The next time you turn on the faucet in your home, ask yourself: "How do I know this water is safe?" This may seem an odd way to begin a blog post on security, but it’s important to realize that water, electricity, food, and transportation are all part of the critical infrastructure that provides these conveniences—and in some cases, the lifeline—of our world. Technology is making these systems more efficient, lowering overall costs, and improving service, but those same improvements are also introducing new threats and risks that we often overlook.
While many infrastructure industries have operational plans in place for disaster management, business continuity, and physical security, data security frequently gets relegated to the back burner.
In some industries—such as energy production and distribution—technologies, standards, and protocols exist, but have no strong security concepts built in.. Components with fixed functions, such as pumps and switches, may contain a PC-based front-end and talk IP. Those front-ends are often based on older technologies, and their location and purpose makes it difficult to apply security best practices such as patch management. In many cases, vendors opted to not implement effective security into those components, focusing instead on functionality and performance (sound familiar?).
Other industries, such as financial services, face similar problems. Security frequently was not engineered in technology. Security is also viewed as a potential lag on business enablers, such as speed.
But it’s important to understand that critical infrastructure security is significantly different from, and potentially more important than, traditional data security. Data security is about protecting information, but an attack on critical infrastructure can result in far more than the loss of data—including incursions into the real world. Stuxnet, the first known real-world malware to infect infrastructure, was responsible for shutting down an estimated 20 percent of all Iranian centrifuges by disabling or damaging programmable logic controllers (PLCs) that were critical for their operation. It's easy to see the damage that could be wrought in other infrastructures by infecting air traffic control systems, water and sewer treatment facilities, and other assets. The potential damage goes far beyond data, including potential life-or-death scenarios. The primary problem with attacks on these industries is that they're often targetingtangible assets and operations instead of data.
So what can be done? Different agencies are responsible for defining security controls around these industries in the United States, including: the Department of Energy (for energy production and distribution), the EPA (for water), the DHS (chemicals and hazardous materials), and so on. In some cases, federal agencies give their blessing to non-government agencies to provide security standards for industries—such as the North American Electric Reliability Corporation, which establishes a set of critical infrastructure protection standards for energy generation and distribution companies—and acronymic agencies such as the SEC, FFIEC, and NUCA for the financial services sector. But the agencies don’t work together.
While security controls and standards apply to some industries more than others, the reality is these different security requirements place a heavy—but not necessarily inappropriate—compliance burden on critical infrastructure industries. But there still isn’t a good way to measure the results in order to answer the basic question: "How secure is the United States's critical infrastructure?"
Enter the federal government. There are currently no fewer than four bills circulating through various committees in the House and Senate, all aimed at shoring-up cybersecurity around the nation's infrastructure assets and providing basic measurement reporting across vertical industries. But that really only tells part of the story; since 2004, there have been 12 different bills related to this subject that have been referred to committees . . . and not a single one has passed both chambers of Congress.
The Executive branch took a stab at the problem by issuing an Executive Order in 2013, mandating the National Institute of Standards and Technology (NIST) to develop a comprehensive cybersecurity framework for these industries, while empowering DHS to promote a voluntary information-sharing program between industry participants and the federal government in order to "plug in" to the government's broad-based visibility that individual companies lack. While that was a good idea, the sticking point is the word "voluntary." As of May 2014, only 40 organizations are participating in the DHS program, and many industries—including agriculture, water, public health, transportation, and banking—are not represented. While the NIST standard is a great starting point, there is no feedback on adoption rates across applicable companies. So far, solutions driven from the federal government side are not really working: Industries are still at significant risk, and we don't yet have comprehensive visibility into the "big picture" of security threats across these sectors.
For now, it looks as though critical infrastructure industries are on their own to address security within their own verticals, perhaps with some agency guidance along the way. But the reality is that this model will not work forever. These industries are operating on borrowed time; it's not a matter of "if," but of "when" and to what degree. It's in our best interests as a nation, and that of every nation, to improve infrastructure security and minimize the risks from broad-scale attacks and other threats.