month calling upon the people of the U.S. to recognize the importance of protecting the Nation’s infrastructure and observe this month with appropriate measures to enhance national security and resilience.
CISA emphasizes the need for a proactive approach to infrastructure security, advocating for robust risk management strategies and adopting innovative technologies. By fostering partnerships across various sectors, CISA seeks to build a resilient infrastructure capable of withstanding and recovering from disruptions, whether natural disasters, cyberattacks, or other emergencies.
Throughout the month, CISA will provide resources, tools, and training to help critical infrastructure organizations identify vulnerabilities and implement effective security measures. These initiatives typically focus on engaging in preparedness activities, reinforcing the collective responsibility of safeguarding critical infrastructure. As threats continue to evolve, Critical Infrastructure Security and Resilience Month serves as a crucial reminder of the ongoing efforts needed to protect the backbone of modern society.
Aligning OT security with CISA efforts
Industrial Cyber consulted OT sector executives to identify key security and resilience challenges this year and their alignment with CISA’s mission.
David Mussington, CISA’s executive assistant director for infrastructure security, said that Critical Infrastructure Security and Resilience (CISR) Month is CISA’s annual effort focused on educating and engaging all levels of government, infrastructure owners and operators, and the American public about the vital role critical infrastructure plays in the nation’s security and why it is important to strengthen critical infrastructure resilience.
“This November, as we celebrate CISR Month, we are continuing with our enduring theme of Resolve to be Resilient and asking everyone to prepare for and invest in resilience today, so we can withstand or recover quickly in the event of an incident tomorrow,” Mussington told Industrial Cyber. “Resilience means doing the work upfront to prepare for and adapt to changing risk conditions, including the ability to withstand and recover rapidly in the aftermath of any significant disruption.”
He added that incorporating resilience strategies into planning helps protect lives and jobs, keeps communities connected, reduces economic disruptions to supply chains, and encourages innovative solutions to reduce harm to communities.
Mainstay threats and hazards such as evolving technology, cyber and physical attacks, and weather impacts remain focus areas, with technology on both the adversarial offensive and owner/operator defensive sides gaining more attention, O.T. (Ollie) Gagnon III, principal representative of the Idaho National Laboratory (INL) to the U.S. Department of Homeland Security, told Industrial Cyber. “Enhancing cyber defense technology through artificial intelligence (AI) is emphasized with a focus on responsible adoption and use.”
At the national level, Gagnon pointed out that CISA continues to roll out a resilience-enhancing AI roadmap centered on AI-enabled software tools, engaging stakeholders, and expanding internal AI expertise. “While emphasis shifts in certain areas to considerations like AI, the overall trend is adapting to changing conditions through an all-hazards approach.”
Martine Chlela, global head of delivery for industrial cybersecurity at Black & Veatch, told Industrial Cyber that this year, the surge in ransomware attacks and supply chain disruptions has underscored the need for robust security frameworks. “In addition, skill gaps are still being addressed, and integrating cybersecurity into the lifecycle of industrial systems remains critical. This aligns with CISA’s mission to enhance the nation’s resilience against these evolving threats by encouraging a holistic approach to cybersecurity and providing different tools and best practices.”
As organizations scale products quickly to gain a competitive edge, security often gets left by the wayside in the software development cycle, Robert Huber, CSO and head of research at Tenable, told Industrial Cyber. “The burden of securing products should not be placed on the shoulders of customers. CISA’s Secure by Design Pledge, rolled out a few months ago, was a step in the right direction for software developers to embrace secure-by-design practices and commit to working towards a series of secure software development goals and practices, including increasing the use of multi-factor authentication; reducing the prevalence of one or more vulnerability classes across products; publishing a vulnerability disclosure policy; and improving transparency in vulnerability reporting,” he added.
