There's a multidimensional approach to information security in the electric sector. On the business side, we have to protect the corporate networks and data. On the operational side, critical control system security is a mandate from industry groups and regulators. Given the reality of the financial and resource commitments these approaches require, it's often easy to forget that both exist in a larger security context of critical infrastructure protection (CIP).
In today's environment of competing financial requirements, CIP is understandably less a direct driver of security than it is an indirect beneficiary of whatever protection is deemed effective and affordable for business conduct or regulatory compliance. It's not the best situation given that CIP is key to the preservation of the social and economic fabric of our way of life. That would sound like pure melodrama if it weren't so true.
Even so, and in spite of the rhetoric from government and industry groups, the concept of critical infrastructure protection is little more than that…an understated and under-socialized concept, reserved for academics and government planners, lacking any tangible national-level threat to make it a real priority.
What's the reason that a compelling and imperative concept such as critical infrastructure protection hasn't been embraced for its own sake and hasn't prompted actions to ensure its implementation and long term viability? In some respects it comes down to perceived need.
Remember that prior to 2001, the electric sector and critical infrastructure in general enjoyed an essentially threat-free environment. Infrastructure assets and systems were largely isolated from one another, and even damage from natural disasters could be localized without fear of major cascading outages. In other words someone would have to "be here" to conduct attacks against the U.S. infrastructure and the impact would probably be limited to specific assets and geographic areas.
Now the situation has changed. With the increased use of the Internet and multiple-system connectivity, the electric grid has become an interconnected and complex system of systems, with benefits of speed, efficiency and relatively low cost associated with its control and growth. From the industry perspective, the benefits were a boon for business and unprecedented growth in the use of advanced technology for grid management and communications.
Security professionals are well aware that these changes come with a significant downside. Previously closed and remotely unreachable systems are suddenly vulnerable to a host of Internet-based malicious activities. It takes little imagination to understand that the critical electric infrastructure, so essential to American society, is suddenly at risk of becoming a prime target of hackers, social activists, nation-states and even terrorist organizations, with potentially society-altering consequences.
Government and industry are attempting to address this technology adoption with cybersecurity standards and proposed legislation mandating a more reliable bulk power system. It's a good start, but the first iterations of these standards only apply to a subset of the electric sector assets. Cybersecurity in the electric sector, which typically requires a comprehensive logical protection scheme across all networks and systems, has started to look a lot more like an exercise in specific, major asset compliance than it does an all-encompassing, risk-based, infrastructure protection strategy. Though this approach is more sensitive to financial requirements and considers the sheer scope of the infrastructure, it still suffers from the lack of true commitment to critical infrastructure protection.
What are the missing ingredients? First, it goes back again to perceived need. For most people, the idea of a potential major cyberattack on critical infrastructure, one that could provide the same net effect as actual physical destruction of assets and services across major geographic areas is difficult to grasp. Because we can't see the threat and haven't experienced any real digital warfare or its effects, we don't mobilize nationally across the public and private sectors and prepare our defenses against it. Contrast that with a hypothetical situation where hostile forces are amassed at a U.S. border or a country has deployed a space-based offensive missile system. The national response would be immediate and decisive. The public would demand effective defensive measures be put in place, just in case the forces mobilized or missiles were fired. Protecting the people and the critical infrastructure would be the primary mission.
That brings us to the final missing ingredients; sufficient awareness of the threat and understanding of what we stand to lose in a major cyber incident. There are numerous individuals and groups throughout the world that are fully capable of launching cyberattacks against our infrastructure. The threat may not be imminent but it can manifest itself very quickly. If we're not actively going to pursue a national (private and public) information campaign and protection strategy, integrating strong security into our essential systems and services, the consequences to our critical infrastructure in the event of an attack could be severe. We need a "just-in-case" mentality for CIP. Our country and our way of life may depend on it.
|SECURITY 7 AWARDS|
TITLE Director IT security engineering
COMPANY American Electric Power
INFORMATION SECURITY MAGAZINE'S 5TH ANNUAL SECURITY 7 AWARDS
Make Critical Infrastructure a Priority: Critical infrastructure protection must be addressed today to protect our country tomorrow.
Government Must Keep Pace with Cybersecurity Threats: Securing the Internet means to much to the future of the U.S. economy and national security.
Report Security and Risk Metrics in a Business-Friendly Way: Security metrics must, not only provide a view of security posture, but must support security budgeting and investment processes.
Build a Security Control Framework for Predictable Compliance: Healthcare provider Humana Inc., has developed a security controls framework that addresses all of the industry and federal regulations it must comply with.
Improve SSL/TLS Security Through Education and Technology: Carnegie Mellon University's CyLab designs security to improve all aspects of society.
Communicate Effectively with Management About Risk: Learn how to communicate with senior management about risk; it's your job.
Prioritize Information Security over Compliance: Organizations need to prioritize security over compliance to ensure comprehensive risk mitigation.