Critical Infrastructure Security: Observations From the Front Lines

Attacks on critical infrastructure are ramping up — but organizations now have the knowledge and tools needed to defend against them.

Sean Tufts, Managing Partner for Critical Infrastructure, Optiv

April 12, 2024



Recent headlines around Volt Typhoon, a state-sponsored Chinese threat actor targeting US critical infrastructure, have caused alarm over attacker dwell time and put critical infrastructure security in the spotlight. The group compromises network infrastructure devices to gain access to critical infrastructure organizations and then uses living-off-the-land techniques, relying on built-in administrative tools rather than custom malware, to lurk in victims' environments and position itself for future attacks. Volt Typhoon has been known to target the communications, energy, water, and transportation sectors.

There's no question that critical infrastructure threats such as what we're seeing from Volt Typhoon are concerning and need to be taken seriously. Attacks on critical industries have the potential to cause widescale damage and disruption and can even put people's lives at risk — compromised water sources, gas lines, utilities and healthcare devices, for example, could have a life-threatening impact. Given the high stakes, critical infrastructure organizations need to strengthen security to keep people safe and the global economy working.

However, as someone who works on the front lines of critical infrastructure security, I believe that, rather than panicking about Volt Typhoon and the threats the group represents, we should focus on several positives:

  • Malware built for critical infrastructure is custom and costly to produce. It takes many hands to build an effective package, and we know this because we are, unfortunately, finding complex builds in the field. The positive is that we are now actively looking for this activity instead of stumbling onto it.

  • Many of the 16 CISA-defined critical infrastructure industries have matured their security defenses and are in a better position to defend against advanced threats than they were a few years ago. There is a long path to "secure," but we have better prevention and detection than we did in 2020.

  • It's not uncommon for malware, or a quiet foothold, to sit dormant for years until the time is right to strike. Knowing this, security operations center (SOC) teams have focused on threat detection, improving how they ingest and triage critical infrastructure, industrial control system (ICS), and operational technology (OT) alerts, which has lowered dwell time and improved security overall.

Focus Areas for Critical Infrastructure Sectors

One of the biggest takeaways of the Volt Typhoon activity is that it's crucial for critical infrastructure organizations to conduct risk assessments frequently to see how threats against their company are changing and then use that intelligence to adapt their cybersecurity and cyber resilience strategies accordingly.

If you don't know a threat is there, you can't defend against it. And not all organizations are targeted with the same threats. Additionally, your biggest threat today may not be the greatest source of risk tomorrow. For all these reasons, frequently identifying and quantifying the unique risks to your organization is the first step to staying secure and cyber resilient.

Once the risk assessment is complete, you can then develop or refine your security plan accordingly. Because threats and business needs change all the time, this should be a living strategy. That said, there are a few security fundamentals that should always be prioritized, including:

  • Network segmentation: Divides the network into separate zones for different types of users and services. This approach helps contain attacks and limits the lateral movement of threats within the network.

  • Intrusion detection systems (IDS): Monitor network traffic for suspicious activity. This matters because traditional endpoint security agents cannot be installed on most network infrastructure devices or on controllers, so passive network monitoring is often the only visibility available into what those devices are doing.

  • Identity security: The optimal combination is secure remote access with privileged access management (PAM). The former brokers remote connections so that only authenticated, authorized users reach the network, and blocks everyone else. The latter secures the privileged accounts that hold high-level access to individual controllers at a critical site, so attackers who obtain credentials cannot use them to move across the victim's environment.
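As an added example, not code from the article or from Optiv, the following Python script applies a hypothetical three-zone segmentation policy to constructed firewall flow records and reports the crossings an IDS or SOC analyst would want to see: direct enterprise-to-OT traffic, OT access that bypasses the PAM-brokered jump host, ICS protocol traffic to controllers from anything but an engineering workstation, and OT hosts reaching out to external addresses. The zone ranges, host roles, port list and log format are all assumptions made for the example; the sample log lines are constructed.

```python
"""Segmentation-policy checker over firewall flow logs (added example, not from the article)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout, assumed for this example.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),  # corporate IT
    "dmz": ipaddress.ip_network("10.2.0.0/16"),         # IT/OT boundary zone
    "ot": ipaddress.ip_network("10.3.0.0/16"),          # control network
}
# Assumed role assignments inside the zones.
JUMP_HOST = ipaddress.ip_address("10.2.0.10")          # PAM-brokered remote-access gateway
ENGINEERING_WS = ipaddress.ip_network("10.3.2.0/24")   # engineering workstations
CONTROLLERS = ipaddress.ip_network("10.3.1.0/24")      # PLC/RTU subnet
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Permitted zone crossings (src_zone, dst_zone). Same-zone traffic is always allowed.
# Enterprise and DMZ may reach the internet; OT may not, and nothing reaches OT
# except from the DMZ.
ALLOWED = {
    ("enterprise", "dmz"),
    ("dmz", "ot"),
    ("enterprise", "external"),
    ("dmz", "external"),
}


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in none."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed log line: '<ts> src=A dst=B dport=N proto=P'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def check_flow(flow):
    """Return the list of policy findings for a flow; empty means compliant."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    sz, dz = zone_of(src), zone_of(dst)
    findings = []
    # 1. Zone crossing that the segmentation policy does not permit
    #    (covers enterprise->OT, external->anything, and OT->external).
    if sz != dz and (sz, dz) not in ALLOWED:
        findings.append(f"zone violation {sz}->{dz}")
    # 2. DMZ->OT is allowed only through the PAM-brokered jump host.
    if sz == "dmz" and dz == "ot" and src != JUMP_HOST:
        findings.append("OT access not via jump host")
    # 3. ICS protocol traffic to a controller must come from an engineering workstation.
    if dst in CONTROLLERS and flow.dport in ICS_PORTS and src not in ENGINEERING_WS:
        findings.append(f"{ICS_PORTS[flow.dport]} to controller from {src}")
    return findings


def scan(log_lines):
    """Return [(flow, findings)] for every flow that violates the policy."""
    alerts = []
    for line in log_lines:
        flow = parse_flow(line)
        findings = check_flow(flow)
        if findings:
            alerts.append((flow, findings))
    return alerts


# Constructed sample log: two clean crossings, one clean same-zone flow, three violations.
SAMPLE_LOG = [
    "2024-04-12T10:00:01Z src=10.1.5.20 dst=10.2.0.10 dport=443 proto=tcp",   # IT -> DMZ: ok
    "2024-04-12T10:00:02Z src=10.2.0.10 dst=10.3.2.15 dport=3389 proto=tcp",  # jump host -> OT: ok
    "2024-04-12T10:00:03Z src=10.1.5.20 dst=10.3.1.7 dport=502 proto=tcp",    # IT -> PLC, Modbus: bad
    "2024-04-12T10:00:04Z src=10.2.0.55 dst=10.3.2.15 dport=22 proto=tcp",    # DMZ host bypassing jump: bad
    "2024-04-12T10:00:05Z src=10.3.2.15 dst=10.3.1.7 dport=502 proto=tcp",    # EWS -> PLC, Modbus: ok
    "2024-04-12T10:00:06Z src=10.3.1.7 dst=203.0.113.9 dport=443 proto=tcp",  # PLC -> internet: bad
]

if __name__ == "__main__":
    for flow, findings in scan(SAMPLE_LOG):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  " + "; ".join(findings))
```

The policy is deliberately expressed as data (zone ranges, allowed pairs, role hosts) so it can be reviewed alongside the firewall rulebase; a mismatch between the two is itself a finding. In production the same checks would run over exported NetFlow or firewall logs rather than an inline list.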

From Past to Present

Five years ago, awareness of critical infrastructure security was very limited, and headlines about activity from a threat actor like Volt Typhoon would have been alarming. We've come a long way since then, not only in recognizing the risks to these sectors but also in establishing cybersecurity benchmarks for keeping critical infrastructure organizations secure.

So, while it's true that attacks on critical infrastructure are ramping up, it's also true that organizations now have the knowledge and tools needed to defend against them. Organizations no longer need to be caught off guard. With risk assessments, security fundamentals, and advanced security strategies that target the unique threats to the business, critical infrastructure organizations can build strong security programs that withstand attacks and keep the organization cyber resilient.

About the Author(s)

Sean Tufts

Managing Partner for Critical Infrastructure, Optiv

Sean Tufts is a former NFL linebacker turned cybersecurity leader with more than 10 years of cyber experience and 15 years of ICS experience. As the managing partner for critical infrastructure at Optiv, he heads a business unit responsible for identifying, modernizing and securing critical infrastructure clients' most vital business functions and operational assets. Optiv's IoT/OT team delivers strategic end-to-end security expertise, underscored by Sean’s hands-on knowledge of cybersecurity best practices for industrial and critical settings, including energy, oil and gas, and healthcare. Prior to Optiv, Sean had a hand in developing more than 3,500 MW of wind energy farms for a private EPC. His operations experience allowed for a smooth transition over to General Electric in 2015, where he joined the recently acquired Wurldtech Cybersecurity team. In this role, Sean embedded cybersecurity programs into the rotating machinery controls for GE Power, GE O&G (BakerHughes) and GE Renewables.