Paul Veeneman, board secretary at InfraGard Member Alliance, said that 2024 has brought focus to AI-driven defense against AI-augmented traditional threat vectors such as phishing, improved ransomware protection, and heightened supply chain security. “These mesh with CISA’s goal and mission of leading security and resilience efforts, reducing risks to the nation’s critical infrastructure.”
He added that threats predominantly continue to come by way of enterprise IT, compromised integrations and dependencies of IT systems, and exposed and unsecured OT devices and networks, which can result in downtime or impact on OT process environments.
Gauging CISA’s collaborative efforts against rising threats
The experts address CISA’s collaboration with other agencies, the private sector, and international partners, evaluating if these efforts are sufficient to tackle escalating threats.
Mussington said that CISA serves as America’s cyber defense agency and the national coordinator for critical infrastructure security and resilience. “In this role, we have the unique mission to understand, manage, and reduce risk to our cyber and physical infrastructure. This mission can’t be accomplished in isolation; it requires a collaborative approach with all levels of government, the international community, and with industry.”
“Our partnerships across the public and private sector, and larger international community are essential for several reasons,” Mussington continued. “First, the majority of U.S. critical infrastructure is owned and operated by industry. This makes the expertise, insights, and collaboration of our industry partners indispensable to our efforts. Second, the digital threats we are facing are increasingly sophisticated and transnational. Our cyber adversaries are targeting our businesses, our communities, and our way of life. To combat these threats, we must leverage the full spectrum of capabilities and resources available across government and industry.”
He highlighted that this is critical because “we know that in the interconnected world we live in, the challenges we face are not confined by borders. Cyber threats – whether from state actors, criminal organizations, or individual hackers – transcend boundaries. No country is immune, and no sector is untouched. The energy grids that power our cities, the financial systems that drive our economies, and the healthcare infrastructure that keeps us healthy – all these critical systems form the backbone of modern society. Their security is not just a national issue; it’s a global necessity.”
Mussington added that “an attack on one nation’s critical infrastructure can ripple across the world. We’ve seen firsthand how ransomware attacks can paralyze hospitals, K-12 schools, and our water systems. The recent CrowdStrike outage, which had effects on a global scale, also demonstrated the need for technology manufacturers to develop products that are inherently designed with quality and security in mind.”
“Coordination and collaboration have increased due to the homeland security community’s shared understanding that interconnected critical infrastructure both in the physical and cyber domains and between them, poses significant risk considerations,” Gagnon said. “Whether global supply chains, technology advances, or assuring lifeline sectors such as energy, water, transportation, and communications, owners and operators recognize a sustained collective effort enables resilience within an increasingly complex risk environment.”
Chlela said that CISA collaborates with various stakeholders to enhance national cybersecurity. “When it comes to federal agencies, CISA collaborates with the U.S. Federal Bureau of Investigation (FBI) on threat intelligence and investigations, the U.S. National Security Agency (NSA) for sharing vulnerabilities and threat information, and the U.S. Department of Homeland Security (DHS), which works closely on national security and infrastructure protection. As for state and local governments, the state cybersecurity offices work closely with CISA and the local law enforcement partner in sharing threat information and response strategies.”
As for the private sector, Chlela added that CISA collaborates with Information Sharing and Analysis Centers (ISACs) focused on various critical infrastructure sectors as well as major tech companies to share vulnerability and threat information. Finally, international partners of CISA include NATO, working collectively on cybersecurity defense strategies, and the European Union Agency for Cybersecurity (ENISA), sharing threat intelligence and best practices.
“While CISA’s collaborative approach is a step toward addressing cybersecurity concerns, challenges still remain. These include the ever-evolving threat landscape that requires constant adaptation and innovation in response to strategies and technologies,” according to Chlela. “Additionally, advanced training and awareness programs face resource limitations, stressing the need for increased funding. Engaging diverse stakeholders also presents challenges in ensuring comprehensive security, highlighting the need for formal collaboration frameworks with different stakeholders.”
