Resilience starting today should be driven by outside-the-box thinking and backups that are built into critical infrastructure to ensure that attacks on water, power or financial networks don’t take down the systems, said Brian Harrell, assistant director for infrastructure security at DHS’ Cybersecurity and Infrastructure Security Agency.
“Security needs to be baked in from the get-go — from the moment you decide you’re going to build this building, security should be at the table,” he said.
Harrell told an audience at Auburn University on Friday that executives need to assess their security posture and honestly answer the question, “Are you prepared to be overwhelmed?”
“Resilience is key,” he stressed, adding that “we should make the assumption that one day we’re going to be attacked,” whether by natural or manmade forces. “Are we thinking about removing those single points of failure and adding redundancy into our system?”
On domestic terror threats, recent mass shootings in Gilroy, El Paso and Dayton are grim reminders that “there are things that we can use today to make us a harder target tomorrow.” The Gilroy Garlic Festival was attacked despite screening at the gate and other security measures.
“Risk is always on the table — we will never ever be able to eliminate all risk but can reduce risk to the lowest possible levels,” Harrell said. “…There are still determined adversaries that can do considerable damage.”
The CISA official emphasized that “see something, say something” is critical to stopping domestic terror attacks before they start, along with hardening targets using measures such as access control, bag screening, and perimeter security. There also needs to “a critical conversation about that pathway to violence” and about response strategies including run-hide-fight.
Harrell also discussed the danger posed by insider threats. “Right now, we have individuals working for your companies that have the institutional knowledge as to how to bring you to your knees,” he warned. “They know what the crown jewels are; they have the keys to the kingdom.”
A background check at the point of hire is “no longer good enough,” he added, as the points of radicalization or evolution into a threat are “coming together in real time — everything is crystal-clear in the rearview mirror.”
“How do we understand the insider’s motivation and get ahead of this threat?” he asked.
Harrell stressed the importance of navigating a hybrid threat landscape, in which physical security and cybersecurity converge, and entities need to emerge from silos and work together to confront the threats.
“We really need to move toward collective defense,” he said.
Emerging threats include the vulnerability of and need to update and patch legacy industrial control systems — particularly in the water sector — as well as drones, which were emerging as a threat “five years ago.”
Companies that own and operate any Chinese-made drones that link in any way to their systems must take steps to mitigate the threat. “This is not the boogeyman — we have seen this with our own eyes,” Harrell said of the risk.
There is also the omnipresent threat of unmanned aerial systems, including off-the-shelf commercial drones, being used to deliver explosive, chemical or biological payloads. “We are living with this threat today and we need to be very cognizant,” the CISA official said.
It’s “incredibly advantageous” for industry to come to CISA to understand the extent of broad and sector threats and get guidance on mitigation strategies, Harrell emphasized.
“Critical infrastructure owners and operators are on the front lines of protecting the critical systems we hold near and dear,” he said.