Our nation's critical infrastructure is an arena where security is absolutely imperative. Because of the proliferation of cyber threats, the notion of being fully secure now encompasses the virtual realm. Cyber protection is important in every sector, but the absence of such measures in critical infrastructure assets threatens to cause the most damage, since the maintenance of such resources is imperative for the functioning of society. If a critical asset like electricity, oil and gas or public health were to be infringed upon by a cyber attacker, this could cause problems on a scale we've never witnessed with regard to virtual crime.
A problem in critical infrastructure security
Given the extreme importance of both physically and virtually securing critical infrastructure, one might assume that government organizations have that covered. But when it comes to virtual defense, preparedness does not seem to be the case. As reported in Network World, a recent industry report by Enterprise Strategy Group regarding cyber defense and critical infrastructure returned a concerning statistic – namely, that a mere 22 percent of respondents pointed to the country's cyber security strategy as being "extremely clear and thorough." The largest single percentage of respondents – 47 percent – suggested that the policy is only "somewhat clear and thorough," while a full one-quarter of those who responded had concerns that our country's strategy "is somewhat unclear and not very thorough."
The lack of confidence among cyber security professionals in the ability of our government to prevent cyber attacks is not reassuring when it comes to robustly defending our nation's critical infrastructure assets. This is serious cause for concern, since cyber criminals have demonstrated in recent months that they're more powerful than ever, leveraging attacks that have left even massive companies powerless.
A similar attack on critical infrastructure has the potential to be massive in terms of its impact. Consider, for instance, the northeast blackout of 2003. That event – which was caused not by a hacker, but by a software glitch – resulted in large chunks of the American northeast and midwest losing power for up to two days. During this time, the affected regions largely ground to a halt. People waited for trains that were massively delayed, as diners in restaurants ate by candlelight. As a result of the incident, the U.S. took an estimated $6.4 billion earnings hit. This kind of disaster situation – or worse – can now be orchestrated by cyber criminal groups that are able to infiltrate critical infrastructure networks. Such a scenario must be avoided.
Finding a solution: Training and other measures
The need to boost cyber defense for critical infrastructure is clear. But the question now becomes: how do we get there? Reporting for Network World, Jon Oltsik pointed to some things that cyber security professionals say the feds need to do in order to boost critical infrastructure security. Here are some of those steps:
- Create better information sharing strategies with private sector: Cyber security experts largely seem to agree that in order to achieve an optimal level of security across all sectors, cooperation is key. According to Oltsik, cyber workers feel that there's not enough being done to promote information sharing between the government and the private sector. This lack of transparency is inherently stifling progress that otherwise could be taking place in the field of cyber security analytics.
- Roll out a cyber education strategy: In order to truly protect critical infrastructure, you have to have individuals who are qualified in that line of work. Therefore, it's necessary for cyber education to become a bigger priority within the U.S. government – which is something that Oltsik says is not currently happening.
"In my humble opinion, the U.S. is lacking a cybersecurity education strategy which nurtures and funds national centers of cybersecurity excellence," he stated. But he added that he's optimistic. "Yes, there is a lot of work ahead, but there are some existing cybersecurity training programs that are worthy of a lot more promotion as many of these are already extremely effective and valuable."
One of the programs Oltsik pointed to is the cyber education program that's currently being harnessed by the state of Maryland. This effort includes the Maryland Cybersecurity Center at the University of Maryland. This center is devoted to cyber education at all levels, with training starting for children in grades four and five. The center's teaching efforts extend beyond grade school to encompass college and graduate training. At the highest level, students who train with the program can earn a Master of Engineering in Cybersecurity. Equipped with this degree, graduating individuals can go out into the world and become the next generation of cyber defenders. But in order for this to happen successfully, the effort needs to go beyond Maryland. While there are cyber security education and training programs at other schools and centers around the country, there's a lack of an overarching structure when it comes to such preparation. A cyber education training strategy at the national level would mitigate this problem.
- Carry out crisis scenario exercises: When it comes to critical infrastructure, an actual disaster isn't the time to discover if a certain asset is prepared. Such preparation needs to take place in advance, in crisis scenario exercises that simulate how a response team would handle a sudden incident. This is something that the Organization of American States already does, as Adam Blackwell, the OAS' Secretary for Multidimensional Security, pointed out in a foreword to a Trend Micro report.
"The OAS responds to countries' needs by developing and carrying out technical assistance missions designed to address their concerns," Blackwell said. "This typically involves site visits, policy reviews and presentations by local authorities, culminating in a series of recommendations by experts." This is the kind of thing that critical infrastructure organizations should incorporate into their cyber preparation.
Critical infrastructure assets need to be stringently guarded, which means that cyber security measures in this sector will have to improve. The risk of attack is too great to pursue anything but the most robust defensive strategy possible.