Huber mentioned that CISA regularly partners with organizations from across the globe including Australia, Canada, New Zealand, the U.K., and the U.S., to issue joint advisories on emerging cyber threats. “These advisories offer valuable insights into vulnerabilities and attack methods, which can be critical for organizations to incorporate into their security strategies. By leveraging the right security technology, organizations can ensure they’re integrating global advisories like those from CISA and other partners into their security posture, keeping defenses up-to-date and aligned with the latest threat intelligence.”
He added that CISA also works closely with industry stakeholders through the Joint Cyber Defense Collaborative (JCDC) and the critical infrastructure sector coordinating councils. “This partnership helps ensure that CISA advisories are informed by private sector actors who are on the front lines for the majority of cyber incidents. Even if an organization lacks the resources to manage a full-fledged threat intelligence program, modern security technologies often provide built-in tools to integrate information from these advisories. For example, exposure management platforms allow the automatic ingestion of threat feeds.”
Veeneman said that, despite significant efforts, the nation is still struggling to get ahead of cyber threats, as many organizations fail to master basic security hygiene. “According to the Office of National Cyber Director (ONCD) 2024 Report on the Cybersecurity Posture of the U.S., while 92 percent of federal initiatives have been successfully completed, challenges remain.”
Exploring critical infrastructure support and implementation challenges
The experts discuss the resources provided by CISA to support critical infrastructure, the manner in which organizations can effectively utilize these resources, and the challenges faced in implementing the agency’s recommendations.
Mussington said that CISA develops guidance and provides risk assessments, cross-sector risk analyses, information sharing, and capacity building for government partners and critical infrastructure owners and operators. “This role of the coordinator is key because our success at CISA relies on operational collaboration across partners in the public and private sectors – and the acknowledgment that we must respond to incidents impacting our nation in a collaborative and unified way.”
“As a government entity, we are fully aware that we cannot tackle the threats posed by our biggest adversaries on our own,” according to Mussington. “We must maintain robust operational collaboration with the private sector – because the private sector owns and operates the majority of the nation’s critical infrastructure and, in many cases, has the greatest insights into the scope and scale of many cyber threat actors. It is only by deepening our partnerships that we are able to share information broadly about threats and vulnerabilities, enabling early warning, and preventing other victims from getting attacked.”
Stakeholders can access a sea of resources, Gagnon said, but it’s challenging to navigate the sheer volume without drowning out of frustration. “This is where CISA, through its service delivery model executed from the headquarters through the 10 regions field force, provides great value with resource mapping. With limited time and funding, having trusted and skilled advisors — whether CISA or sector-focused resources from a variety of sources — can effectively and efficiently enhance security and resilience while driving coordination and collaboration,” he added.
Chlela noted that CISA offers critical resources such as the Cybersecurity Framework, sector-specific guidance tailored to various industries (e.g. CISA’s efforts to enhance security for water and wastewater facilities), best practices (e.g. CISA’s best practices in securing software supply chains and implementing software bills of materials), toolkits (e.g. ransomware response toolkit) and strategies (e.g. Cybersecurity Workforce Development Strategy). “As different organizations have different maturity levels, it is important to specifically understand the operational context of the critical infrastructure sector and adapt the recommendations.”
“CISA offers a variety of resources to help organizations protect critical infrastructure, including assessment toolkits, free cyber scanning services, and cybersecurity assessments amongst others,” Huber disclosed. “These tools are designed to help organizations of all sizes identify vulnerabilities and improve their security posture with best practices. However, for smaller organizations with limited cybersecurity resources, applying CISA’s recommendations can be challenging. These companies may struggle to effectively implement the findings and manage ongoing risk assessments. To address this, small organizations may need to engage external partners.”
Veeneman observed that CISA’s key initiatives for all sectors of critical infrastructure (Identify and Verify, Understand, Build and Maintain, Share, and Collaborate) prioritize workforce development, OT security, and fostering public-private partnerships for threat intelligence sharing, while also offering vulnerability scanning, Cyber Resilience Reviews (CRR), Validated Architecture Design Review (VADR), and the Cyber Security Evaluation Tool (CSET).
