Cyber-first infrastructure should be a priority
Now that the battle has ended and the $1 trillion infrastructure bill is law, another challenge has come into stark relief—how to build this critical infrastructure securely. The only way to do this is to have a “cyber-first” mindset when developing these projects across the country.
To its credit, the legislation sets aside nearly $2 billion for actions specifically tied to cybersecurity, including a cyber grant program that will distribute $1 billion over four years to state and local governments.
But just funding the initiative isn’t enough. While some money has been earmarked for cyber, it’s imperative that cybersecurity be instantiated into all types of infrastructure. In fact, if the right steps are taken from the start, the recent infrastructure package could become a catalyst to improve the strength and security of all networks.
When it comes to infrastructure like roads and bridges, cybersecurity may not be the first thing you think about, but digital networked technology is ubiquitous, working behind the scenes. Roads and bridges have traffic and stress sensors to improve performance and safety. Public transportation, rail and airports incorporate automation and networks to keep everything running smoothly and safely. Water, power and other utilities depend on countless networked control systems. Some of these already have been exploited by threat actors, and many of the small utilities they target are systemically underprepared.
The rapid uptick of infrastructure projects alone will present an immense challenge. The convergence of operational technology (OT) and information technology (IT) in critical infrastructure has made it easier for sophisticated cybercriminals to exploit OT vulnerabilities. Threat actors are targeting and attacking previously air-gapped OT devices and systems that are now accessible thanks to IT-OT convergence. The digital nature of our upgraded infrastructure will bring both risk and opportunity, and we should ensure that we address both.
In fact, a Dec. 2 Government Accountability Office (GAO) report said, “If the federal government doesn’t act with greater urgency, the security of our nation’s critical infrastructure will be in jeopardy.”
The GAO found that to address critical infrastructure cybersecurity, the federal government needs to develop and execute a comprehensive national cyber strategy and strengthen the federal role in protecting the cybersecurity of critical infrastructure. The report also said that of the 900 GAO cyber recommendations agencies have failed to implement, 50 of them are related to critical infrastructure cybersecurity. Even the report’s title—“Federal Actions Urgently Needed to Better Protect the Nation’s Critical Infrastructure”—is a clarion call for a cyber-first path.
It is better to build cyber protocols in now, as we plan and implement these infrastructure upgrades, rather than spend twice and try to play catch-up later, especially if critical vulnerabilities are being exploited and time is of the essence.
The infrastructure law presents a once-in-a-lifetime opportunity to improve the fundamental safety and security of our nation’s infrastructure. The networks that power the nation’s infrastructure simply cannot be allowed to remain vulnerable. Too much is at stake, so we have to do it right.
Jim Richberg is public sector field CISO at Fortinet. He formerly served as the national intelligence manager for cyber in the Office of the Director of National Intelligence, where he set national cyber intelligence priorities.
I agree, cyber security is often an infrastructure that is being underrated or pushed to when it’s actually too late.
We implemented a software by apptec to manage our devices remotely and securely. This has helped us immensely during these times and we can just recommend everyone else to invest in cyber security before it’s too late.