In May of 1998, President Clinton issued Presidential Decision Directive 63: Protecting America’s Critical Infrastructures. This Directive proposed steps to enact the recommendations of the President’s Commission on Critical Infrastructure Protection, published in October 1997.
Twenty years on, how are things going? The US Federal government has identified critical infrastructure sectors and associated each with a lead agency. The US-CERT (United States Computer Emergency Readiness Team) coordinates the Federal CIO Council, Government Forum or Incident Response and Security Teams (GFIRST), and the National Council of Information Sharing Analysis Centers (ISAC Council).
What’s next? Regulations are still far behind the realities of information security, and the challenges are becoming more serious. IT/OT convergence exposes weaknesses in systems that originally ran in isolated networks. Waiting for IoT or Industrial IoT vendors to voluntarily improve product security hasn’t worked since “C2 in ’92!” as Bruce Schneier puts it, the question now is not regulation vs. no regulation, but good regulation vs. bad regulation.
The most reported critical infrastructure vulnerabilities concern the power grid. The BlackEnergy vulnerability allows hackers to destroy generators by briefly interrupting their connection with the grid. After the generator falls out of phase, Aurora malware re-establishes the connection, and the generator rips itself apart. Fixing this requires updating control circuits on every generator – a massive undertaking. The US has more than 8,000 power plants. Those using conventional fuels may be vulnerable.
Another widely reported vulnerability concerns insecure electronic voting technology. Recent events have shown that such tools are too easy to disrupt maliciously. Deploying a secure, encrypted voting network would involve updating technology at more than 120,000 polling places, another massive expenditure.
Hospitals remain a significant target. Connected healthcare systems expose Operational Technology to IT vulnerabilities. Remediation is difficult as (US-based) hospital technology is FDA certified, and the certification process can take years. Changing the software in a certified device invalidates it. So health care technology software is five or more years out of date at best. There are more than 5,000 hospitals supporting nearly 900,000 patient beds in the US.
Cheaper IoT means non-IT-certified solutions are popping up. One hospital improved patient care and nurse productivity by buying inexpensive sensor pads for hospital beds in one ward. For about $60 each, they put a pad under the mattress cover. The pad notified the nurses’ station if the patient moved or if the dampness changed. That alert would bring the nurse to the patient’s bedside quickly. Rather than walking rounds, the nurses could work on charts, prep medicines, and handle paperwork. The informal experiment was so successful that the rest of the hospital followed suit, and spent about $120,000 to instrument each of the 2,000 beds. Then the head of nursing went to the head of IT and asked them to take over management of this configuration. The pads use Bluetooth, unencrypted, and were invisible to IT’s network monitoring. If the nurses had asked for fully certified intelligent patient beds the cost would have been upwards of $12,000,000 and never would have been approved. This will happen to every industry as IoT applications become affordable.
Supply chain vulnerabilities are growing. The attacks that can harm commerce through ports include “meaconing” – sending fake GPS signals to route a ship incorrectly, ransomware – which can cripple the software managing the loading and unloading of ships and trucks, and corrupting container loading stowage software to make ships unbalanced. Since each port in the world is different, mitigating these attacks will require detailed analysis of each and yield different recommendations.
Today’s critical infrastructure vulnerability is better than it was 20 years ago, but far from adequate. We have identified the potential target areas, and we have some sense of what has to happen to reduce the consequences of an attack. But we do not have the regulatory mandate to drive compliance, and voluntary measures have not, and will not, work. There is much that needs to be done.
References: Presidential Decision Directive 63 https://fas.org/irp/offdocs/pdd/pdd-63.htm
Cryptogram, Bruce Schneier, Sept 15 2018, https://www.schneier.com/crypto-gram/
What do you think? Let me know by commenting below, or reach me @WilliamMalikTM .