Reviewing infrastructure resilience measures
The executives examine the measures taken by critical infrastructure sectors to enhance resilience and prepare for operational disruptions.
Mussington mentioned that, throughout November, the agency will highlight how critical infrastructure organizations can Resolve to be Resilient by integrating certain practices that will make critical infrastructure secure, resilient, and able to bounce back quickly and build back stronger from an incident.
He listed:
- Know Infrastructure and Dependencies. Organizations should identify their most critical systems and assets for their operations and understand potential dependencies on other infrastructure systems and assets that enable the continuity of their operations.
- Assess Risks. Consider the full range of threats and hazards that could disrupt an organization’s infrastructure operations and evaluate specific vulnerabilities and consequences the threats and hazards could pose.
- Make Actionable Plans. Organizations should develop both a strategic risk management plan to reduce the risks and vulnerabilities identified as well as actionable incident response and recovery plans to help withstand and rapidly restore operations with minimal downtime.
- Measure Progress to Continuously Improve. Exercise incident response and recovery plans under realistic conditions and periodically evaluate and update strategic plans. An organization’s ability to proactively prepare for and adapt to changing risk conditions starts with fostering a culture of continuous improvement, based on lessons learned from exercises and real-world incidents.
Gagnon commented that many entities have widened their support lens to mitigate risks by building on the resources provided by CISA with a variety of other sources. “The entities are working with academia, industry, and sector centers of excellence due to the high level of demand for security and resilience solutions.”
“We at Idaho National Laboratory, and many other research and development centers, have seen an increasing demand from stakeholders seeking to leverage unique capabilities, facilities, and experts to solve complex resilience challenges,” according to Gagnon. “This trend led us to establish the INL Resilience Optimization Center to focus on holistic solutions to national challenges. Relying on sole provider solutions is not conducive to effectively tackling current or future resilience challenges.”
Sectors are increasingly adopting technologies like AI and ML for threat detection and providing comprehensive training for their employees, Chlela highlighted. “Many organizations are prioritizing incident response and tabletop exercises that simulate real-world attacks, enhancing their readiness.”
She added that partnerships with technology vendors and cybersecurity firms are being leveraged to bolster security measures and improve response capabilities. “Collaborative initiatives, such as information-sharing platforms (ISACs), help organizations stay informed about the latest threats and best practices.”
“Critical infrastructure sectors have strengthened resilience by implementing business continuity and disaster recovery (BC/DR) plans,” Huber said. “These strategies ensure operations can quickly recover from disruptions such as cyberattacks, natural disasters, or system failures.”
He added that CISA is also working with critical infrastructure sectors to develop sector-specific risk management plans. “It is also vital for organizations to test that recovery procedures are up to date and ready to deploy when disruptions occur. Being prepared gives stakeholders within the organization the confidence that in the event of a real cyberattack, the response will be calm and measured.”
In addition to CISA, Veeneman noted that other agencies, the DoE, DoC, DoT, TSA, and FDA, have consistently over the past two years sounded the alarm for improvements to posture and protection of sectors.
“Methods to secure systems, operations, and facilities have been IT-centric, a positive movement considering enterprise IT is typically the threat vector to process environments. Going forward, there needs to be a more consistent approach to cyber-physical security considering the disparities between OT and IT security practices.”
He added that this will come in time with proper education and understanding of control systems but lags behind as organizations are working to shore up the basics within their respective environments.
“Critical infrastructure sectors are improving resilience by adopting Cybersecurity Performance Goals (CPGs), collaborating with CISA and federal agencies for joint defense strategies, and enhancing security for OT systems,” according to Veeneman. “Sectors are also implementing Zero Trust architectures, strengthening disaster recovery plans, and securing supply chains against potential risks. These steps help ensure continued operations and reduce vulnerabilities to cyber-physical threats, though evolving challenges still pose risks.”
