Critical infrastructure protection in 2025

Victoria Rees
Edward Levy, Director of Critical Infrastructure at NOBLE, discusses how critical infrastructure in the private sector can protect against vulnerabilities in 2025.
A pragmatic view of critical infrastructure
According to the Department of Homeland Security (DHS) 2025 Homeland Threat Assessment, the full spectrum of security threats and risks facing organizations is not improving, but actually appears to be worsening.
However, challenges remain that will influence investment in authentic risk management practices.
Decision processes will be impacted by risk management principles weighted to likelihoods and personal experiences.
This is a key part of the notion surrounding the “risk of risk management” practices, where despite the objective nature of quantitative risk management applications, a considerable level of subjectivity is still applied.
Investment in talent, equipment, technology and training associated with security and resiliency practices will also remain a challenge in 2025.
This is due to the separation of protective programs within many organizations between the technical, virtual and the physical… which can also be further expanded to the environmental, intellectual and financial.
A good example is that despite all the attention on cybersecurity, a PwC 2025 Global Digital Trust Insights report found that only 2% of a large business population surveyed have implemented firm-wide cyber-resilience, even as cybersecurity concerns are top-of-mind and the average data breach exceeds $3 million.
From the strategic view I see four major priority groupings, interconnected areas that impact a nation’s overall security.
Homeland defense, homeland security, emergency support functions and critical infrastructure protection collectively achieve the results for national and economic security, community safety and resilience.
These may be viewed by some as connected, others independently, but from a national or strategic view, whether a government agency or a business, all can easily factor into each other and can significantly impact desired results.
Much of this is outlined in further detail in the US National Infrastructure Protection Plan, which is not likely to be included in boardroom or risk committee discussions.
Important to note is that the private sector relies heavily on the public sector.
There is comfort in expecting and knowing we have a strong military or rapid local responses to emergencies. But when we consider US critical infrastructure – the 16 sectors and sub-sectors – the risk management requirements must be driven internally.
Government will be there to help, guide and at times assist and train, but overall responsibility and accountability lies with private sector entities.
“Tell me something I don’t already know”
Cyber, cyber, cyber! AI, AI, AI! The threat vectors and capabilities that the critical infrastructure industry faces are a continuously changing dynamic.
Threats linger, ready to pounce on vulnerabilities, hiding out in cyber-space to attack at any opportunity. This poses the ongoing questions of: what is the right amount of protection and how much will it cost?
It’s essential to revisit and improve upon three critical cybersecurity practices that also cross into the physical domain:
Zero trust (ZT): The term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources.
A zero trust architecture (ZTA) uses zero trust principles to plan industrial, enterprise and critical infrastructure and workflows.
Those of us in the physical security world must apply a zero trust physical security architecture to access control, intrusion detection, video management and command & control systems.
This essential requirement must be incorporated into legacy and newly applied systems, defending against being the point of failure.
Data loss prevention: Having back-up systems and redundant data storage is old-school and remains a point of vulnerability unless expanded with end-to-end encryption.
Traditional and modern data security requires integrity in the operating system (OS) and in the communication protocol.
With zero-day hacking attacks rapidly increasing, traditional security is unable to protect an organization’s valuable data against these constant vulnerabilities.
That is why having the right technology to replace data with instantly “obsolete” random streams of values that are restored on the other side is vital.
Insider threat: This will remain a significant point of vulnerability due to the multifaceted elements of the human factor with physical and virtual access into the workplace and the ability to commit harm along a multitude of fronts.
To reduce the risk of insider threat to its greatest extent, there must be parity of policies and standards for access controls, visitor/vendor management and third-party risk management.
Keeping me awake at night
My parents and grandparents lived in the early stages of the Cold War Era, worried about a nuclear missile attack.
When I was a child, we had fire drills in my elementary school for exiting the building and additional drills in the building heading into the fallout shelter in preparation for a nuclear strike.
Throughout the US, buildings to protect communities were everywhere.
However, today the threat of unconventional weapons – chemical, biological and radiological (CBR) – remains unthinkable to many in the private sector.
Likewise are weapons of mass destruction (WMD) like explosives, mass shootings, vehicle rammings or the use of synthetic drugs as weapons.
Although governmental agencies apply appropriate measures advising and preparing responses to CBR threats, we see little to no measures for detection and assessment to provide early warning to minimize fateful outcomes.
The notion of reciting probabilities against the CBR threat, and an over-reliance on a government response, will only produce devastating results from a failure to anticipate and resource.
Decision makers must consider the potential threat capabilities (not just imminent threat) of adversaries to cause catastrophic harm.
Despite the indiscriminate nature of consequential losses, we do invest in securing our nuclear stockpiles, chemical manufacturing, energy resources, etc.
The same requirements hold true for protecting people against the unthinkable in heavily populated locations like mass transit hubs, popular tourist spots and in stadiums/arenas.
A happy new year
None of us have a crystal ball to predict what 2025 and the future will look like for critical infrastructure. What we do have is experience and historical accounts of the past.
We do know our adversarial threats are persistent, continually aspiring to evolve and adapt their tactics.
We can prepare for the worst and hope for the best. On the other hand, a wise sage once told me: “hope and luck is not a protective strategy.”
This article was originally published in the December edition of Security Journal Americas.