As public sector cybersecurity specialists, we see firsthand that state leaders are considered to be guardians of public safety. They are expected to identify, protect, detect, respond, and help their agencies recover swiftly and effectively from any disruption to critical infrastructure to reduce damage and restore operations and services. In working with our clients, we know that most critical infrastructure protection programs only address physical threats, leaving many states vulnerable to cyber threats ranging from service disruption to public safety concerns. It is crucial that states expand their risk mindset to include cyber risks and lead a statewide, public-private collaboration focused on sharing information, raising awareness of roles that all groups involved should play, and establishing a unified response to cyberattacks on critical infrastructure.
So what does an effective program require? A leading practice is to develop a team that has the skill sets to establish:
- Strong relationships with private sector and federal partners
- Well-defined roles and responsibilities and consistent and informed communications
- Mechanisms to present and receive feedback, raise awareness, support information exchange, and promote action
- Cybersecurity risk analysis and prioritization in the event of a disruption of service or physical harm to citizens
- An operational plan to share and maintain cybersecurity information
- Training and coordination for multi-disciplined response teams – search and rescue, emergency medical support, IT cybersecurity specialists, as well as leaders in the public and private sectors
- Initial and ongoing requirements for equipment and software
With that said, it’s important to recognize that building a cybersecurity critical infrastructure program takes time, careful planning, and ongoing support from the state’s Governor, state and federal agencies, and public and private entities overseeing critical infrastructure.
More insights can be found by reading Cybersecurity for critical infrastructure protection.