The New Threat to Critical Infrastructure
While airport security concerned Americans well before Sept. 11, 2001, our most recent Unisys Security Index results found that 59 percent of Americans are now seriously concerned about it. Additionally, 57 percent of Americans have serious concerns about security at large public gatherings.
However, what we found especially interesting is that Americans are just about as concerned about the security of critical infrastructure (such as bridges and power plants, 61 percent; and cargo security, 56 percent), as they are about air travel.
The security of this critical infrastructure extends beyond simply protecting physical assets. Threats are now arising from the cyber realm, and our physical infrastructure is actually at risk of electronic attacks.
This is reflected in The White House Cybersecurity Legislative Proposal that was presented last week. President Obama prioritized cybersecurity following a number of attacks against our critical infrastructure — such as those centered on the electricity grid, financial sector and transportation networks:
“The Nation’s critical infrastructure, such as the electricity grid and financial sector, is vital to supporting the basics of life in America. Market forces are pushing infrastructure operations to put their infrastructure online, which enables them to remotely manage the infrastructure and increases their efficiency. However, when our infrastructure is online, it is also vulnerable to cyber attacks that could cripple essential services.”
It is clear, from both the Unisys Security Index findings and the cybersecurity proposal, that everyone from officials at the highest levels of government to the average U.S. citizen is concerned about protecting the nation’s critical infrastructural assets. And it has become essential that the government and businesses guard those assets with special attention paid to any piece of infrastructure connected to the Internet.
How can this be done? To start, businesses need to take a holistic view of their data and how it is being secured. Many businesses are getting burned because they are only looking at the perimeter of their infrastructures. That is not to say that physical security is no longer important. Organizations should continue to invest in surveillance and biometrics-based security to provide insight into who is gaining access to their facilities and data. But physical security alone simply doesn’t cut it anymore.
As the White House cybersecurity proposal mentioned, critical infrastructure assets like the electricity grid are now network-enabled — controlled through the Internet. Too often they are wide open to cyber threats, threats with which they haven’t contended in the past. Coordinated attacks against an unprotected critical asset can take down the access control system, making it easier for hackers to then gain access to more central controls to a facility. In worst-case scenarios, an attack could bring down nuclear plants or disrupt the entire nation’s energy grid.
The threat isn’t merely theoretical. For example, back in September 2010, Iran came under the attack of the Stuxnet worm. The worm searched for software made by a well-known European company, and was routinely used to control systems in industrial facilities such as power plants. The worm can reprogram a critical infrastructural control computer’s commands, and issue it a new set of instructions. Many experts agreed that the worm attack was actually an act of cyber warfare.
FBI Director Robert Mueller put it quite clearly when he said at a recent security conference, “A cyber attack could have the same impact as a well-placed bomb.” It is clear that businesses that operate, service and own critical infrastructure have reason to be concerned about cyber attacks and need to start thinking about ways to secure the cyber dimensions of the infrastructure without causing issues with service.
As my colleague, Patricia Titus, CISO for Unisys, said recently, “Resources will need access permissions. Information (including e-mails!) will need to be encrypted. Device use will have to be monitored — including desktops, laptops, smartphones, tablets; anything that taps the organization’s data. Firewalls will have to get smarter to monitor all information, to ensure sophisticated techniques are not being used.”
At the end of the day, whether we like it or not, we need to understand that there will unfortunately be more frequent and more complex coordinated attacks against not only online assets like websites, but also the Internet-enabled systems that manage our nation’s critical infrastructure. All the stakeholders need to work toward a coordinated response that ties in both physical and cyber security if we are to protect ourselves from the diverse range of threats emerging in today’s Web-enabled world.