Securing Critical Infrastructure Takes a Village…and Automation

Huge malware and ransomware attacks often grab the headlines, with WannaCry and NotPetya as recent high profile examples. News cycles endlessly discuss who was affected, how these attacks occur, and what can be done about it. For many organizations and individuals, the loss of a network or the compromise of data is big news and really important. 

At the same time, however, we tend to take the services provided by our critical infrastructure resources for granted. We flip a switch and the lights and air conditioning turn on. We turn the tap and fresh, clean water pours out. Goods are delivered, airplanes land on time, and the stock market hums along. But the risks and security of these critical infrastructure resources often flies under the radar.

We may sometimes hear about the targeting of an electrical grid in far off places, but the potential for high-profile cyberattacks on the 16 critical infrastructure sectors identified here in the United States, and the resulting ramifications, are not in the American public’s psyche to the degree they should be. 

Malicious cyber activity targeted at the nation’s critical infrastructure – including water systems, transportation, energy, finance, and emergency services – are particularly worrisome because the interruption of those services can have devastating effects on our economy, impact the well being of our citizens, and even cause the loss of life.

Hackers have a variety of motivations for cyberattacks – mischief, bullying, and financial gain among them. However, for our critical infrastructure sectors, attacks can also come from highly motivated cyberterrorists or hacker groups affiliated with nation states or political factions looking to further their cause or establish a military or strategic advantage.

In some cases, these attackers might want to dramatically disrupt public services; in other cases, their goals are much darker, such as wanting consumers to lose faith in the nation’s financial sector.

There have been documented attacks on critical infrastructure, such as two successful efforts to disrupt the Ukraine power grid in 2015 and 2016. But such events have always seemed safely far enough away. However, this past July, the U.S. government warned nuclear power plants about escalated attacks on their facilities. Such warning ought to make people sit up and take notice. With critical infrastructures increasingly online, interconnected to other resources, and often in the hands of private industry, it’s time that we elevate this conversation.

The challenge, however, is that in many cases attacks on the critical infrastructure are less than obvious. Many of these intrusions are “low and slow.” These subtle attacks – often resulting in incremental changes to the compromised system – worry many security experts because they’re so hard to detect incrementally. It’s relatively easy to recognize when major attacks happen, and the victims can then move to counter them. But sophisticated intrusions often subtly work together to eventually become a strategic liability to our country. Imagine a series of malicious activities that, once in place, are able to affect a region’s ability to provide a reliable water supply, safely transport oil and gas, or provide timely emergency services.

So what can be done? 

The United States’ critical infrastructure is owned and operated by thousands of entities, and the security problem is so interdependent and complex that we’re often paralyzed in determining where to start. To move forward, then, let’s recall the Chinese proverb: The journey of 1,000 miles starts with one small step.

We need to start by getting security practitioners, critical infrastructure operators, and other groups to agree that securing these sectors is a 10-year problem, not a one-year problem.

Next, protecting our critical infrastructure requires a team effort. The Government can’t solve the problem (critical infrastructures are primarily owned and operated by the private sector), and private companies can’t be expected to take on other nations’ cyber militaries. By starting to work together in small ways, broadening security expertise, and conducting joint cyber projects, industry and government can begin to develop the muscle memory necessary to tackle bigger things.

Several critical infrastructure sectors need to start by developing better ways to automatically share threat and vulnerability information within their industries – one man’s detection is another man’s prevention. While some sectors have made serious progress in this area, others have lagged behind. And as critical infrastructure resources continue to become interconnected, the “weakest link” problem becomes increasingly relevant.

Companies also need to focus more on exploring all dimensions of their risk; too often we focus only on Vulnerabilities and Threats. They need to also ask: “What are the bad consequences I’m trying to avoid?” Consequence-based engineering, the practice of engineering out all the potential bad outcomes from the beginning of the system design process, needs to become the standard for the development of all critical infrastructure architectures, whether physical or virtual.

Finally, critical infrastructure operators need to increasingly embrace security automation strategies to complement their safety-oriented operational technology strategies. The best way find the incremental intrusions and respond in a coordinated and comprehensive fashion is through automation. Human eyes often can’t see the low-and-slow attacks, and we can’t respond fast enough once a breach has been detected.

It’s well-documented that the IT industry is in the midst of a digital revolution that is impacting all segments of the economy, from how people work and interact, to how governments serve their citizens. But less appreciated is the fact that we’re also on the verge of a security revolution:

• Analysis of local/limited amounts of data – Seeing context by analysis of ‘big data’
• Point security solutions – Diverse solutions that work together as a system
• Independent infrastructures – Infrastructures that are highly co-dependent.
• Protection at the ‘border’ – Borderless networks with the ability to enforce security policy anywhere.

Security strategy is one of ubiquity, integrated to work as a contiguous system and powered by automation.

So, in a variation of the “it takes a village to raise a family” saying, developing a strategic approach to critical infrastructure security takes a critical mass of cooperating people who leverage the best of breed technologies and strategies to ensure our infrastructures not just survive, but thrive. At the same time, we need to better manage the problem of complexity so that it doesn’t overwhelm network operators. Automated security systems, managed by a strong guild of security professionals who practice working together in times of non-crisis will be able to meet the needs of the villagers they serve – at digital speeds, and without compromising security.

Watch Phil’s recent video where he discusses the strategic nature of attacks against critical infrastructure and the actions necessary to bring focus on finding effective security measures.  

This byline originally appeared in CSO.com.