FAQS

Critical infrastructure refers to the collection of facilities, services, networks, systems, and associated assets - both physical and technical – that serves as the backbone of a functioning society and are vital to national and economic security as well as public health and safety. 

Critical infrastructure protection, security, and resilience in relation to cybersecurity refers to the specific programs, protocols, controls, and technologies used to protect the critical infrastructure of nation states and enable preparation, ability to adapt to the emerging threat landscape, and withstand and recover rapidly from disruptions.

As defined by the U.S. Department of Homeland Security (DHS) through the Cybersecurity & Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7. The sectors that make up U.S. critical infrastructure include:

Much of critical infrastructure was engineered before the widespread digitization and adopting of emerging technologies. To that end, the implementation of operational technology (OT) rapidly increased and has been architected with traditional information technology (IT), creating a converged IT/OT operating environment.

Depending on the organization and its operations, convergence can extend further into IT/OT – Iot/IIoT – ICS/SCADA –BACS/PACS, resulting in a prioritized need in consideration of (revolving dependency) cyber and physical security.

Cybersecurity and Physical security are two distinct functions of an organization’s overall security fabric. Given the rapid introduction of emerging technologies and its increased dependency for physical security, operating environments have changed in security calculus, expanding the threat landscape by creating new threat vectors as consequences cyber-physical interdependency.

Attack Scenario: An attacker exploits a vulnerability in a critical operational technology (OT) system and gains access. The network is compromised, causing operator loss, view, and control. Further, the attacker directly manipulates operational performance of high-risk systems causing dire consequences including physical damage resulting in a cyber-physical attack.

This scenario displays the dependent conditions between operational technology and physical security risks – where the compromise of one seemingly independent system negatively impacts the performance and operation of an entirely separate security function.

The National Institute of Standards and Technology (NIST) is a non-regulatory government agency that provides guidance on security, privacy, and compliance to both federal agencies and private industry.

NIST provides a structured yet adaptable approach to improving cybersecurity, making it suitable for organizations of varying sizes and sectors. Its focus is on improving cybersecurity across critical infrastructure sectors, though applicable to any organization.

NIST's CSF is a voluntary framework that provides a structured approach to managing cybersecurity risks through its core functions. NIST CSF 2.0 adds a sixth function, Govern, focused on cybersecurity governance and aligning with business objectives:

NIST CSF 2.0, released in 2024, is designed for all audiences, industry sectors and organization types, from the smallest organizations to the largest agencies and corporations — regardless of their cybersecurity maturity.

Collectively, these six core functions represent a robust cybersecurity program, guiding organizations in understanding, managing, and reducing cybersecurity risks. Each function has essential activities that are critical to an effective cybersecurity strategy.

Our gap analysis is the process of assessing an organization’s cybersecurity state measured against the desired or required standards to maintain security and compliance with legal, regulatory, and industry requirements.

Through our extensive process, we’ll define fragmentation, disparities, discrepancies, and shortcomings within your overall cybersecurity. By uncovering areas that require enhancement and or alignment, we’ll provide tailored solutions to bridge identified gaps, enhancing your overall security posture and ensuring adherence to recognized cybersecurity standards and or frameworks. Our recommendations are prioritized, and in consideration of budgetary parameters, enabling strategic decision-making and resource allocation.

Our CPSA™ framework is the structure in which OPACC practitioners execute an assessment at the nexus of cyber and physical security. This assessment is conducted boots on the ground (i.e. in-person) and is scoped to focus on converged operating environments where both physical and technical assets along with operations are at risk of cyber-attacks. OPACC’s CPSA is uniquely tailored to the organization type, its operations, assets, regulatory standards, and most importantly capability level.

Penetration testing is a controlled simulated cyber-attack against an organization’s technology architecture (i.e. systems, networks, technical countermeasures, and applications).

Penetration testing is conducted to identify vulnerabilities, risks, and potential security weaknesses.

This type of testing is performed to evaluate an organization's overall cybersecurity and prioritize areas of improvement.

OPACC’s practitioners routinely preform internal, external, social engineering tests (and more) to stress-test and evaluate an organization’s existing security posture resulting in actionable insights and recommendations.

A vulnerability scan is an automated process that scans for known vulnerabilities in your organization’s technology architecture (i.e. systems, networks, technical countermeasures, and applications). A penetration test is a manual process that simulates a cyber-attack and attempts to exploit vulnerabilities, weaknesses, and or gaps.

The development of applicable policies, procedures, and program planning is a critical function for ensuring the overall security of your organization, its operations, and assets. Comprehensive policies, procedures, and program planning strengthens the organization’s defense mechanisms, enhancing resilience against cyber threats.

OPACC’s development process is tailored to meet the unique requirements of each organization and designed to be adaptable, allowing for modifications in response to the evolving threat landscape, cyber tactics, techniques, and procedures (TTPs), industry, and technology advancements.