During the pandemic, businesses and consumers saw firsthand what happens when infrastructure fails. In 2019, the global critical infrastructure protection (CIP) market size was valued at $96.30 billion. It is predicted to grow to $154.59 billion by 2027, with a CAGR of 6.2%. Each time an organization in a critical sector is the victim of any type of cybersecurity incident resulting in data loss, the event counts as a critical infrastructure data breach. Let’s take a look at the facts around data breaches in this sector and how to protect against them.
What is critical infrastructure?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) classifies 16 infrastructure sectors as critical to the nation. Among these critical sectors are financial services, critical manufacturing, information technology, energy, transportation systems, communications, health care and public health, food and agriculture and emergency services.
CISA designates certain industries as critical because their assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety or some combination of those factors. When cybersecurity issues occur in organizations in critical industries, there is a ripple effect with many often-unexpected consequences.
The Colonial Pipeline ransomware attack, for example, shut down an oil pipeline that stretches 5,500 miles from Texas to New York and carries up to 3 million barrels of fuel per day. The five-day shutdown reduced the amount of gas available to the East Coast by half. As a result, many areas experienced gas shortages and high prices. In addition, Colonial Pipeline paid $4.5 million in ransom to restore its compromised systems and faces more fines for operational lapses and management failures. The attack also resulted in new directives issued by the Transportation Security Administration for U.S. pipelines to prevent similar attacks and reduce their impact.
What is a critical infrastructure data breach?
Each time an organization in a critical sector is the victim of any type of cybersecurity incident that results in data loss, the event counts as a critical infrastructure data breach. The IBM 2022 Cost of a Data Breach Report revealed the following breakdown of types of attacks on critical infrastructure industries:
- IT failure (25%)
- Human error (22%)
- Third-party business partner (17%)
- Destructive attacks (16%)
- Ransomware (12%)
- Other malicious attacks (8%)
Impact of a critical infrastructure data breach
Interestingly, the average cost of a critical infrastructure data breach was more than $1 million higher than that of other data breaches. It cost an average of $4.82 million compared to $3.83 million in industries such as pharmaceuticals, services, entertainment, consumer goods, media, hospitality, retail and research. These totals do not include the impacts data breaches and disruption of services have on consumers and other businesses. Those might include supply chain issues or greater health care costs from delays in care.
Not surprisingly, health care continued its 12-year reign as the most costly industry for a data breach. In 2021, the average cost of a health care data breach was $9.23 million. However, the new report found the average cost increased to $10.10 million in 2022, an increase of 9.4%. Other critical infrastructure industries ranked in the top four, with financial services coming in second at $5.97 million. Other high-cost critical infrastructure industries include technology ($4.97 million) and energy ($4.72 million).
Although the costs for critical infrastructure are higher, the report found that defenders find and contain breaches more quickly there than in other industries. That proves the costs would be even higher without the quick action and high priority of cybersecurity workers. The Mean Time to Identify in critical infrastructure industries was 204 days, compared to 211 days for other industries. The Mean Time to Contain for critical infrastructure industries was 69 days, compared to 71 days for other industries. Overall, the combined average for critical infrastructure industries was nine days shorter than the 282 days average for other industries.
Zero trust can reduce costs of data breaches
A surprising finding from the report: critical infrastructure organizations were much less likely to use a zero trust framework. With a zero trust approach, an organization moves away from the traditional strategy of protecting the perimeter and endpoints. Instead, the organization reduces risk by assuming that all access requests from apps, users and devices are not authorized. The user must then prove otherwise since the organization meets every request with zero trust.
The higher costs for critical infrastructure breaches likely relate to the lower adoption of the framework in these industries. The report found that one in five organizations in critical infrastructure industries are using zero trust. However, 41% of all organizations — both critical and non-critical infrastructure industries — now use a zero trust approach.
The report discovered that critical infrastructure organizations that use a zero trust approach have an average breach cost of $4.23 million. Meanwhile, critical infrastructure organizations that are not using a zero trust approach have an average cost of $5.40 million. That’s a difference of $1.17 million per breach. Critical infrastructure industry organizations can reduce the cost of a breach simply by using a zero trust approach.
Moving forward with zero trust in critical infrastructure industries
While the prospect of completely shifting your cybersecurity approach can feel overwhelming, zero trust consists of multiple types of processes and technologies. By starting small, with one type of zero trust approach such as multi-factor authentication or micro-segmentation, your organization can begin to see the benefits of the approach.
Organizations can build upon their initial framework by adding more technology and strategies as they become more experienced with zero trust. The report found that the level of maturity in zero trust makes a difference in breach costs for all organizations. That holds true both in critical infrastructure sectors and other industries. Organizations with a mature zero trust approach spent $1.51 million less than organizations just starting their journey.
Creating a fully mature zero trust framework doesn’t happen overnight. By starting your journey today, your organization can begin reducing both risks and costs of a breach.
Because you are in the critical infrastructure industry, your cybersecurity decisions don’t just affect your employees and customers. They affect people across the country, and even the world. With a zero trust approach, your organization ensures it is able to provide the services others depend on.