There’s an idiom that sums up the idea that there are many different ways to reach a goal: “All roads lead to Rome.” However, there is another, lesser-known understanding of that empire’s famous road system: it served as an extraordinarily effective pathway for invaders, turning the Roman road infrastructure into a strategic weakness. Let’s explore that idea as it relates to critical infrastructure security.
An infrastructure is considered critical if its disruption would have a debilitating effect on economic stability, national security, public health, and safety. Here in the U.S., 16 infrastructure sectors are considered critical. They include such diverse sectors as financial services, energy, water, transportation, communications, chemical industries and emergency services. The loss of such resources can have regional or even global implications.
Rather than merely protecting each infrastructure resource, we need to be concerned not only about the overall posture of each sector but also about the dependencies between them, because these infrastructures are increasingly interconnected with each other, as well as with the public and private networks that surround them. And to complicate matters further, most critical infrastructures, at least in the United States, are owned and maintained by a large number of private companies, primarily accountable to their shareholders and regulatory pressures, which means that the here and now often dominates behaviors. In other words, our digital nation’s Achilles heel is its critical infrastructures.
Protecting critical resources is a challenge, to be sure, but the first step of the process is clear. It starts with forming a coalition with participants who fall into one or more of the following categories:
People in positions of authority: These can be owners of critical infrastructures or even government leaders who have a role in critical infrastructure. They need to be individuals with the authority to authorize the implementation of solutions and to clear any barriers to make that happen. They will help create and nurture both leap-ahead progress and steady, incremental progress over time.
People with know-how: This can include operational expertise, deep technical knowledge, or access to sophisticated equipment and techniques to validate any proposed solutions.
People with financial resources: This can include individuals, companies, government agencies, or consortia that have the money necessary to support things like meeting and planning logistics, the funding of trial programs, or the creation of enduring connections between parties where individual budgets may not reach.
Thought leaders: A group of leaders, at both the regional and national level, who understand the scope and scale of the issues at hand (e.g., threats, complexities), as well as the strategic approaches that will be most effective at addressing them. This will need to be an action-oriented network of like-minded thought leaders and stakeholders who share a common vision of a more secure and resilient U.S. posture. They would need to agree to work together toward big goals over a 7- to 10-year horizon, to scope out the challenges, identify a strategy and nurture the initial implementation of the solution.
Symbolic organizations: Groups that are often looked to for taking the lead and are closely watched by others who tend to follow that lead. These can include national labs, university-affiliated institutions, and other public and private organizations that have developed a reputation for trustworthiness and critical thinking.
Once this coalition is formed, the next step is to create a light-touch orchestration board to establish some enduring procedures in cases where such things are helpful. This board will need to take on the issue of automated information sharing within and among critical infrastructures. The goal is to enable the sharing of threat intelligence and best practices, and otherwise get people to start working together to create relationships.
At the same time, the coalition needs to begin to pilot the most promising strategies and capabilities, such as consequence-based engineering, or “protection by design,” and then “test” those capabilities to create the most meaningful increases in security and to enrich partnerships. It also needs to promote research and innovation on the right challenges, experiment and push the envelope, and fail fast, but on the most important priorities. This approach helps build institutional muscle memory so that responses to actual attacks are quick and effective.
In addition, the cybersecurity industry must reconsider its job roles and structures. This will involve creating an environment in which professionals in IT, OT, and physical security regularly collaborate and rotate job assignments in recognition that the design of critical infrastructure solutions cannot separate these professions.
Ambitions to take on this problem have been paralyzed by the scope and scale of the critical infrastructure security challenge – until now. The reasons are twofold: First, it’s difficult to decide where to start or to even know what “finished” looks like. Second, no one person or organization owns the problem – critical infrastructures are primarily owned and operated by diverse public and private sector organizations. However, as networks and cyber systems begin to interconnect and to cross traditional boundaries, there is a growing urgency to figure out how to protect critical infrastructures and resources.
Of course, initiatives like this don’t happen overnight. But the complexity and scope of the problem must not prevent us from moving forward. Critical infrastructure must be protected to ensure ongoing economic competitiveness as well as the larger goals of public safety and national security. Failure to act leaves many roads open to cybercriminals that lead right to the heart of our nation’s foundational structure. It is critically important that we move forward now to break this historical impasse and protect our common ideals of ensuring and maintaining our economic competitiveness, maintaining national security, preserving privacy and civil liberties, and guaranteeing public safety.
The original article was published in CSO and can be found here.