The “hack” against an Illinois water utility in November brings to the forefront one of the biggest public and private sector concerns when it comes to critical infrastructure protection (CIP): cyber security. Whether it is defending against cyber terrorism, cyber warfare or malicious hackers, it seems clear that securing our country's critical infrastructure must be a nationwide priority. Unfortunately, this and other recent incidents raise serious questions on our state of readiness when it comes to defending against these threats.
The increasing connectedness of infrastructure not only makes us more vulnerable to cyber attacks, but increases the cascading effect an attack can have on other infrastructure sectors and capabilities. When a CIP directive was enacted nearly 15 years ago, that hacked Illinois water utility likely was not accessible via the internet. Today, much if not most of our critical infrastructure is connected either directly or indirectly via corporate networks.
Within some industries, good standards and practices exist. However, for the majority of critical infrastructure sectors, definitive and enforceable standards are absent. This leaves many private industries taking a wait-and-see approach. Why invest time and resources in cyber security when a future standard could nullify the investments made? In an ideal world, private industry would just “do the right thing.” However, implementing a comprehensive cyber security plan is complex and costly. Combine that with a constrained economy and one can understand why many are sitting on the sidelines or taking a very conservative approach.
One can only hope that whatever did happen at that Illinois utility will have a big impact on policymakers across the private and public sector. If nothing else, let's hope it's a wake up call. The infrastructure we rely on – which enables our country to operate and to defend itself – is vulnerable. The time to act is now.