Strategic Cybersecurity, Module 14: Critical Infrastructure.
The U.S. government’s approach to protecting critical infrastructure from physical and cyber attacks has evolved over the past half-century, with presidential administrations creating various entities to better protect the country’s infrastructure. This lecture discusses this history and discusses the creation of Information Sharing and Analysis Centers, or ISACs.
Once you have completed the readings, lecture, activity, and assessment, you will be able to
- Articulate the meaning of critical infrastructure
- Articulate why cybersecurity is important for protecting critical infrastructure.
Welcome to Strategic Cybersecurity, Module 14: Critical Infrastructure. By now you are undoubtedly gaining an appreciation for how vulnerable countries are to cyber intrusions. You've read about the Stuxnet virus, which manipulated and destroyed uranium centrifuges at the Iranian nuclear facility in Natanz.
Your readings for this module covered Project Aurora, which demonstrated how a computer virus could physically destroy a commercial power generator. However, concerns about the vulnerability of infrastructure, especially critical infrastructure to cyber weapons, goes back decades to the early 1990s.
Although there are many definitions of critical infrastructure, it is generally defined as infrastructure that is so vital, its incapacity or destruction would have a debilitating impact on the country's defense and/or economic security.
The government's approach to protecting critical infrastructure from both physical and cyber attacks has evolved over the decades, and each presidential administration has left its mark on effort.
Cuban Missile Crisis
The initial recognition that aspects of our national infrastructure were vulnerable and needed to be protected can be traced back to President John F. Kennedy and the Cuban Missile Crisis. Kennedy was purportedly frustrated by his inability to speak directly with Nikita Khrushchev and, following the crisis, signed an executive order establishing the National Communication System.
The National Communication System
The National Communication System focused on making our telecom infrastructure more interoperable and easily survivable in the event of a nuclear war.
Later, in the 1970s and '80s, in response to multiple natural disasters, the government established the Federal Emergency Management Agency in order to better coordinate state and federal emergency response efforts and protect critical infrastructure.
Presidential Decision Directive 39
Additionally, following a series of terrorist attacks in the early and mid-'90s, President Clinton signed Presidential Decision Directive 39, which laid the groundwork for the Department of Homeland Security, designated federal agencies for specific emergency response missions, as well as created the Critical Infrastructure Working Group.
The Marsh Report
Following that effort, President Clinton signed Executive Order 13010, which established the Commission on Critical Infrastructure Protection, also known as the Marsh Report, and highlighted two kinds of threats to critical infrastructure: physical and electronic.
Highlighting that critical infrastructure was vulnerable to electronic, or what we today would call cyber attacks, was groundbreaking at the time.
In fact, it is very instructive to read the opening pages of the Marsh Report to get a sense of the recognition that the world was quickly changing and new vulnerabilities were being created.
For instance, the report noted:
the electronic technology of the information age challenges us to invent new ways of protecting ourselves now. We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless where an enemy may be able to harm the vital systems we depend on without confronting our military power.
Executive Order 13010
Executive Order 13010 also defines specific critical infrastructure sectors, to include telecom, banking, electrical grid, gas and oil, transportation, water supply, continuity of government, and emergency services.
Although the number of designated critical infrastructure sectors has fluctuated with each presidential administration, today there are a total of 16 recognized sectors.
As was mentioned in the last module, one of the problems with regard to protecting critical infrastructure in the United States is that nearly 90% of it is owned by the private sector, and, historically, there have been problems with the private and public sectors sharing threat and vulnerability information.
To address that, President Clinton signed a presidential directive promulgating the creation of a series of Information Sharing and Analysis Centers, or ISACs, to “help critical infrastructure owners and operators protect their facilities, personnel, and customers from cyber and physical security threats and other hazards.”
ISACs do this by collecting, analyzing, and disseminating actionable threat information from both the government and private organizations to their members in the hope that both physical and cyber threats can be rapidly identified and mitigated.
Although ISACs are considered important organizations in helping secure our nation's infrastructure, many experts believe they do not go far enough, in the sense that participation in them is voluntary. In fact, Rosenzweig proposes the creation of a congressionally chartered nonprofit corporation, akin to the Red Cross, that would federalize responses to major cyber intrusions and provide a forum in which defense-related private sector information could be shared without fear of compromise or competitive disadvantage.
This does seem like a good idea, but, as always, the devil is in the details.
Private corporations would likely interpret any mandated actions from the government as regulation and fight tooth and nail against them. Going forward, as more and more industrial and service sector processes become automated, a workable solution between the government and private sector will have to be reached. To understand how pressing this situation is, one has to look no further than a video of Project Aurora.
Quiz Question 1: True or false: SCADA systems can be used to operate critical infrastructure components via an Internet connection.
The answer is True.
Quiz Question 2: Which of the following is not an example of critical infrastructure?
A: Electric grid.
B: Transportation systems.
C: Communication systems.
D: Internet service providers.
The answer is D: Internet service providers.
Quiz Question 3: True or false: Most industrial control systems (ICS) controlling our nation's infrastructure are connected to the Internet and are, therefore, vulnerable to attack.
The answer is True.
The activity for this module asks that you download the 1997 “Critical Foundations: Protecting America's Infrastructure,” available on the Federation of American Scientists website.
Review the report, and determine how accurate this report was when it was published 20 years ago. Is the report still relevant? What do you think should be modified or added to bring it up to date?