This blog post is an excerpt from GovLoop's recent guide, "Your Guide to U.S. Critical Infrastructure."
In April 2015, news broke that personally identifiable information on more than 21.5 million federal employees, contractors and applicants had been compromised because of a hack of the Office of Personnel Management (OPM).
OPM estimated it will spend more than $133 million in the next three years to provide identity theft protection services to the victims. And although the OPM breach marked the single greatest loss of information by a government agency, it was just the latest and largest in a string of other government breaches.
All of these attacks have brought security to the forefront of federal officials’ attention. And while there is no quick fix, the need for an end-to-end solution is overwhelming, because as the breaches show, security is everyone’s problem — not just IT’s.
The good news for agencies is that there is help. GovLoop sat down with Marc Blackmer, Product Marketing Manager at Cisco, a leader in networking and cybersecurity, to discuss how agencies can obtain end-to-end security for control networks with an operations technology approach that helps to improve service resiliency.
Blackmer explained that when it comes to securing end points in terms of critical infrastructure, traditional cybersecurity approaches can’t always be used. “With critical infrastructure you’re talking about the power grid, nuclear power, water supplies, transportation, and more,” he explained. “So the typical security approaches can’t be applied in that space. If you get things wrong and you shut down a critical section of a manufacturing plant or anything like that, there is the possibility for real physical damage to happen to both people and the environment.”
Additionally, the federal government faces the challenge of needing to respond to security and compliance challenges as networks evolve from closed systems to Internet-enabled operational technology (OT) connectivity. Facilities continue to be networked and Internet of Things (IoT) endpoints proliferate as the technology creates new opportunities for increased efficiency and operational effectiveness. Yet extensive legacy hardware and software that are not designed to address security dominate existing systems.
Cisco has developed a holistic approach to the cybersecurity risks facing the country’s critical infrastructure over the years. The company recognizes that protecting critical infrastructure requires a comprehensive solution, not one single product. To provide a solution that works, multiple products must operate together without introducing complexity or impacting accessibility while providing excellent levels of protection for the federal sector.
As Blackmer explained, an end-to-end security architecture that supports critical infrastructure can’t be just about cybersecurity. It must include physical security, cybersecurity, compliance, intrusion detection and prevention, data center security, and security management. All of this has to be done with the understanding that services must stay resilient and up and running.
This is where Cisco’s ability and experience come in. Cisco has been developing innovative networking products for more than 30 years and has a large installed base in networks around the globe. As threats to networks have evolved, Cisco responded with a Secure Development Lifecycle to ensure that security is built into the underlying architecture of solutions and embedded throughout the enterprise. Ensuring this security is a continuous process. As new products are developed and existing products are updated, security is embedded into every platform.
“We have decades of experience designing, implementing, and operating control networks and are uniquely positioned to advise our government customers on best practices, policies and hiring, as well as provide technical expertise,” Blackmer said. He also explained that integration with technical partners extends Cisco’s capabilities even further, which gives their customers more visibility and control.
At the end of the day, end-to-end security is about a holistic, comprehensive framework that allows for visibility and control.
“When it comes to the public sector and critical infrastructure, it’s a different ballgame,” Blackmer said. “So we’re very adept at making sure our solutions are effective in a manner that is appropriate for the environment we are protecting. If there’s an outbreak within a power grid, the lights still need to be kept on for the public. Cisco has that experience and knowledge to help mitigate the threat while making sure services still remain up and resilient.”