States have cybersecurity programs focused on citizen data protection and often separately run programs to protect critical infrastructure. Cybersecurity specifically for critical infrastructure is a missing piece that poses an increasingly urgent risk.
Cyberattacks present unique challenges:
• Cyber threats lack distinct borders.
• The tactics and technologies are constantly evolving.
• Both public and private sector entities manage critical infrastructure at risk for cyberattack, requiring a coordinated effort and information-sharing processes that currently do not formally exist in many states.
With cyberattacks on critical infrastructure of increasing concern and rising severity, states need to view hiring and training of cybersecurity resources through a new lens. In addition to technical skills, an effective program will require leaders who can encourage strong public-private collaboration and open information exchange. In particular, private sector entities should be able to share sensitive information about potential vulnerabilities around their ability to protect critical infrastructure from cyber risks without fear of reprisal or concern that the information will be made public.
New skill combinations will also be essential. Cybersecurity specialists and teams responsible for critical infrastructure will need to consult with each other and expand their skillsets to develop a complete, accurate picture of vulnerabilities, issue severity, and possible impacts. For example, to accurately reflect risk exposure and protect the power grid from cyberattack, states will need combined expertise in cyber and the cascading impacts of destabilizing the physical power stations. It is also important to consider that preventive measures are not always foolproof. Improving awareness of how new threats present themselves and being able to detect abnormal conditions and expedite responses are essential to reducing harm to the public when attackers are successful.