America’s critical infrastructure is facing a wide range of threats due to the rapid digitalization of various sectors and the existence of analog operational environments. To better protect our connected physical and IT infrastructure, federal risk analysts should adopt a comprehensive and integrated view of the threats. This includes leveraging existing risk frameworks and models and incorporating cyber-physical safeguards to accurately capture threats and consequences of cyber-initiated events.
Developing an approach that acknowledges the differences between cyber and physical threats, while considering them alongside one another, will require a significant commitment from specialists and agencies. However, existing risk models used for counterterrorism efforts can provide a solid foundation for this task. The federal government should reframe its thinking around defining and prioritizing cyber risk, considering the effects of both cyber and non-cyber systems on communities and the economy.
A more consolidated and comprehensive risk framework is needed to incorporate cyber-initiated events with traditional risk models. This framework should accurately capture safeguards, mitigation measures, and information about both cyber and non-cyber systems and their interactions. The security community should promote transparency about incidents, mitigation actions, and other factors to inform more effective cyber recommendations and help businesses pursue secure operations.
Knowing what needs to be done is one thing, but actually implementing the necessary changes is another. Agencies responsible for operational cyber activities should assess how other policies and priorities affect their ability to carry out meaningful risk reduction activities. The roles and responsibilities of federal agencies with oversight and threat advisory duties should be clearly defined, along with processes for collaboration with industry stakeholders.
In order to build a comprehensive OT cyber risk management program, the US government, private companies, and experts in OT and IT must commit to marrying cyber and physical homeland security programs. This ongoing commitment is essential to mitigate today’s cyber-physical security concerns.
Key points:
1. America’s critical infrastructure faces diverse threats due to digitalization and analog operational environments.
2. Federal risk analysts should adopt a comprehensive and integrated view of threats, leveraging existing frameworks and incorporating cyber-physical safeguards.
3. A redefinition of risk is necessary to accurately capture the effects of cyber and non-cyber systems on communities and the economy.
4. Transparency about incidents, mitigation actions, and other factors will inform more effective cyber recommendations and help businesses pursue secure operations.
5. Agencies responsible for operational cyber activities should assess how other policies and priorities interfere with meaningful risk reduction activities. Collaboration between federal agencies and industry stakeholders is crucial.
6. The US government, private companies, and experts in OT and IT must commit to marrying cyber and physical homeland security programs to mitigate cyber-physical security concerns.