Evaluating geopolitical impact on infrastructure security
The experts turn their focus to examining the impact of global geopolitical tensions on the security of U.S. critical infrastructure and assess whether these tensions have contributed to strengthening its resilience.
CISA’s role as National Coordinator was recently put to the test during July’s global CrowdStrike IT outage that disrupted critical infrastructure and services across sectors, Mussington said. “As the National Coordinator, CISA worked alongside our partners to help assess impacts to their organizations and take action to get their systems back up and running. We know that this is just the latest example, and our role will be further tested as threats evolve and our adversaries grow their cyber capabilities targeting and disrupting our infrastructure.”
“CISA and our partners are continuously dealing with a full range of cyber threats, from cyber criminals and adversarial nations like the People’s Republic of China (PRC), Russia, North Korea, and Iran, all of which pose an elevated and persistent threat to our national security,” Mussington detailed. “These nation-states engage in malicious cyber activities to pursue national interests, enable broad-scope cyber espionage, suppress certain social and political activity, steal intellectual property, generate revenue through ransomware, infiltrate critical infrastructure networks, harm regional and international adversaries, and practice malign influence operations aimed at elections activity.”
He added that perhaps of greatest concern right now, though, is activity coming from the PRC, which, as assessed by CISA’s Intelligence Community, continues to present the broadest, most active, and persistent threat to the U.S. government and its critical infrastructure partners.
“Over the past year, we’ve been raising the alarm on this threat and working to help protect infrastructure communities from dangers posed by Chinese cyber actors, known as Volt Typhoon, that have burrowed deep into our critical infrastructure, not to steal our data, but rather to launch a future cyberattack at a time of their choosing in the event of a major conflict in Asia,” Mussington added. “Unfortunately, we now live in a world where a major conflict halfway around the globe might well endanger the American people here at home through the disruption of our infrastructure – in order to sow chaos and panic across our country and deter our ability to marshal military might and citizen will.”
He further added that “thanks to information sharing from our partners, we have been able to identify and eradicate some Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water, and telecommunications sectors. But we absolutely cannot be complacent — as we believe that what we’ve found to date is merely the tip of the iceberg. There is an urgent need to supercharge our collective efforts as we look to enhance our ability to protect our homeland.”
Citing a February report from the President’s Council of Advisors on Science and Technology (PCAST) that underscores the urgent need to bolster the nation’s cyber-physical systems, Gagnon noted that recently released national strategies consistently highlight that cyber-physical systems are vulnerable to threats from nation-states.
“The number and types of incidents targeting critical services have strengthened cyber resilience,” he added. “This is due to owners/operators realizing existing security efforts are insufficient, and a determined, well-resourced, and patient adversary will likely succeed in penetrating and exploiting a critical infrastructure network. This focused cultural shift from security to resilience is also central to critical functions assurance through prevailing national strategies such as Cyber Informed Engineering, where planned resilience turns ‘what ifs’ into ‘even ifs.’”
Chlela said global geopolitical tensions have heightened awareness around cybersecurity threats, prompting many organizations to start or continue their journey towards an enhanced cybersecurity posture. “This environment has spurred investments in myriad resilience strategies across a broad array of public and private organizations. These efforts can ultimately bolster our critical infrastructure against a range of threats and foster a proactive rather than reactive approach to security and safety.”
Huber said, “We have seen reports of increased Advanced Persistent Threat and ransomware attacks against critical infrastructure in the past few years. In response, CISA launched its ‘Shields Up’ campaign to help critical infrastructure owners and operators better prepare to address cyber attacks. More recently, CISA has launched its ‘Secure Our World’ initiative to drive stronger secure by design and other cybersecurity best practices.”
He added that a forthcoming step will be the mandatory reporting requirements to CISA under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CIRCIA mandates that organizations report significant cyber incidents to CISA within specified time frames, ensuring swift government response and coordination. This timely reporting will create a shared defense, enabling CISA to aggregate threat data, issue alerts, and develop broader defensive strategies that protect the entire sector.
