In the U.S., most of the critical infrastructure, including defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking and finance, is owned by the private sector (about 85 percent according to DHS) and regulated by the public sector. The public and private relationship in operating and protecting critical infrastructure requires a strong working partnership.
Protecting the critical infrastructure poses a difficult challenge because democratic societies by their nature are interactive, open and accessible. Because of the growing digital connectivity (and interdependence) of both IT and industrial control systems, critical infrastructure is facing an evolving and sophisticated array of cybersecurity challenges.
A recent survey of professionals in industries using industrial control systems (ICS) and operational technology (OT) commissioned by Tenable from the Ponemon Institute found that 90 percent of respondents say their environment has been damaged by at least one cyberattack over the past two years, with 62 percent experiencing two or more attacks. The survey of security professionals also revealed that nine in 10 critical infrastructure providers have experienced cyberattacks that rendered their systems out of action in the last two years.
The global threat actors are terrorists, criminals, hackers, organized crime, malicious individuals and, in some cases, adversarial nation states. Earlier this year, security researchers from FireEye's Mandiant Incident Response and Intelligence team revealed that Iran had engaged in a multi-year, global DNS hijacking campaign targeting telecommunications and internet infrastructure providers in the Middle East, Europe and North America.
Director of National Intelligence Dan Coats recently stated that “the threat was growing for a devastating cyber assault on critical U.S. infrastructure,” saying the “warning lights are blinking red again” nearly two decades after the Sept. 11, 2001, attacks.
Critical infrastructure is the core of our nation’s prosperity and well-being, and addressing the threats to it requires a robust, calculated security strategy built on public and private sector partnering. Cybersecurity relies on the same security elements for protection as physical security: layered vigilance, readiness and resilience.
For example, energy security and the power grid require private-public cooperation and regulatory coordination among industry, the Department of Homeland Security (DHS), the Department of Energy (DOE) and the Department of Defense (DOD). The power grid and other industrial infrastructure have been increasingly subjected to both physical and cybersecurity attacks in recent years. According to Israel Barak, CISO at Cybereason, “most countries are still vulnerable to cyber-attacks on critical infrastructure because the systems are generally old and poorly patched. Power grids are interconnected and thus vulnerable to cascading failures.”
Protecting critical ICS, OT and IT systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points and a mix of legacy systems and emerging technologies. The explosion of connected devices comprising the Internet of Things and the Industrial Internet of Things is daunting. The integration of hardware and software, combined with the growing number of networked sensors, is redefining the attack surface available to hackers across all digital infrastructures.
According to the DHS Alert (TA17-293A), threat actors have targeted government entities and the energy, water, aviation, nuclear and critical manufacturing sectors since at least 2017 and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Analysis by DHS, FBI and trusted partners has identified distinct indicators and behaviors related to this activity.
It's a global threat, not just one against the United States. In 2017, hackers used Triton, a specialized malware, to compromise critical safety systems at Schneider Electric. The malware is still being used to target industrial systems. Because of the sensitivity of these threats to national security, and because the threat matrix of hackers is changing as newer technologies such as machine learning and artificial intelligence augment their capabilities, the government is prioritizing a risk management approach to defend against more sophisticated malware and automated attacks targeting critical infrastructure. An effective risk management approach necessitates information sharing that allows government and industry to keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats and denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that are critical for the success of mitigating incidents.
A cornerstone of that approach is creating Public-Private Partnerships (PPP) based on risk management frameworks. A high level of public-private collaboration is needed to address growing cyber-threats. Preparation and commitment from both government and industry leadership are critical. Industry should collaborate with government to best utilize risk management models and prepare resiliency plans.
The specifics of an industry security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for operational management and critical communications in cases of emergency.
In the federal civilian sector, DHS’s new agency, the Critical Infrastructure Security Agency (CISA), puts a keen focus on DHS’s integral role in cyber preparedness, response and resilience for critical infrastructure. DHS has identified 16 infrastructure sectors deemed critical because their physical and digital assets, systems and networks are considered vital to national economic security, safety and national public health. CISA’s stated role is to coordinate “security and resilience efforts using trusted partnerships across the private and public sectors and deliver training, technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.”
At DOD, the former Commander of U.S. Cyber Command and former Director of the National Security Agency hailed the importance of the public-private cybersecurity partnership, stating, “Collaboration is critical given growing threats to everyone from cyberspace.” DOD and the National Security Agency (NSA) are working closely with the private sector in information sharing and in developing solutions to evolving threats.
Whether the U.S. critical infrastructure protection security mission includes DHS, DOD, DOE, the intelligence community, or other government agencies, a public/private security strategy to meet growing challenges needs to be both comprehensive and adaptive. The same formula applies to other democratic nations sharing operations across industries and infrastructure.
In an ecosystem of both physical and digital connectivity, there will always be vulnerabilities, and a breach or failure could be catastrophic. Mitigating evolving threats and being resilient to breaches are paramount for critical infrastructure protection. There is little room for error, and success in PPP depends on information sharing, planning, investment in emerging technologies and allocation of resources coordinated by both the public and private sectors in special working partnerships.
Chuck Brooks, columnist, is the Principal Market Growth Strategist for General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty in Georgetown University’s Graduate Applied Intelligence program. He is an Advisor and Contributor to Cognitive World. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 550 million members. He is also an advisor to LinkedIn on cybersecurity and emerging technology issues. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and Executive Editor of a forthcoming Newsweek publication on cybersecurity and artificial intelligence. Chuck’s professional industry affiliations include serving as Chairman of CompTIA’s New and Emerging Technology Committee, as a member of the AFCEA Cybersecurity Committee, and as a member of the Institute of Electrical and Electronics Engineers IEEE Standards Association (IEEE-SA) Virtual Reality and Augmented Reality Working Group. Some of Chuck’s other activities include serving as a Subject Matter Expert to the Homeland Defense and Security Information Analysis Center (HDIAC), a Department of Defense (DoD) sponsored organization through the Defense Technical Information Center (DTIC), as a featured presenter at USTRANSCOM on cybersecurity threats to transportation, and as a featured presenter to the FBI and the National Academy of Sciences on Life Sciences Cybersecurity.