Public Private Partnerships And The Cybersecurity Challenge Of Protecting Critical Infrastructure

Source: COGNITIVE WORLD on FORBES

In the U.S., most of the critical infrastructure, including defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking and finance, is owned by the private sector (about 85 percent according to DHS) and regulated by the public sector. The public and private relationship in operating and protecting critical infrastructure requires a strong working partnership.

Protecting the critical infrastructure poses a difficult challenge because democratic societies by their nature are interactive, open and accessible. Because of the growing digital connectivity (and interdependence) of both IT and industrial control systems, critical infrastructure is facing an evolving and sophisticated array of cybersecurity challenges. 

A recent survey of professionals in industries using industrial control systems (ICS) and operational technology (OT) commissioned by Tenable from the Ponemon Institute found that 90 percent of respondents say their environment has been damaged by at least one cyberattack over the past two years, with 62 percent experiencing two or more attacks. The survey of security professionals also revealed that nine in 10 critical infrastructure providers have experienced cyberattacks that rendered their systems out of action in the last two years.

The global threat actors are terrorists, criminals, hackers, organized crime, malicious individuals, and, in some cases, adversarial nation states. Earlier this year it was revealed by security researchers from FireEye's Mandiant Incident Response and Intelligence team that Iran had engaged in a multi-year, global DNS hijacking campaign targeting telecommunications and internet infrastructure providers in the Middle East, Europe, and North America.

Director of National Intelligence Dan Coats recently stated that “the threat was growing for a devastating cyber assault on critical U.S. infrastructure, saying the ‘warning lights are blinking red again’ nearly two decades after the Sept. 11, 2001, attacks.”

Critical infrastructure is the core of our nations’ prosperity and well-being, and addressing the threats to it requires incorporating a robust, calculated security strategy of public and private sector partnering. Cybersecurity relies on the same security elements for protection as physical security: layered vigilance, readiness and resilience.

For example, energy security and the power grid require public-private cooperation and regulatory coordination among industry and the Department of Homeland Security (DHS), the Department of Energy (DOE), and the Department of Defense (DOD). The power grid and other industrial infrastructure have been increasingly subjected to both physical and cybersecurity attacks in recent years. According to Israel Barak, CISO at Cybereason, “most countries are still vulnerable to cyber-attacks on critical infrastructure because the systems are generally old and poorly patched. Power grids are interconnected and thus vulnerable to cascading failures.”

Protecting critical ICS, OT, and IT systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies. The explosion of connected devices comprising the Internet of Things and the Industrial Internet of Things is daunting. The integration of hardware and software, combined with the growing number of networked sensors, is redefining the attack surface across all digital infrastructures.

According to the DHS Alert (TA17-293A), threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors since at least 2017 and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity.

It's a global threat, not just one against the United States. In 2017, hackers used Triton, a specialized malware, to compromise critical safety systems at Schneider Electric. The malware is still being used to target industrial systems.

Because of the sensitivity of the threats to national security and the changing threat matrix of hackers augmented by newer technologies such as machine learning and artificial intelligence, the government is prioritizing a risk management approach to defend against more sophisticated malware and automated attacks targeting critical infrastructure. An effective risk management approach necessitates information sharing that allows government and industry to keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats, and denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that are critical to successfully mitigating incidents.

A cornerstone of that approach is creating Public Private Partnerships (PPP) based upon risk management frameworks. A high level of public-private collaboration is needed to address growing cyber-threats. Preparation and commitment from both government and industry leadership are critical. Industry should collaborate with government to best utilize risk management models and prepare resiliency plans.

The specifics of an industry security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for operational management and critical communications in cases of emergency.

In the federal civilian sector, DHS’s new agency, the Critical Infrastructure Security Agency (CISA), puts a keen focus on DHS’s integral role in cyber preparedness, response and resilience for critical infrastructure. DHS has identified 16 infrastructures deemed critical because their physical and digital assets, systems, and networks are considered vital to national economic security, safety and national public health. CISA’s stated role is to coordinate “security and resilience efforts using trusted partnerships across the private and public sectors, and deliver training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.”

At DOD, Former Commander of the U.S. Cyber Command and former Director of the National Security Agency hailed the importance of the public-private cybersecurity partnership stating that “collaboration is critical given growing threats to everyone from cyberspace.” DOD and the National Security Agency (NSA) are working closely with the private sector in information sharing and in developing solutions to evolving threats. 

Whether the U.S. critical infrastructure protection security mission includes DHS, DOD, DOE, the intelligence community, or other government agencies, a public/private security strategy to meet growing challenges needs to be both comprehensive and adaptive. The same formula applies to other democratic nations sharing operations across industries and infrastructure. 

In an ecosystem of both physical and digital connectivity, there will always be vulnerabilities, and a breach or failure could be catastrophic. Mitigating evolving threats and being resilient to breaches are paramount for critical infrastructure protection. There is little room for error, and success in PPP is dependent on information sharing, planning, investment in emerging technologies, and allocation of resources coordinated by both the public and private sectors in special working partnerships.


Chuck Brooks is a globally recognized thought leader and evangelist for Cybersecurity and Emerging Technologies. He is also Adjunct Faculty at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs where he teaches courses on risk management, homeland security, emerging tech, and cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 550 million members.

Chuck was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to FORBES.

Chuck is on the MIT Technology Review Advisory Global Panel, a member of The AFCEA Cybersecurity Committee, and a member of the Institute of Electrical and Electronics Engineers (IEEE) Standards Association (IEEE-SA) Virtual Reality and Augmented Reality Working Group. Chuck was also appointed as a Technology Partner Advisor to the Bill and Melinda Gates Foundation. He has served as the Chairman of CompTIA’s New and Emerging Technology Committee, and as the lead Judge for the 2014, 2015, 2016, and 2017 Government Security News Homeland Security News Awards evaluating top security technologies. In government, Chuck has received two senior Presidential appointments. Under President George W. Bush, Chuck was appointed to the Department of Homeland Security (DHS) as the first Legislative Director of the Science & Technology Directorate. He was also appointed as Special Assistant to the Director of Voice of America under President Reagan. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues.

In media, Chuck is the featured Homeland Security contributor for Federal Times, featured cybersecurity contributor for High Performance Counsel, and an advisor and contributor to Cognitive World, a leading publication on artificial intelligence. He has also appeared in Forbes and Huffington Post and has published more than 150 articles and blogs on cybersecurity, homeland security and technology issues. He has 45,000 followers on LinkedIn and runs a dozen LinkedIn groups, including the two largest in homeland security. In academia, Chuck is Adjunct Faculty at Georgetown University, teaching a course in homeland security risk management.