“The collaboration between the government and private organizations helps U.S. critical infrastructure stay ahead of evolving threats and recover more quickly from disruptions by sharing threat intelligence across sectors and adopting incident response strategies informed by global cyber activity,” according to Huber. “Here’s an example of CISA providing information on protecting against threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting accounts associated with national political organizations.”
Veeneman observed that the U.S. has consistently witnessed retaliation attacks against critical infrastructure in recent years, much of this fueled by areas of conflict around the world such as Ukraine and Israel. “This accentuates the need for a concerted effort to secure critical infrastructure. Unfortunately, remediation activities often lack understanding of OT risk reduction.”
“In many cases marketing, fear, uncertainty, and doubt lead decision makers to investments in IT solutions that deviate from basic best practices,” according to Veeneman. “Getting ‘Back to Basics,’ critical infrastructure resilience can be increased more effectively through OT asset management, sound processes, physical and logical access control, and prohibiting any external connectivity leading to Internet accessibility…many of these practices require lower or moderate resource allocations versus significant financial investment.”
Setting goals, tracking progress, ensuring equity
The experts outline the long-term objectives for Critical Infrastructure Security and Resilience Month and highlight established methods for tracking progress. They also explore ways to ensure equity and accessibility.
Mussington said that the goals for CISR Month encourage stakeholders to maintain awareness of the threat landscape while they evaluate ambient and emerging risks to critical infrastructure and then build these findings into their security and resilience planning.
He also urged organizations and stakeholders to leverage CISA programs, services, and tools to aid their implementation of strategic risk management plans with clear, measurable milestones to reduce vulnerabilities and mitigate risks effectively; and enable partnerships between CISA and the public, private, and nonprofit sectors, as well as the international community to work toward a more secure and resilient cyber-physical ecosystem.
“With the first update to national critical infrastructure policy in over a decade, NSM-22 improves the framework to gauge progress across all sectors,” Gagnon said. “While the ultimate impact of the policy is yet to be determined, the central components of a refined risk-based approach, minimum requirements, and accountability designed to bolster security and resilience across communities regardless of economic standing or capacity are a step in the right direction.”
Chlela said that the initiative aims to increase awareness of vulnerabilities within critical infrastructure and promote collaboration across sectors. “Key goals include raising participation in training programs and increasing the adoption of best practices. Progress will be measured through quantifiable metrics such as the number of organizations completing assessments and the reduction in reported incidents.”
To ensure equity, Chlela added that it’s essential to involve diverse stakeholders, particularly small and mid-sized enterprises, by offering tailored resources aimed at addressing specific challenges faced by these organizations.
Huber said that the long-term goals for Critical Infrastructure Security and Resilience Month focus on the fact that it’s everyone’s responsibility (public and private sectors, citizens) to strengthen critical infrastructure and protect the vital services it provides. “Since attacks are inevitable, the key focus is on resilience—whether an organization can recover quickly and minimize damage.”
He added that progress will be tracked through the adoption of cybersecurity frameworks and improvements in response times. To ensure equity and accessibility, free tools and outreach programs must support smaller organizations, helping them enhance resilience despite limited resources or expertise.
“The long-term goals for Critical Infrastructure Security and Resilience Month focus on improving cyber resilience, enhancing public-private partnerships, and advancing the adoption of cybersecurity performance goals,” Veeneman said. “Progress will need to be tracked via performance metrics and collaborative initiatives led by CISA; tracking mechanisms will need to be improved over time, potentially with policy and/or penalty to incentivize adoption and implementation.”
He concluded that activities and initiatives from other agencies, in addition to CISA’s efforts, have provided a comprehensive and consistent message and directive across all sectors of critical infrastructure. “It will take the combined efforts of various federal, state and local governments, agencies, and partnerships with private industry to press resilience forward in the coming years.”