Imagine a major city in the United States without power. Transportation systems would fail, and businesses would have to shut down. Large segments of the population would panic. Given the role these sectors play in the country’s economy and way of life, the stakes are high. No one can deny the importance of critical infrastructure cybersecurity, and building a cybersecurity program in a critical infrastructure sector demands even more due diligence than usual.

Many critical infrastructure companies are working hard to become resilient to cyberattacks, but they face an uphill battle. So how do security leaders in these sectors execute cyber due diligence? In this article, I’ll look at a few of these sectors, energy, transportation and logistics, and give you recommendations based on my experience.

What is critical infrastructure?

The USA PATRIOT Act defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.” There are many critical infrastructure sectors (the US Department of Homeland Security currently recognizes 16), ranging from energy to transportation to telecommunications, and they need protection from cyberattacks because they are so important to national security, the economy and daily life.

Energy

Energy and utility organizations focus on preventing cyberattacks because without a stable energy supply the economy cannot function. I have done a fair amount of work in this field, helping major companies in the energy sector protect their systems.

This sector is a priority target for cyberterrorists. In 2012 Saudi Aramco, the Saudi Arabian national oil company, was hit by destructive wiper malware (later named Shamoon) that overwrote the data on tens of thousands of hard drives with an image of a burning US flag.
Then Secretary of Defense Leon Panetta, my previous boss when he was Director of the Central Intelligence Agency, labeled the incident a significant escalation of cyber threats, according to the Washington Post.

Between 2010 and 2014, attackers successfully penetrated the US Energy Department’s networks about 150 times, according to USA Today. That figure is alarming, and it shows how exposed even the government’s own critical infrastructure departments are.

Such exposure can have grave outcomes. On 23 December 2015, just days before Christmas, a cyberattack on Ukraine’s power grid left some 700,000 people without electricity for several hours, according to The Telegraph. The attackers gained their foothold with BlackEnergy malware delivered by phishing, then opened breakers through the utilities’ own SCADA control interfaces and wiped operator workstations to slow the recovery.

These incidents are indicators of a much larger campaign by cyber attackers. Those in the energy sector should know, and implement, the best practices I’ll go over shortly.

Transportation and logistics

Our economy relies heavily on trains, planes, ships and automobiles, all of which are under near-constant cyberattack. Cybercriminals are targeting every class of system used in the industry, according to “Security Trends in the Transportation Industry,” an article published by IBM in 2016, including navigation, tracking, positioning and communication systems. If even one of these systems were compromised, it would have a devastating effect on the flow of imports and exports that keeps the economy alive and well.

In 2014 China’s national train reservation system was targeted by hackers who stole customers’ personal data. In 2015 the Polish national airline, LOT, had to cancel 10 flights after a cyberattack disabled the ground computer system that issues its flight plans at Warsaw’s Chopin Airport.
So the fear is not only that hackers will find a way to take control of our transportation systems, but also that personal data will be stolen and exploited in the process.

Earlier this year A.P. Moller-Maersk, the Danish transport and logistics conglomerate, was hit by the NotPetya wiper malware. It crippled the company’s computer systems worldwide and reportedly cost the company up to $300 million. So whether the aim is theft of data or outright disruption, these attacks hurt corporations, organizations and individuals alike.

The harsh reality for critical infrastructure stakeholders

Without a resilient cybersecurity program, cybercriminals could dismantle the systems on which our economies and nations depend, systems the critical infrastructure sectors have spent many years building.

Over the past few years in particular, industries have turned paper processes into digital ones and adopted advanced analytics to streamline operations and solve business problems. Unfortunately, every newly digitized and connected process is another door through which an attacker can enter.

As a security professional in critical infrastructure, where do I start?

The question organizations face is not so much which best practices to implement, but how to implement them. Finding a reference framework for your program can be difficult, because most frameworks and standards are regulatory and industry specific.

Alongside the frameworks you may already work with, such as ISO/IEC 27001, NERC CIP, DFARS (which points to NIST SP 800-171) and COBIT, there is one that covers the depth and breadth needed to organize and execute a thorough cyber program: the NIST Cybersecurity Framework (CSF). The CSF does not replace those standards. Each of its outcomes maps to informative references such as NIST SP 800-53, ISO/IEC 27001, COBIT, ISA/IEC 62443 and the CIS Critical Security Controls, so control work you have already done can be reused.
According to a filing by the Telecommunications Industry Association, the telecommunications sector has identified the NIST CSF as “a great model for consideration of how to begin developing a flexible, voluntary, viable mechanism for cybersecurity readiness and resilience.”

From a risk-based perspective, companies protect their systems by assessing the threats relevant to them and then developing and implementing risk management practices that fit. A broad, one-size-fits-all security plan can itself create weaknesses by forcing companies to spend time and resources protecting data or systems that pose little risk to them specifically. Meeting standards that don’t address a company’s individual security environment is a recipe for missed steps, and can cause an organization to overlook its key needs instead of spending resources efficiently and effectively.

The CSF was built as a flexible approach that evolves with, and encourages, technical innovation and individualized security practices. I tend to think this is a good solution and one I’d recommend for all critical infrastructure sectors. NIST developed the CSF under Executive Order 13636 specifically to enhance the security and resilience of the nation’s critical infrastructure, publishing version 1.0 in February 2014.

The CSF is widely regarded as one of the most robust sets of cybersecurity best practices. Unlike a control catalog such as ISO/IEC 27001, which enumerates individual controls, the CSF describes outcomes organized into five functions (Identify, Protect, Detect, Respond, Recover) and their categories and subcategories, and maps each outcome to the relevant controls in ISO 27001, NIST SP 800-53 and the other informative references. The voluntary, risk-based framework also defines implementation tiers, which describe how rigorous and repeatable an organization’s risk management practices are, and profiles, which record the current and target state of those outcomes so that the gap between them becomes the program roadmap. It creates a common language for all stakeholders to address and manage risk.

Organizations can implement the NIST CSF using the framework document directly from NIST, or by employing third-party NIST CSF management software to make the process simpler and more manageable.
There’s also a NIST CSF guide I wrote, and a previous article I wrote for CSO, “How to spend your cybersecurity budget increase.”

Whatever the implementation method, it’s important for critical infrastructure organizations to assess their cybersecurity risks and protect themselves. An effective way to start is to adopt the NIST CSF, which brings depth and breadth to your organization’s due diligence.