Critical Infrastructure at risk for a Cyberattack
Critical infrastructure and services are systems which keep life livable from canal systems in ancient times allowing drinking water to flow in Babylonian cities to gas to heat homes on an island in Rhode Island. They are systems that cover energy, communications, transportation, financial, and healthcare. Anything necessary to sustain a civilization. Whoever controls the infrastructure controls the power over the people. And our critical infrastructure at risk.
Infrastructure touches everyone in everyday life in the US. In 2013, about 3 percent of the US population lived “off the grid” not dependent on electric, gas, and water systems. However, they are still dependent on healthcare, financial, and other products manufactured for basic needs. So no one is truly off the grid.
When it comes to US critical infrastructure and services, we are beyond potential cyber risks. The cyber risks to our critical infrastructure and services are here now. The US has an aging critical infrastructure system making those systems an easy target for those who wish disruption upon us. That could be political, financial, or ideological gains. Or just for the bragging rights in their circle knowing that they can do it.
The reason for the critical infrastructure at risk.
Developed on PLC (programmable logic controller) some 40 years ago, it was made to be a workhorse for operating critical infrastructure. Security wasn’t a widespread concern when developed hence it was fundamentally insecure from the get-go. Many of the systems were meant for remote viewing by engineers for monitoring or updating without a login that allows the device to be discoverable.
Add in that infrastructure systems such as the power grid where many use the software in the control system developed by different vendors. While they speak the same protocol, it may be said in a different dialect. An example would be the difference between British and American English. While we essentially understand each other in conversation, they will be misunderstandings based on word meanings and spelling. The same can happen with the software. These misunderstandings in the control system leave it open to exploit and making it very easy for a computer network exploitation (CNE) and a computer network attack (CNE) to take place.
This leaves the US in a very precarious situation. Infrastructure is all connected regardless of what sector you mention. What comes to mind is a spider web. It is a strong interconnected structure flexing against the wind; however, if something is inserted in the web, it tears apart. Once strands are broken weakening the structure it will fail. The same can be said of the critical infrastructure. For example, in the Northeast, natural gas is used to create electric via a steam unit. If there is a natural gas outage, then there is no gas going to heat the water to create steam which causes no electric to be generated. Many back-up industrial generators use natural gas to kick on when electric is interrupted. What uses electric? Localized water systems could be affected as well as banking systems as people can’t access their cash money. All the pieces are connected. When critical infrastructure fails, people return basic instincts. Think about natural disasters and destabilizing they are to people dependent on having food, water, heat, money, and wifi internet.
How can we increase resiliency?
The start is having a full understanding of how it is all interconnected, what would happen in a breakdown, and how large the impact would be to all sector such as commerce and healthcare. The next step would be understanding what needs to be either updated or rebuilt then what the priorities are for those improvements. After that, it would be how much and how long will it take. Lastly, getting everyone to agree on above and actually having the will to make it happen.
Healthcare is a critical service.
Healthcare is a critical service. How prepared a hospital is, depends on the resources available to the hospital. As Pam Crocker who is Newport Hospital’s director of facilities services and planning, and emergency preparedness coordinator (try getting that on a business card) said during the recent Newport gas outage in The Newport Daily News on Jan 22, 2019, “The hospital needs to be prepared for storms, power outages, and other events.” Newport Hospital, as the sole medical facility for two islands with a total population of over 66,000 residents, has to be prepared to handle a disruption to the critical infrastructure such as energy. They are on a dual fuel system enabling them to simply switch to oil for heat instead of gas. Having alternative systems allows them to continue operations uninterrupted.
Does that make them undisruptable under a large-scale coordinated cyber attack? No, but it allows them time.
Read more about cybersecurity.