Protecting our critical infrastructure

Concerns about the security of our critical infrastructure — and thus, our national security — have been raised time and time again. But what is being done to deal with those concerns and risks?

At a recent security conference, I asked several attendees "what is included when we talk about our nation’s critical infrastructure?" No one could put their arms around it and provide a definitive answer.

The term "critical infrastructure" is often defined as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, national health or safety, or any combination of those matters. They consist of physical facilities and information-based assets, in addition to communications and networks. If they were disrupted or destroyed, that would cause a serious effect on the health, safety, security and overall well-being of people or the ability of industries or the government to effectively function.

By that definition, our nation’s critical infrastructure comprises nearly 90,000 separate entities, most of which are owned and operated by the private sector. According to the the Homeland Security Department's National Infrastructure Protection Plan, created in 2006, critical infrastructure falls under one of a number of categories that include:

• Agriculture
• Banking and finance
• Chemical
• Commercial facilities
• Dams
• Defense manufacturing
• Drinking water facilities
• Wastewater treatment facilities
• Emergency services
• Energy
• Government facilities
• Information technology
• National monuments and icons
• Nuclear reactors and nuclear waste
• Postal and shipping facilities
• Public health and health care
• Telecommunications
• Transportation systems

Homeland Security Presidential Directive 7, issued in December 2003, designated DHS as the lead agency for protecting critical infrastructure. But the protection of those assets has important ramifications for the military because it relies heavily on that infrastructure.

The control systems that operate our critical infrastructure are prime targets for disruptive attacks, including cyberattacks, cyber espionage or exploitation of system vulnerabilities. The serious potential effects of hostile acts have been demonstrated by cyber incidents reported worldwide.

The U.S. power industry offers one example of the potential risks of a cyberattack. In 2007, a study that investigated control system incidents at nearly two-dozen organizations found that there is a serious need to secure supervisory control and data acquisition systems. The networks that power industrial control systems have been breached more than 125 times during the past decade, with one resulting in deaths. In January 2009, reports that our nation’s power grid had been compromised appeared in the Wall Street Journal and a report done by the European Parliament, titled “Cyber Security and Politically, Socially and Religiously Motivated Cyber Attacks,” which increased the worries of security experts in the public and private sectors.

The power industry is in the middle of a massive implementation of smart-grid technologies that the stimulus law enabled with about $3.5 billion. However, components of the future smart grid were shown to be hackable, according to security researcher Joshua Wright of InGuardians. Also, security firm IOActive found flaws in a smart-meter device that allowed its researchers to insert code into one device and have it spread to others — basically a computer virus spreading via the local power network.

Federal law and policies require critical infrastructure protection to be enhanced, and that includes the security of public and private infrastructure components that are essential to operations and our economic and national security. Yet the question remains: Who is enforcing these laws?

The U.S. government faces an increasingly formidable dilemma: The private sector that owns and operates 80 to 85 percent of our critical infrastructure faces significant economic, technical and organizational problems when it comes to securing these systems against cyberattacks.

Is our government worried about the security of our power grid? Yes — and it should be. In March, Chinese researchers at the Institute of Systems Engineering at Dalian University of Technology published a paper on how to attack a small U.S. power grid subnetwork in a way that would cause a cascading failure throughout the entire United States. How long will it take until we properly address this problem?