In Our Rapidly Evolving Cyber-Physical World, Protecting Mission Critical Infrastructure is a Team Sport

As the US gears up to invest in modernizing physical and cyber critical infrastructure, putting a comprehensive cyber security architecture in place is key to remaining secure and resilient, with risks reduced, consequences minimized, threats identified and stopped, and response and recovery hardened.

The goal is to strengthen the resilience of our country’s critical infrastructure by managing physical and cyber risks through the collaborative and integrated efforts of the critical infrastructure ecosystem.

Dispersive has been providing cybersecurity and high-performance networking solutions to military and government agencies for many years, and we are proud of the contributions we’ve made with our market-hardened platform and solutions to protecting enterprises and organizations where the risk of attacks can result in catastrophic consequences.

What is Critical Infrastructure? 

Critical infrastructure includes the assets, systems, facilities, networks, and other elements that society relies upon to maintain national security, economic vitality, and public health and safety, according to the Department of Homeland Security.

Critical infrastructure impacts every individual, household, business, enterprise, and organization, including the power we use, the water we drink, the transportation that moves us, the food supply chain, the Internet, and communications we rely on to maintain contact and get work done, and much more.

Physical and cyber infrastructure is typically owned and operated by the private sector in the US, though some is owned by federal, state, or local governments.

Transportation, water, energy, and communications are so critical that a disruption or loss of one of these functions will directly affect the others, driving the need for security and resilience of critical infrastructure within and across sectors.

These interdependencies between infrastructure elements and categories make collaboration and information exchange top priorities, and the data shared between participants in the rapidly growing world of connected operations and services is a major target of adversaries. We must protect what we connect, especially as more of what we build today and in the future will include embedded systems (to measure and predict road maintenance, for example, or to ensure public venues like airports are equipped with cameras).

One specific real-world example is the February 2021 event, when an operator at a water treatment facility in Oldsmar, Florida, noticed his mouse was moving around his screen, obviously controlled by an intruder. According to police reports, the attack tracked the arrow as it clicked open one software function after another until it finally landed on the controls to the water’s levels of toxic and potentially deadly lye (sodium hydroxide).

The operators observed the hacker as he or she took control of the system, in just minutes raising the levels of sodium hydroxide by more than 100 times, to an extreme that could corrode water infrastructure and sicken residents.

While the operator was able to address this, had the water company had the proper measures in place, the adversary would not have been able to get in and start to manipulate the system.

The Definition of Infrastructure is Expanding:

In 2017, Election Infrastructure was designated as a subsector of the Government Facilities Sector due to the importance of free and fair democratic elections as a pillar of democracy. Working to reduce risk in partnership with the public and private sector entities responsible for providing this constitutional function can restore and maintain public confidence in how the US is governed.

Another expansion is the role of sensors in addressing climate change by enabling environmental protection (reduction of CO2, prevention of water contamination, and availability of sustainable sources of energy, for example). In other words, digital infrastructure aligned with physical infrastructure makes it all the more urgent to secure data at rest and in motion, and by including security in the network fabric, we can protect what we connect.

The current categories of infrastructure according to the DHS and State Department include:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

The Intersection of the Built and Digital Worlds: Cyber-Physical Infrastructure Risks 

Critical infrastructure has long been subject to risks associated with physical threats and natural disasters but now is also increasingly exposed to cyber risks. These risks stem from a growing integration of information and communications technologies with critical infrastructure and adversaries focused on exploiting potential cyber vulnerabilities. As physical infrastructure becomes more reliant on complex cyber systems for operations, critical infrastructure can become more vulnerable to certain cyber threats, including transnational threats.

We saw this play out in the recent Colonial Pipeline ransom attack.

From cyber to physical security threats, we, unfortunately, live in a world where terrorist activity is increasing and becoming more sophisticated and pervasive, where attacks can be either simple and opportunistic or complex and highly organized by criminal rings.

Strengthening the security and resilience of critical infrastructure is a shared responsibility between the critical infrastructure owners and operators and the government entities and non-government organizations (including industry associations) in place to improve how we monitor, manage and govern cybersecurity systems.

What Will Continue to Drive Critical Infrastructure Security and Resilience?

Risk is the potential for an unwanted outcome resulting from an event and is based on the likelihood of threats and vulnerabilities and the associated consequences.

Risk management is the process of identifying, analyzing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level at an acceptable cost.

It is incumbent upon the private and public sectors to work together constantly to assess risk and address the expanding attack surface and to create comprehensive cybersecurity environments, including stronger and more impenetrable networks.

Dispersive is proud to work with the Federal government and top agencies, as well as public sector utilities and companies, and to bring forward our platform, which is based on our session-splitting software solutions and is less expensive and more agile than traditional networking technologies.