Helio SantAna shares insights learned from leading Brazil’s critical infrastructure protection. “Cybersecurity was not a requirement when they were designing previous systems that run critical infrastructures.”
For nearly three years, Helio SantAna has served as the general coordinator for modernization and innovation for the Brazilian government. During that time he has led Brazil’s critical infrastructure protection efforts. As part of the Cyber Security for Critical Assets World Conference in June, SantAna discussed policy efforts for safeguarding critical infrastructure. He provided a roadmap countries can follow based on his own experience protecting Brazil’s critical infrastructure.
“Critical infrastructure includes any service that if negatively impacted or eliminated would affect a country’s economic and national security,” SantAna said. “Those CIs are composed of assets that provide technical services. Those assets can be virtual or physical so you have to predict how to protect both kinds.”
According to SantAna, the first step in safeguarding critical infrastructure is to define what kinds of services in your country fall under this category. In many countries CI includes oil, gas, water, energy, transportation, food, financial, biosecurity and nuclear infrastructure.
“Many countries have different approaches when delivering those services,” SantAna said. “Some have approaches more oriented to the private sector, but some countries have a mixed model with services provided by private companies and state-owned companies.”
Next, SantAna suggests countries establish a nationwide plan for cybersecurity protection. This should include laws, regulations and policies related to protecting critical infrastructure. It also includes establishing a budget specifically for critical infrastructure protection to ensure cybersecurity programs and enforcement are properly funded.
“The main regulation should be a cybersecurity law that will cover all aspects related to cybersecurity in your country that will be a top level regulation that delineates how cybersecurity is treated in your country,” SantAna said. “A national strategy is also a very good instrument because it establishes the guidelines for your cybersecurity efforts and the goals of your government related to cybersecurity. This strategy should have plans that will define the path to accomplish the goals of the cybersecurity strategy and what each sector should do to comply with those requirements.
“Another aspect that is very important is that you must have a nationwide policy that states the requirements for information security and operational security. Well known frameworks may help you create those policies and help your country protect your CIs.”
In April 2018, the National Institute of Standards and Technology published a framework for improving critical infrastructure cybersecurity. Similarly, Oxford University has created a model to enable nations to self-assess, benchmark, better plan investments and national cybersecurity strategies, and set priorities for capacity development. Both of these resources can help countries create their own policies.
Understanding critical infrastructure protection requires a unique cybersecurity approach, SantAna said, because industrial control systems combine both information technology and operational technology. While IT security is focused on priorities such as protecting the confidentiality of data, OT security is focused on other priorities.
“When it comes to critical infrastructures, the ICS security focus is more on safety, availability, integrity, and confidentiality,” SantAna said. “The main objective was not to create a very secure, but a very predictive environment. Cybersecurity was not a requirement when they were designing previous systems that run critical infrastructures. IT measures are not exactly adequate to protect ICS so you have to create your own set of rules in order to maintain safety but also security.”
Each nation’s approach to critical infrastructure protection will depend on the nation’s approach to delivering critical services. In some countries governments control service delivery while in others, governments partner with private companies.
“Different approaches require different sets of regulations, but the government must always be a partner when it comes to defining those requirements for security in IT and OT,” SantAna said. “When it comes to open market government, delivery of services is performed by a private company. They have their own infrastructure and you must know what kind of infrastructure they have in order to create requirements. The government should actively collaborate with public agents at the state and municipality levels and the private sector, in order to monitor all critical infrastructures, share information regarding problems, known issues, and information related to attacks.”
SantAna said regardless of a country’s critical services delivery structure, the government must play a primary role in protecting critical infrastructure. This should include helping operators reestablish services when they are attacked, working with operators to reduce risk, and raising awareness of cybersecurity threats.
“The way to do that is by creating a centralized agency for cybersecurity that will have a branch dedicated to dealing with critical infrastructure issues and create a specific [certification] for critical infrastructures,” SantAna said. “A great way to deliver this kind of partnership is performing exercises. It helps to conduct scenarios for cyber attacks and recovery formats in order to reestablish operation of your service provider.”
Information sharing among critical infrastructure operators should be an integral component of a nation’s cybersecurity approach. However, this sharing shouldn’t occur only internally; it should include other countries as well.
“Creating an information sharing infrastructure is important in order to reduce your efforts, in order to construct a solution for securing your environment, and also for identifying threats that could create problems to your environment,” SantAna said. “Your problem could be the problem of other operators or other countries so creating an alliance for sharing information is another good action to do. It creates a circle of trust among multiple agencies, or actors, or services providers that will help out when it comes to finding solutions for designing policies and creating technical instruments to secure your infrastructure.”
Attacks on Brazil’s critical infrastructure have increased dramatically in recent years. In 2019, there were 19,150 notifications of incidents in government networks, according to data released by the Brazilian Government Response Team for Computer Security Incidents.
SantAna said cyber vulnerabilities and attack surfaces are only likely to continue increasing, which requires countries to continuously update policies and develop new ones. In order to combat the growing threat, he said countries must also invest in their cybersecurity workforce to ensure they stay ahead.
“Another key aspect when it comes to protecting your infrastructure are people,” SantAna said. “Policies and frameworks are designed and implemented by people.”