Welcome to the inaugural posting for the Critical Infrastructure blog. I hope this will help to broaden the scope of information security coverage provided by RSA® Conference 365. As part of the recognition of this increasingly important area, the RSA Conference will feature a track entitled Physical Security and Critical Infrastructure, which had previously been covered under the Physical Security track. As a way of introducing the updated track, this blog will highlight the sessions selected to be presented at the RSA Conference in San Francisco this coming March once they’re announced.
Critical Infrastructure covers a wide variety of industries and technologies, from transportation to financial services. The United States Department of Homeland Security defines 18 different Critical Infrastructure and Key Resource Sectors, including national monuments and icons. Such a broad-based definition inevitably draws criticism for watering down the significance of what is truly critical. Moreover, calling a sector critical is much different than labeling a particular device or asset critical. Regardless of the industry, there are likely to be components whose continued operation, as intended, is critical to protecting life and ensuring delivery of necessary ingredients to keep our economy running. Frequently, these devices go by the name of industrial control systems. Many of them directly control the signaling that runs and regulates our trains, the motors that manufacture our goods, and the valves and switches that deliver our water, gas, and electricity. Frequently, these systems are contrasted with conventional IT systems that may ultimately influence control systems but generally are only responsible for processing, storing, and transmitting electronic data. Industry expert Joe Weiss offered an interesting contrast, noting that IT systems use physics to manipulate data while control systems use data to manipulate physics. While people may quibble about whether control systems and IT systems are that different, there is little doubt that control systems deserve special attention, as they often operate in real time without opportunity to roll back an action taken and can cause significant harm to human life and property if their integrity or availability is compromised.
Within the various critical infrastructures, debates rage about what is critical. Within the electricity sector, a debate has raged over what should be considered an appropriately critical cyber-asset under the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Reliability Standards, with some arguing that critical assets should be anything that, on its own or by cascading effect, could affect the reliability of portions of the electric grid. Others argue that it is only elements that support the transmission infrastructure, along with resources necessary to restart the grid after a catastrophic outage. This blog will showcase the efforts to define what is critical and how both critical and noncritical assets can best be protected. As we embark on smarter grids and smarter factories, it becomes more important that IT and control systems not only work well together, but also mutually work to ensure that cyber and physical security are addressed and remain a high priority.