Protect Critical Infrastructure: Cybersecurity Strategies for Governments

Aug 27, 2025

Douglas Holland

Written by

Douglas Holland

Douglas Holland is a Senior Solutions Engineer at Akamai with a deep-seated passion for enhancing digital security and experiences within the state, local, and education (SLED) sectors. With his adept ability to translate complex technical challenges into actionable solutions, Douglas has been pivotal in helping SLED organizations across the United States fortify their online presence against evolving cyberthreats while improving performance. His work at Akamai underscores a commitment to securing digital infrastructure, making the internet a safer place for educational institutions and government bodies alike. Douglas's expertise spans not only the technical aspects of cybersecurity but also the strategic aspects, ensuring that organizations are equipped to navigate the digital future confidently.

It only takes one click, one misconfigured port, or one forgotten patch — and, suddenly, 911 dispatch is offline, water treatment operations grind to a halt, or a regional airport is paralyzed. For state and local governments, protecting critical infrastructure is no longer just an IT issue, it's a matter of public safety, economic stability, and trust.

What is critical infrastructure?

Critical infrastructure is a prime target for nation-state threat actors, hacktivists, and cybercriminals. But what is “critical infrastructure” exactly?  

From the perspective of state and local governments, critical infrastructure encompasses the assets, systems, and networks, both physical and virtual, that are deemed essential for the functioning of a community, state, or the nation as a whole. These are the foundational elements that support daily life, the economy, public health and safety, and national security. 

From a more general perspective, critical infrastructure refers to the essential services and systems that, if rendered unavailable, would have a debilitating impact on the constituents who depend on these services. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has defined 16 critical infrastructure sectors, including emergency services, energy, financial services, wastewater systems, healthcare, information technology (IT), and others.

Compromises can have severe consequences

Now that we have a baseline of what critical infrastructure is, it is clear why threat actors are keenly interested in exploiting these systems. 

System compromises can have severe consequences, including widespread disruption of mission-critical services or applications, damage to economic security, and even loss of life. Miscreants and other mischievous criminals are motivated by financial gain, espionage, the disruption of services, and broadly disrupting the daily lives of Americans.

State and local governments face unique challenges

The unique challenges faced by state and local governments include:

  • Old technology
  • Budget constraints and resource gaps
  • Complex operational environments

Old technology

Many of the nation’s critical infrastructure environments, including supervisory control and data acquisition (SCADA) systems, public health systems, and public-safety answering points (PSAPs; that is, 911 centers), are often built on decades-old technology. These systems can run unsupported operating systems and custom applications, neither of which can be easily patched or replaced. Such systems also tend to lack modern security controls such as encryption or strong authentication. 

In many cases, this introduces incompatibilities with current security tools, leaving defenders unable to see evolving threats. An example might be a wastewater treatment facility with SCADA controllers that still run on Windows XP, with no feasible upgrade path. Such a system is a perfect soft target for ransomware actors.

Budget constraints and resource gaps

Government agencies face budget constraints and resource gaps. Cybersecurity investments often take a back seat to other urgent funding priorities like public safety, education, and infrastructure maintenance. 

Additionally, these organizations struggle to hire and retain qualified IT and security staff as private sector companies can usually offer considerably higher wages and other perks like remote work. 

Limited budgets and reliance on grant funding delay projects and introduce uncertainty. Recent efforts at the federal level to streamline the US government have had a trickle-down effect on the states, and critical funding sources may be reduced or eliminated altogether.

Complex operational environments

These organizations also often have complex operational environments, full of people who are tasked with managing a diverse and sprawling digital footprint. There may be dozens of agencies or departments, each with their own tools, policies, and infrastructure. 

Such decentralized governance can lead to inconsistent security practices, visibility gaps, and poor enforcement of baseline controls. This inability to centrally monitor and segment networks can increase the exposure to cyberattacks. 

Moreover, the operational technology (OT) used in systems like water, power grids, transportation, and emergency communication is particularly vulnerable. OT systems were built for uptime and availability, not for security, which leaves these devices highly exposed to threats. In many cases, OT systems are directly connected to the organization's IT systems, so any compromise of the IT network can affect the mission-critical systems.

Cybersecurity best practices for critical infrastructure protection

Now that we have a firm understanding of critical infrastructure and the unique challenges encountered by state and local governments, let's look at some actionable strategies that these organizations can use to dramatically reduce their risk exposure, including: 

  • Obtain a complete inventory
  • Map out dependencies
  • Apply Zero Trust principles
  • Consider other general network security techniques

Obtain a complete inventory

The best place to start is to gain an understanding of all the devices in the environment. Ideally, you’ll want a complete inventory of all assets, including IT, OT, and Internet of Things (IoT) devices; that is, anything that can communicate on the network. It’s crucial to understand how these devices communicate with one another, with cloud environments, and with the internet. 

If possible, try to document not only which devices are communicating, but also what processes are being used. This will enable highly secure policies to be created that only allow the necessary communications. It is not possible to protect what is unknown, so this visibility is vital for a successful protection strategy.

Map out dependencies

Once clarity is established, you can start to map out dependencies. Of all the traffic flows observed during inventory, which ones are required for your applications to function properly? Which are required for your network to operate? 

For instance, maybe you discovered that remote desktop sessions are being established from random workstations to devices in the SCADA network. This is most likely undesired behavior, so a policy that defines what devices can communicate with the SCADA devices would be in order. 

With a firm understanding of the required data flows, network segmentation can be used to create security boundaries around the critical infrastructure, allowing only the required communications to these systems. An even more effective solution: microsegmentation. 

Microsegmentation offers several advantages

Microsegmentation builds upon traditional network segmentation by narrowing the security perimeter to the individual workloads, enabling the administrator to tightly control all the communications in and out of each device. 

The most effective microsegmentation solutions allow policies to be created with Layer 7 context, meaning that the policy will define not only the port and protocol allowed, but also the specific processes that can be executed. This type of policy is extremely effective, as it minimizes the impact of a breach. 

If we apply Zero Trust logic and assume a compromise will occur, a Layer 7 policy will prohibit an attacker from moving laterally. Since the allowed processes are already defined, the attacker is unable to escalate privileges or move to other systems.

Apply Zero Trust principles

Speaking of Zero Trust, it is a very good idea to apply these principles in the protection playbook. Specifically, the principle of least privilege should be implemented across users, devices, and workloads. Enforcing strong identity and access control by using tools like multi-factor authentication (MFA) and role-based access control (RBAC) should be considered table stakes. 

Ideally, privileged access can be incorporated into your segmentation (or microsegmentation) policies. A highly effective policy would look like this: A sensitive critical infrastructure workload can only be accessed from a certain jump box, using a specific tool. 

Furthermore, access will only be granted to a member of a specific Active Directory group — and when that authorized user attempts to access the workload, an MFA challenge will be issued to ensure that the correct person is performing this action.
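As an added example (not Akamai's or the author's code), here is a minimal default-deny evaluator for the kind of Layer 7 segmentation policy described above and for the "RDP from random workstations to SCADA" finding from the dependency-mapping step. Host names, segment labels, process names and the OT-Admins group are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed inventory from the discovery phase: host -> network segment.
SEGMENTS = {"plc-01": "scada", "hmi-01": "scada",    # OT workloads
            "jump-01": "jumpbox", "ws-17": "office"}  # the permitted entry point; a workstation

@dataclass(frozen=True)
class Flow:                                    # one observed or requested connection
    src: str
    dst: str
    port: int
    process: str                               # Layer 7 context: the process that opened it
    user_groups: frozenset = frozenset()       # directory groups of the requesting user
    mfa_passed: bool = False                   # whether an MFA challenge was satisfied

@dataclass(frozen=True)
class Rule:                                    # an allow rule; unmatched traffic is denied
    src_segment: str
    dst_segment: str
    port: int
    process: str                               # the only process permitted on this path
    required_group: Optional[str] = None       # hypothetical directory group name
    require_mfa: bool = False

# Constructed policy in the post's shape: SCADA reachable over RDP only from the
# jump box, only via mstsc.exe, only by an OT-Admins member who passed MFA.
POLICY = [
    Rule("jumpbox", "scada", 3389, "mstsc.exe", required_group="OT-Admins", require_mfa=True),
    Rule("scada", "scada", 502, "modbus_poller"),  # HMI polling the PLC over Modbus/TCP
]
def evaluate(flow: Flow, policy=POLICY):
    """Return ("allow", why) or ("deny", why); nothing matched means deny by default."""
    reasons = []
    for rule in policy:
        if (SEGMENTS.get(flow.src), SEGMENTS.get(flow.dst), flow.port) != \
                (rule.src_segment, rule.dst_segment, rule.port):
            continue                           # rule covers a different path
        if flow.process != rule.process:
            reasons.append(f"process {flow.process} not allowed (only {rule.process})")
        elif rule.required_group and rule.required_group not in flow.user_groups:
            reasons.append(f"user not in {rule.required_group}")
        elif rule.require_mfa and not flow.mfa_passed:
            reasons.append("MFA challenge not satisfied")
        else:
            return "allow", f"matched {rule.src_segment}->{rule.dst_segment}:{rule.port}"
    return "deny", "; ".join(reasons) or "no matching rule (default deny)"

# Constructed sample of flows captured while building the inventory.
OBSERVED = [
    Flow("ws-17", "plc-01", 3389, "mstsc.exe"),                                    # RDP from a random workstation
    Flow("jump-01", "hmi-01", 3389, "mstsc.exe", frozenset({"OT-Admins"}), True),  # the intended admin path
    Flow("jump-01", "hmi-01", 3389, "mstsc.exe", frozenset({"OT-Admins"}), False), # right path, no MFA
    Flow("jump-01", "hmi-01", 3389, "psexec.exe", frozenset({"OT-Admins"}), True), # wrong tool from the jump box
    Flow("hmi-01", "plc-01", 502, "modbus_poller"),                                # normal OT polling
]
```

Running `evaluate` over the observed flows before enforcement shows which current traffic the policy would cut off, which is the review step a segmentation project needs before moving from monitoring to blocking.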

Replace traditional methodologies with modern Zero Trust solutions

Zero Trust principles should also be included when provisioning remote access to critical infrastructure. While it may be necessary to grant access to remote field personnel and third-party vendors, it is vital to understand that traditional access methodologies like VPN and Remote Desktop Protocol (RDP) are generally not secure and should be replaced with more modern Zero Trust access solutions. 

Modern Zero Trust Network Access (ZTNA) solutions provide highly secure connections to internal resources, giving users access to just what they need, without overprovisioning access to allow connections to resources out of scope for their role. 

A common example is providing an HVAC contractor with VPN access to facilitate the remote maintenance of the HVAC system. This often gives the contractor access to anything on that network segment, which can be a lot more than just the system they maintain. 

What if the VPN lets them access the SCADA network? What happens if the contractor is compromised and an attacker gains access to the VPN and can access the SCADA system? Bad outcomes are likely.

Consider other general network security techniques

Other considerations are more general to network security as a whole, but when viewed with a lens specific to critical infrastructure, they take on a higher degree of importance. These would include:

  • Regular backups and recovery drills. Ensure there are offline and immutable backups in place. More critically, make sure to test the backups and be familiar with the restoration process. Integrate this with the incident response plan.
  • Endpoint and email security. Use an EDR/XDR tool along with a DNS firewall to safeguard systems from cyberthreats. Include email filtering and end-user training as a first-line defense.
  • Incident response plans. Include sector-specific emergency response plans (e.g., water vs. airport vs. public health emergencies) along with cross-agency tabletop exercises to ensure preparedness for a cyber incident.
  • Vendor and supply chain risk management. Make certain to vet and monitor vendors with system access, especially at facilities like airports or utility suppliers.

How Akamai can help

Microsegmentation

Akamai Guardicore Segmentation is the perfect solution to protect critical infrastructure. It’s a host-based firewall solution that gives you visibility into all the network traffic in your environment, allowing you to see not only “who’s talking to whom,” but “what they’re talking about.” 

This means that we can see not only which devices are communicating with one another, but also get rich contextual Layer 7 information about the processes that are running on each system. 

Having this visibility allows you to create policies that only allow the communications necessary for your network and applications to work. Anything that is not specifically allowed is blocked — so, in the case of a breach, the attacker cannot move laterally to other systems and cannot execute processes that enable them to escalate privileges. 

This software-based approach makes segmentation projects easier and faster to complete, resulting in an enhanced security posture with a much faster ROI.

Zero Trust application access

Today’s effective security posture has replaced traditional VPNs with a Zero Trust Network Access solution. These products provide a single sign-on experience for users, giving them access to only the resources they need to do their job — and nothing else. Users can’t access anything they have not been assigned to use. 

Akamai Enterprise Application Access is a great choice for this requirement. Our application-aware proxy service provides a seamless application access experience, no matter where the application origin resides or where the user is accessing the resources. 

Enterprise Application Access can also help with remote employee and contractor access. RDP and Secure Shell (SSH) sessions can be provisioned to be accessed via web browser, which is perfect for third-party vendor access.

DNS firewall

A DNS firewall is a very effective and low-cost tool to protect users and devices on your network from threats like phishing, malware, command and control infrastructure, and DNS data exfiltration. By not resolving DNS requests for these types of domains, the solution prevents connections to these malicious entities. 

Akamai Secure Internet Access is a great choice. It’s a low-cost, easy-to-implement solution that has best-in-class threat protections, including threat intelligence to enable zero-day phishing detections.

Multi-factor authentication

Akamai MFA includes the familiarity and ease of use of a push notification to a smartphone, and layers on FIDO2 security to create a phish-proof push. Instead of using a hardware token for FIDO, which has additional cost, Akamai MFA uses a proprietary smartphone app (included with the service) to create a connection between the smartphone and the web browser configured to use the service. 

If the push notification is not requested by the configured browser, the push notification does not occur. This prevents an attacker from replaying MFA requests and tricking users into accepting fraudulent push notifications.

Conclusion

For public sector organizations, protecting critical infrastructure like SCADA systems, public health networks, transportation systems, 911 centers, and other essential services demands more than reactive measures or compliance checkboxes. These are not just IT assets — they are lifelines for millions of people. Securing them requires a deliberate and strategic shift toward resilience by:

  • Modernizing legacy environments that were never designed with today’s threat landscape in mind
  • Enforcing Zero Trust principles to ensure access is continuously verified, not assumed
  • Segmenting networks and critical systems to prevent hackers from moving freely once inside
  • Embracing incident readiness and recognizing that even the best defenses must be backed by robust response and recovery plans

Cyberattacks are no longer hypothetical — they are routine, well-funded, and often devastating. As adversaries grow more sophisticated, our defenses must grow smarter, faster, and more coordinated.

Now is the time to act

Start by assessing your most vulnerable systems. Engage your cross-functional teams — from IT to emergency management — and align around a common goal: to protect the digital infrastructure your communities rely on. Seek out partnerships, take advantage of available resources, and build a cybersecurity roadmap that’s both realistic and resilient.
