The invisible -- but growing -- threat to critical infrastructure
- By Matt Leonard
- Nov 04, 2016
The nation’s cities, regions and states are all connected to the internet through the water, electric and telecom infrastructure. The damage an attack on this system could have should not to be understated, security experts say.
During the Cold War, the nature of the threat and the assets requiring protection were clearly stated, according to Ron Ross, a fellow at the National Institute of Standards and Technology. The threat was nuclear, the asset was the nation. Now, in the realm of cyber, that clarity has all but gone away, Ross said.
“We think of cyber as invisible,” Ross said on a media panel at the Nov. 3 Capital Cybersecurity Summit. “We are totally dependent on these computing technologies, and they’re being distributed in every aspect of critical infrastructure,” he said. “We are flying blind. That’s dangerous.”
Michael Steed, a managing partner at Paladin Capital Group -- an investment firm that focuses on cyber -- emphatically agreed: “Hear that,” Steed said as he followed Ross. “The most critical threat is to our critical infrastructure because we’re putting more computers in it.”
Panelist debated two questions: What technologies will secure the Internet of Things, and what role will government play?
The technology will be cloud-based managed security without parameters around digital assets, according to Anup Ghosh, the CEO and founder of Invincea. It will rely on algorithms and data science to find threats that have made it into a system.
“If you’re counting on a human to find an attack, then you’ve already lost,” Ghosh said.
It starts with systems security engineering, Ross said. “We have to be able to build systems that are more penetration resistant first.”
“[The system should] use architecture and engineering to ensure that when [attackers] get in, you... virtualize them out of the system so quickly there is no time for them to exploit the attack,” he said. "Or you make it difficult to move laterally across the system, escalate privileges and go to another domain."
And who will ensure that commercially manufactured products that make up the IoT will have security built in? That will be up to both the private and public sectors, panelists agreed.
Ghosh said he believes that in the cyber realm, regulated industries like banking and medicine will continue to be overseen by the government. But for other industries, it’s harder to say. The solution must come from the private sector, both Ghosh and Steed agreed.
Because companies won’t have much of an economic incentive to build security into their products, Steed suggested the government might have to take a Marshall Plan approach and pay for companies to invest in certain security measures, the way the government paid to rebuild Europe’s infrastructure after World War II.
“Without critical infrastructure you can’t survive,” he said. “So we’re going to get to a point where ROI is not going to be the issue. The issue is, ‘How do we get these pieces of technology to the people?’ And the federal government might have to pay for that,” Steed said. “When you go to war, you don’t care how much the tank cost.”
As for the timeline for when everybody understands the severity of the problem, Steed is less than optimistic: “It may take a successful attack before they get it.”
Matt Leonard is a former reporter for GCN.