Public Private Partnerships And The Cybersecurity Challenge Of Protecting Critical Infrastructure
In the U.S., most of the critical infrastructure, including defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking and finance, is owned by the private sector (about 85 percent according to DHS) and regulated by the public sector. The public and private relationship in operating and protecting critical infrastructure requires a strong working partnership.
Protecting the critical infrastructure poses a difficult challenge because democratic societies by their nature are interactive, open and accessible. Because of the growing digital connectivity (and interdependence) of both IT and industrial control systems, critical infrastructure is facing an evolving and sophisticated array of cybersecurity challenges.
A recent survey of professionals in industries using industrial control systems (ICS) and operational technology (OT) commissioned by Tenable from the Ponemon Institute found that 90 percent of respondents say their environment has been damaged by at least one cyberattack over the past two years, with 62 percent experiencing two or more attacks. The survey of security professionals also revealed that nine in 10 critical infrastructure providers have experienced cyberattacks that rendered their systems out of action in the last two years.
The global threat actors are terrorists, criminals, hackers, organized crime, malicious individuals, and, in some cases, adversarial nation states. Earlier this year it was revealed by security researchers from FireEye’s Mandiant Incident Response and Intelligence team that Iran had engaged in a multi-year, global DNS hijacking campaign targeting telecommunications and internet infrastructure providers in the Middle East, Europe, and North America.
Director of National Intelligence Dan Coats recently stated that “the threat was growing for a devastating cyber assault on critical U.S. infrastructure, saying the ‘warning lights are blinking red again’ nearly two decades after the Sept. 11, 2001, attacks”.
Critical infrastructure is the core of our nation’s prosperity and well-being, and addressing the threats to it requires a robust, calculated security strategy built on public and private sector partnering. Cybersecurity relies on the same security elements for protection as physical security: layered vigilance, readiness and resilience.
For example, energy security and the power grid require public-private cooperation and regulatory coordination among industry, the Department of Homeland Security (DHS), the Department of Energy (DOE), and the Department of Defense (DOD). The power grid and other industrial infrastructure have been increasingly subjected to both physical and cybersecurity attacks in recent years. According to Israel Barak, CISO at Cybereason, “most countries are still vulnerable to cyber-attacks on critical infrastructure because the systems are generally old and poorly patched. Power grids are interconnected and thus vulnerable to cascading failures.”
Protecting critical ICS, OT, and IT systems from cybersecurity threats is a difficult endeavor. They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies. The explosion of connected devices comprising the Internet of Things and the Industrial Internet of Things is daunting. The trend toward integrating hardware and software, combined with the growth of networked sensors, is redefining the attack surface available to hackers across all digital infrastructures.
According to the DHS Alert (TA17-293A) threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors since at least 2017 and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity.
It’s a global threat, not just one against the United States. In 2017, hackers used Triton, a specialized malware, to compromise Schneider Electric critical safety systems. The malware is still being used to target industrial systems. Because of the sensitivity of the threats to national security and the changing threat matrix of hackers augmented by newer technologies such as machine learning and artificial intelligence, the government is prioritizing a risk management approach to defend against more sophisticated malware and automated attacks targeting critical infrastructure. An effective risk management approach necessitates information sharing that allows government and industry to keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats, and denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that are critical to the success of mitigating incidents.
A cornerstone of that approach is creating Public Private Partnerships (PPP) based upon risk management frameworks. A high level of public-private collaboration is needed to address growing cyber-threats. Preparation and commitment from both government and industry leadership are critical. Industry should collaborate with government to best utilize risk management models and prepare resiliency plans.
The specifics of an industry security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for operational management and critical communications in cases of emergency.
In the federal civilian sector, DHS’s new agency, the Critical Infrastructure Security Agency (CISA), puts a keen focus on DHS’s integral role in cyber preparedness, response and resilience for critical infrastructure. DHS has identified 16 infrastructure sectors deemed critical because their physical and digital assets, systems, and networks are considered vital to national economic security, safety and national public health. CISA’s stated role is to coordinate “security and resilience efforts using trusted partnerships across the private and public sectors, and deliver training, technical assistance, and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.”
At DOD, the former Commander of U.S. Cyber Command and former Director of the National Security Agency hailed the importance of the public-private cybersecurity partnership, stating that “collaboration is critical given growing threats to everyone from cyberspace.” DOD and the National Security Agency (NSA) are working closely with the private sector on information sharing and on developing solutions to evolving threats.
Whether the U.S. critical infrastructure protection security mission includes DHS, DOD, DOE, the intelligence community, or other government agencies, a public/private security strategy to meet growing challenges needs to be both comprehensive and adaptive. The same formula applies to other democratic nations sharing operations across industries and infrastructure.
In an ecosystem of both physical and digital connectivity, there will always be vulnerabilities, and a breach or failure could be catastrophic. Mitigating evolving threats and being resilient to breaches are paramount for critical infrastructure protection. There is little room for error and success in PPP is dependent on information sharing, planning, investment in emerging technologies, and allocation of resources coordinated by both the public and private sectors in special working partnerships.
Chuck Brooks is the Principal Market Growth Strategist for General Dynamics Mission Systems for Cybersecurity and Emerging Technologies. He is also Adjunct Faculty at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018.