The critical infrastructure Americans rely on every day for power, transportation, water, connectivity and more has reached a perfect storm of vulnerability.
Threats are escalating in scope and sophistication, as we saw in the recent Colonial Pipeline attack. These include disruptions of positioning, navigation and timing (PNT) systems like GPS, concern about the impact of electromagnetic pulse attacks on electrical grids and equipment, and hacks into industrial control systems of municipal water supplies, as recently seen in Oldsmar, Florida. Meanwhile, the attack surface itself has expanded exponentially with the move to classify space assets (satellites, sensors, and command and control systems) as critical infrastructure.
However, we are seeing government agencies respond in a myriad of important and impactful ways. In the last year alone, the Department of Homeland Security Science & Technology Directorate released PNT resources and algorithms to protect against GPS spoofing. The Department of Energy launched a 100-day plan for the DOE, the electricity industry and the Cybersecurity and Infrastructure Security Agency to enhance cybersecurity for electric utility industrial control systems (ICS) and the energy sector supply chain. We’ve also seen Space Policy Directive-5 put DHS and CISA in lead roles to enhance the nation’s cyber defenses for key systems used for global communications, navigation, weather monitoring and other critical services. These developments reinforce and augment E.O. 13865, which establishes resilience and security standards for U.S. critical infrastructure as a national priority.
While we are moving in the right direction, an overview follows of why critical infrastructure is so vulnerable today, why it’s so challenging to protect, and how federal IT leaders and infrastructure managers must use digital transformation — specifically data, analytics and smarter portfolio management — to make it more resilient and maintain this momentum.
As government agencies connect systems and adopt new technologies, they face a security catch-22. Take smart buildings, for example. Through a connected web of digitally enabled devices, networks and applications, smart buildings serve as a link between the physical and digital worlds: They bring together key features of connectivity, automation, open architecture and interoperability to optimize the total performance of buildings, businesses and their occupants.
Yet as an organization connects its systems to IP networks, external access and the cloud, the potential exists for hackers to take down entire business operations. Manipulating heating or cooling at temperature-sensitive locations—shutting down vital temperature control or power management functions at a data center, for instance—can potentially destroy IT equipment and take business-critical applications offline.
What have such attacks looked like in action? In one example, security researchers hacked the building control system at a large internet search provider, gaining administrative access to digital building control panels. In another case, a security consultant was able to take control of every room in a Chinese hotel—a situation that malicious actors could use to their advantage for actions like manipulating control systems and stealing guest data.
It’s not just buildings that are at risk. Consider the valuable surveillance and targeting data collected by maritime vessel sensors. Attacks on networks to steal critical information are increasing in scope and sophistication. PNT solutions that support cargo ships in transit are other areas of potential attack.
It’s been five years since unknown cyber forces disrupted energy-grid operations for the first time, causing blackouts for over 225,000 customers in Ukraine. This incident impacted operators in the electricity sector, but the tactics could have easily played out in any sector—energy, transportation, communications, even space.
Electronic warfare also threatens physical infrastructure. Consider, for example, an attacker gaining unauthorized access to an internet-connected physical security system to enable kinetic attacks, or disrupting systems of cameras, digital recorders or printers, as happened with domain name system provider Dyn in Europe and North America.
Concurrently, federal agencies face many portfolio management challenges related to critical infrastructure. Fragmented ownership is one. Infrastructure for a water utility could be owned partially by the government, partially by a private-sector partner, and partially by an owner/operator. Who’s responsible for cybersecurity and other threat protection? How can all parties work together toward system-wide resilience?
Given these complexities, agencies will need to take a flexible, adaptable approach to technology development, procurement and upkeep, working across siloes and systems.
The nature of operational technology (OT) presents another challenge. Many ICS systems, for example, were originally built with a focus on reliability and safety, not cybersecurity. Furthermore, OT systems, unlike traditional IT systems, can’t be taken offline for extended periods for vulnerability testing, patching or risk assessments.
Specialized knowledge can expedite the process. Multidisciplinary teams, with ICS and security specialists, risk assessors and more, can significantly reduce the time required to conduct full-range, FISMA-compliant cybersecurity assessments, from four to six months down to one or two months.
Such expertise is also valuable for monitoring the threat landscape. Teams with in-depth knowledge of how OT and ICS systems are designed, how systems work together, and the vulnerabilities adversaries are likely to exploit are more likely to know the problems to look for, and the best ways of fixing them. Open-source intelligence gathering, reverse engineering of attack vectors, and deep analyses of attacks and related incidents can yield vital insights into where attacks are happening, who conducted them, and the mitigations needed to strengthen security posture.
Just as advanced technologies have heightened threats against critical infrastructure, digital innovations have risen to the fore for protecting these vital assets. For example, GPS and the supervisory control and data acquisition (SCADA) systems used to monitor and control ICS systems are both essential to power grids and electricity transmission. Tools like wargaming and strategic simulations can be used to strengthen the protection of SCADA systems and can help system program offices modernize and augment GPS systems to increase resilience against disruption.
Emerging technologies can also help us design and build more resilient infrastructure for the future and optimize our resources in this quest. For space systems, the “digital twin” concept—a kind of mirror model that synchronizes a physical object with a cyber representation—allows organizations to test satellites in different scenarios to identify vulnerabilities and strategize protection.
In the engineering and construction field, advancing technologies such as drones, LiDAR, and IoT systems are being increasingly applied to produce rich streams of data to improve the efficiency and accuracy of planning, design, construction and maintenance. As these techniques further evolve to transform traditional architect-engineering methods, this data may be used by AI to deliver planners and portfolio managers prescriptive guidance and enable real-time autonomous critical infrastructure management. When applied to best practices in total cost management, we could see the rise of total cost management analytics and machine-guided analysis. These have the potential to overhaul traditional construction and sustainment processes, giving agencies the ability to do more with less.
Just as digital transformation threatens the security of buildings, power grids, satellite systems, and more, innovation can be used to build resilience as well. These are just a few of the ways data, analytics and emerging technologies can help us protect our nation’s expansive, omnipresent and essential critical infrastructure, but we must continue to implement them in order to secure some of our most vital and vulnerable assets.
Steve Buchanan is a principal at Booz Allen Hamilton.