critical infrastructure weaken

The invisible -- but growing -- threat to critical infrastructure

The nation’s cities, regions and states are all connected to the internet through the water, electric and telecom infrastructure. The damage an attack on this system could have should not to be understated, security experts say.

During the Cold War, the nature of the threat and the assets requiring protection were clearly stated, according to Ron Ross, a fellow at the National Institute of Standards and Technology. The threat was nuclear, the asset was the nation. Now, in the realm of cyber, that clarity has all but gone away, Ross said.

“We think of cyber as invisible,” Ross said on a media panel at the Nov. 3 Capital Cybersecurity Summit.  “We are totally dependent on these computing technologies, and they’re being distributed in every aspect of critical infrastructure,” he said. “We are flying blind. That’s dangerous.”

Michael Steed, a managing partner at Paladin Capital Group -- an investment firm that focuses on cyber -- emphatically agreed: “Hear that,” Steed said as he followed Ross. “The most critical threat is to our critical infrastructure because we’re putting more computers in it.”

Panelist debated two questions: What technologies will secure the Internet of Things, and what role will government play?

The technology will be cloud-based managed security without parameters around digital assets, according to Anup Ghosh, the CEO and founder of Invincea. It will rely on algorithms and data science to find threats that have made it into a system.

“If you’re counting on a human to find an attack, then you’ve already lost,” Ghosh said.

It starts with systems security engineering, Ross said. “We have to be able to build systems that are more penetration resistant first.”

“[The system should] use architecture and engineering to ensure that when [attackers] get in, you... virtualize them out of the system so quickly there is no time for them to exploit the attack,” he said. "Or you make it difficult to move laterally across the system, escalate privileges and go to another domain."

And who will ensure that commercially manufactured products that make up the IoT will have security built in? That will be up to both the private and public sectors, panelists agreed.

Ghosh said he believes that in the cyber realm, regulated industries like banking and medicine will continue to be overseen by the government. But for other industries, it’s harder to say. The solution must come from the private sector, both Ghosh and Steed agreed.

Because companies won’t have much of an economic incentive to build security into their products, Steed suggested the government might have to take a Marshall Plan approach and pay for companies to invest in certain security measures, the way the government paid to rebuild Europe’s infrastructure after World War II.

“Without critical infrastructure you can’t survive,” he said. “So we’re going to get to a point where ROI is not going to be the issue. The issue is, ‘How do we get these pieces of technology to the people?’ And the federal government might have to pay for that,” Steed said.  “When you go to war, you don’t care how much the tank cost.”

As for the timeline for when everybody understands the severity of the problem, Steed is less than optimistic: “It may take a successful attack before they get it.”

About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at or follow him on Twitter @Matt_Lnrd.

Click here for previous articles by Leonard.

inside gcn

  • security in the cloud (ShutterStock image)

    Cloud security is the agency’s responsibility

Reader Comments

Tue, Nov 15, 2016 Mark Goldfain

Hear, hear! In addition, I believe we need a regulatory body, and it appears it will need to be an industry-informed governmental entity. The simplistic idea of the IoT is kind of nice, but we're foolish if we implement it without more control. There is no reason that a device in our electric power distribution grid should be accessible to actors all over the world. And if it is set up that way, we deserve what we will get. I'm not an expert, but my concern is that the government does not have sufficient resources here, and I'm worried that they are therefore not taking enough action to understand and prevent a rampant development of insecure structure.

Sun, Nov 6, 2016 Roger Schell

The article states what to most should be obvious, that “The most critical threat is to our critical infrastructure because we’re putting more computers in it.” It is great to see Ron Ross state what is so commonly ignored. As he puts it, “We have to be able to build systems that are more penetration resistant first.” The good news is that we already have the technology, called a “security kernel”, to provide dramatically better security. The power of that technology is not just a theory, but has been demonstrated by multiple mature past successes. So why is this technology to do what Ron suggests so widely ignored? The article puts its finger on the nub of the problem when it says, “Because companies won’t have much of an economic incentive to build security into their products . . . the government might have to . . . pay for companies to invest.” The Communications of the ACM is one the most highly respected international journal for readers with information systems background. The article entitled “Cyber Defense Triad for Where Security Matters” in the November issue hits both these points head-on, strongly supporting Ron’s proposal.” It concludes, that use of this proven security kernel technology “can within a couple of years make our critical infrastructure dramatically more trustworthy. The U.S. government has a unique opportunity to change the cyber security game and should aggressively engage ICS manufacturers by sponsoring prototypes and providing a market using proven commercial security kernel OEM technology.”

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group