Protecting our critical infrastructure from both cyber and physical threats will be a key challenge for 2019 and the years following. The Department of Homeland Security (DHS) describes critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”
Critical infrastructure has been, and continues to be, targeted by hackers, nefarious organizations, and state actors because it is vital to the American economy. The energy sector stands out as particularly vulnerable. This ecosystem of insecurity includes power plants, utilities, nuclear plants, and The Grid. Protecting our National Grid is certainly an encompassing topic that keeps DHS, DoD and intelligence community planners up at night. The threats range from cybersecurity attacks, to an Electromagnetic Pulse (EMP) generated by a geomagnetic solar flare or by a terrorist short-range missile, to a physical assault on utilities or power plants.
According to a recent Ponemon Institute Report, three-quarters of energy companies and utilities have experienced at least one recent data breach. Overseas in Ukraine and Japan, hostile cyber attacks on power plants have been successful. We are quite vulnerable. Much of our grid still relies on antiquated technologies, and more investment in hardening defenses is needed. As technology exponentially advances with artificial intelligence, and as threat actors (including cyber mercenaries) easily gain destructive tools via the dark web, the risks grow.
A recent report by the House Energy and Commerce Committee summed up the challenges: “Cybersecurity is a shared problem, and not just abstractly. The Internet by its technical design requires at least two devices, connected through wires or spectrum, communicating through standardized networking protocols. Consequently, even if one end of a connection is secure, the other might not be, and that puts both at risk. Multiplied by the millions upon millions of individual connections that make up the Internet, the end result is that the only feasible way to provide any appreciable level of cybersecurity is cooperation. More so than nearly any other shared resource, cybersecurity requires a ‘whole-of-society’ approach, in which individuals and organizations across both the public and private sectors play vital, integral roles.”
Risk management incorporates that “whole-of-society” approach and is a guiding path to pursue. In cooperation with the recently established DHS Critical Infrastructure Task Force, there have been legislative initiatives to promote collaborative efforts – among federal, state, and private stakeholders of the electricity sector – to assess and improve the physical security and cybersecurity of electric utilities.
There are several compelling themes I recommend to help mitigate risk. These include:
- Invest in hardening the National Grid to make it resilient to solar flares or EMP attacks. This is an urgent imperative. Peter Pry, a member of the Congressional EMP Commission and executive director of the Task Force on National and Homeland Security, put the threats in frightening perspective: “Natural EMP from a geomagnetic super storm, like the 1859 Carrington Event or 1921 Railroad Storm, and nuclear EMP attack from terrorists or rogue states, as practiced by North Korea during the nuclear crisis of 2013, are both existential threats that could kill 9 of 10 Americans through starvation, disease and societal collapse.”
- Remain vigilant and continually analyze and game the energy cyber-threat landscape, as the methods, means and malware variants are constantly morphing. The specifics of a security approach may vary according to circumstances, but the thread that connects the elements is situational awareness combined with a systematic capability for critical communications in an emergency. These guidelines are captured in the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework mantra for industry: “Identify, Protect, Detect, Respond, Recover.”
- Share and communicate cybersecurity information between the public and private sectors (a majority of the energy infrastructure is owned by the private sector). DHS is already expanding this program via the National Risk Management Center (NRMC) at the newly stood-up Cybersecurity and Infrastructure Security Agency (CISA). According to the CISA website: “The NRMC works in close coordination with the private sector and other key stakeholders in the critical infrastructure community to: Identify; Analyze; Prioritize; and Manage the most strategic risks to our National Critical Functions — the functions so vital that an attack or interruption to services within the government and the private sector could have devastating consequences to our national security, economic security, national public health and safety, or any combination thereof.”
- Follow and enforce industry security protocols, especially those related to Supervisory Control and Data Acquisition (SCADA). The Internet was not built for security at its inception; it was built for connectivity. Following industry and government protocols derived from lessons learned is essential for protecting vital infrastructure.
- Invest in next-generation technologies. This includes both physical security controls and cybersecurity technologies. Technology development continues to evolve, with new innovations addressing each layer of the cybersecurity framework: networks, payloads, endpoints, firewalls, antivirus software, and encryption. This framework will provide better resiliency as well as forensic analysis capabilities. Some newer areas of cybersecurity spending will be cloud, authentication, biometrics, mobility, automation, and self-encrypting drives, and, of course, supercomputing and quantum computing. Automation, including via artificial intelligence, is an emerging and future cybersecurity pathway.
Protecting critical infrastructure, and specifically the energy sector, is just one of the many security challenges we need to address in the increasingly interconnected world of 2019. The risks associated with its vulnerabilities make it an especially urgent and key priority.