Critical Infrastructure Security Takes Center Stage at ISC East

Airports, seaports, roads and bridges, the electric grid, dams, military bases, water treatment plants, chemical factories, data centers and other kinds of physical locations make up the essential, interdependent networks and systems that support all life and trade around the world. We don’t think about them often—even while we’re using them—until something goes wrong. They make up our critical infrastructure and securing the locations, facilities and people who work in them, is among the most important responsibilities of security professionals.

At ISC East, kicking off on Nov. 20 at the Javits Center on Manhattan’s West Side, critical infrastructure security, and the companies that provide the products and expertise to ensure it, will take center stage—literally. In addition to a dedicated area for products, technology and companies involved in securing critical infrastructure, two special hour-long sessions on The Bridge Stage, at the heart of the expo floor, will expose ISC East attendees to a range of emerging solutions.

Hosted by Lee Odess, a highly sought-after consultant and speaker in the security world, each session—both titled Critical Infrastructure: Reframing Problems, Revolutionizing Solutions—is a 60-minute whiparound featuring seven companies at the forefront of critical infrastructure technology and solutions. Each company will deliver a 10-minute presentation, focusing on the critical infrastructure challenge they've identified and their approach to solving it.

Odess sat down recently with ISC News Editor-in-Chief D.J. Murphy for a one-on-one discussion about some of the important considerations for those responsible for protecting critical infrastructure.

ISC News: What are critical infrastructure security pros not thinking enough about right now?

Lee Odess: One of the most critical issues inadequately addressed by professionals securing critical infrastructure is the cybersecurity risks associated with operational technology (OT), like physical access control, and industrial control systems (ICS), such as a SCADA system. These systems, crucial for sectors like energy, water, transportation, and manufacturing, were historically isolated from IT networks and the internet. However, the adoption of IoT devices and the push for greater connectivity have led to increased integration with IT systems, creating new vulnerabilities.

Many organizations struggle with proper network segmentation, updating legacy components, developing comprehensive incident response plans, training personnel, and implementing effective monitoring across both IT and OT networks. The potential consequences of a successful attack could be severe, including physical damage, environmental harm, or loss of life. Despite growing awareness and efforts to address these challenges, the complexity of securing OT/ICS environments, coupled with rapid technological change, means many professionals still grapple with fully addressing this critical cybersecurity area.

ISC News: Is there an infrastructure category right now that is especially vulnerable?

Lee Odess: Research indicates that the water and wastewater treatment sector is particularly vulnerable within critical infrastructure. This vulnerability stems from several factors: aging infrastructure, chronic underinvestment, cybersecurity gaps, and the sector's highly distributed nature. Many water treatment facilities and distribution systems in developed countries are reaching or exceeding their intended lifespans, making them prone to failures and lacking modern security features.

Resource constraints, especially in smaller utilities, hinder the implementation of thorough cybersecurity and physical security measures. While the adoption of Industrial Internet of Things (IIoT) devices improves efficiency, it also expands the potential attack surface. Climate change impacts and chemical supply chain issues add further stress to this critical infrastructure.

The vulnerability of water infrastructure is particularly concerning due to its direct impact on public health and its criticality for other sectors. Significant disruptions could have cascading effects on healthcare, agriculture, and various industries.

ISC News: What is the main outside threat to critical infrastructure facilities right now?

Lee Odess: The primary external threat to critical infrastructure facilities is increasingly sophisticated cyberattacks, particularly from nation-state actors and advanced persistent threat (APT) groups. This threat is amplified by heightened geopolitical tensions, continually evolving attack techniques (including AI-enhanced malware and supply chain attacks), and an expanded attack surface due to growing OT-IT interconnectivity. Targeted, destructive ransomware attacks, insider threats, resource imbalances between attackers and defenders, and the interdependent nature of critical infrastructure systems further contribute to the severity of this threat.

The combination of technical attacks with information warfare tactics complicates defense efforts. These cyber threats are particularly alarming due to their potential for widespread disruption, physical damage, and public safety risks, making them a top priority for security professionals and policymakers.