Cyber attacks are hard to prevent. A cyberattack against our nation’s critical infrastructure (CI) is especially hard to thwart and could have devastating consequences to our human existence. Most everyone is aware of the catastrophic risk the electrical grid faces from a cyberattack. To put it in perspective, a complete outage of the electrical grids due to a hostile attack is estimated to have a 70-90 percent casualty rate within 12 months.1
But the electrical grid is not the only critical infrastructure that is vulnerable to cyberwarfare. According to the Department of Homeland Security, there are 16 sectors that make up our nation’s critical infrastructure. They include: chemical/energy/nuclear, commercial/government facilities, communications/information technology, critical manufacturing, defense, financial services, food/agriculture, healthcare/public health/emergency services, transportation, and water/wastewater systems/dams. To be blunt, there is a devastating cost to human life for failing to safeguard these critical systems.
In the past, our critical infrastructure was isolated and non-networked. If you wanted to turn a valve off at a water station, there was a physical valve that needed to be turned at the station. In the past few decades, technology progressed to allow that same valve to be turned on or off using a computer system that was physically available only from within the confines of that station.
More recently, these systems have migrated to a network environment, beyond the physical presence at the station. That last move - exposing the systems beyond the physical and into the cyber realm without a primary focus on security - introduced a lot of vulnerability and risk to the critical infrastructure.
Additionally, the management of a large portion of these critical systems are controlled by small municipalities and service providers that lack the funding to test the security systems that are currently in place, or to conduct important exercises like incident response testing and business continuity testing.
Knowing these limitations, the question remains, “How can the nation’s critical infrastructure be safeguarded against a cyberattack?”
Unfortunately, there is no easy answer, but there are a number of steps local municipalities and providers can take to help protect its critical systems:
1. Build with security in mind from the ground up. It is very important to build security into the critical system from the very beginning stages, and not try to interject it after the infrastructure has already been built. This approach allows for systems to be designed specifically for that organization’s security needs and eliminates extra legwork later in the process.
2. Test network systems regularly. Network systems should be tested regularly, from both a security perspective and from a recovery perspective. The testing organization should be able to determine whether the disruption is an artificial cyberattack on its system or just bad luck, as well as be able to respond to and recover from it, no matter the cause.
3. Understand the threats against it. Understanding the threats against the critical infrastructure is key to being able to protect against them. There are private companies that provide detailed threat intelligence to clients by scanning the internet and dark web for threats that relate to a specific industry, company or region. Having this kind of detailed threat intelligence service is very valuable and worth pursuing for even small municipalities and providers.
Currently, when it comes to securing the critical infrastructure, we rely on the cooperation between local municipalities and service providers, such as the water distributors and the power companies. For the most part, our critical infrastructure is a patchwork of small organizations working together, and there is no single button to push for a major security event. There are literally thousands of buttons to push, and hundreds of hands working together to secure their specific piece of the critical infrastructure.
On a national level, one thing the government can do is declassify or not “over-classify” the threat intelligence it gathers in order to effectively share that important information with the critical industries in the United States. There are programs currently in place that provide threat intelligence, but they require security clearance from the government, which is virtually unattainable by small service providers like the small-town water distributor with the shut-off valve at the station.
There is still a long road ahead to secure the critical infrastructure against a cyberattack. However, the more aware we are of the threats against us, the better able we are to work together to protect against them.
1Threat Posed By Electromagnetic Pulse (EMP) Attack” Committee on Armed Services https://fas.org/irp/congress/2008_hr/emp.pdf, pages, 9-10.
Joe Clapp is a senior consultant at SystemExperts, an IT security and compliance consulting firm.