Introduction
Critical infrastructure is the main support system of the nation’s national and economic security. It includes the national backbone, such as power plants, electric infrastructures, water resources, transport systems, financial structures, chemical facilities, emergency services, and cyber networks, which keep people safer and provide them with services and facilities such as highways, stadiums, shopping malls, and federal buildings (Hatton, 2013). These infrastructures have been smoothly integrated by ICT to make the systems more resilient, reliable and effective (Hatton, 2013). Hence, cyber infrastructures are also synonymous with advanced telecommunications, industrial control systems and critical infrastructure assets (Hatton, 2013).
Cybersecurity is crucial to a safe and developed future. In the U.S., total electronic commerce transactions are estimated at $200 billion annually (NIST Website, 2012). Everything is done through online transactions, such as getting a driver’s license and banking. All the U.S. physical infrastructure, air transportation, railroads, mass transit and other transport systems, the electric power grid, factories, and telecommunications rely on a complex array of computer networks (NIST Website, 2012).
While this wide and encompassing interconnectedness via the Internet is very beneficial, it is also susceptible to various vulnerabilities. The threats to the security and reliability of cyberspace come from many sources, such as hackers, very advanced organized crime groups, terrorists, and even countries involved in cyber wars.
There are also vast costs to nations when these cyber and critical infrastructures are attacked. The Consumer Reports national survey showed that spam mail, malware, computer viruses, and phishing cost American consumers an estimated $5 billion in 2010 alone (NIST Website, 2012). In a study of 45 medium and large companies (with more than 500 employees), the Ponemon Institute found that cyber crime cost an annual average of $3.8 million (NIST Website, 2012). This estimate does not even include routine practices such as the procurement of antivirus software. These are, however, just the costs involved in directly coping with associated cyber security issues such as infringed intellectual property, viruses, malware, bank account thefts, and other issues.
As online transactions grow in importance, the country’s cyber infrastructure should be secured. The U.S. government should work with the private sector to reduce cybercrime-related losses and increase confidence in cyber communications systems. Just this month, U.S. President Barack Obama executed an Executive Order (EO) on cyber security. He also issued a Presidential Policy Directive (PPD) on crucial infrastructure security and resiliency. These double directives shall fortify the protection and resilience of critical infrastructure against all the dangers of a modern and wide national framework which acknowledges the enhanced function of cyber security in safeguarding natural assets (Napolitano, 2013). Cyber security safeguards are considered a major step in securing the infrastructures in the new environment. A cornerstone of this endeavor is the upgraded information sharing programs that will facilitate the flow of critical infrastructure information among key stakeholders.
The Department of Homeland Security (DHS) is the lead federal agency which coordinates national protection, prevention, mitigation, and recovery from cyber infrastructure incidents. It regularly administers critical infrastructure owners and operators to initiate the processes of fortifying their facilities and communities (Napolitano, 2013). The DHS also carries out onsite risk evaluations of critical infrastructure and shares risk and threat information with various government levels such as the state, local and private sector alliances (Napolitano, 2013).
The DHS created the National Cyber Security Division (NCSD) ten years ago as a lead national center to address cyber security issues and to coordinate the implementation of the cyber security strategy in the United States (Department of Homeland Security, 2007). They also network with owners and operators to provide security to the nation’s critical infrastructure. Generally, the American public expects these two agencies to lead in safeguarding the country against ever-growing cyber threats.
Analysis and Assessment of the Cyber Infrastructure and the Need for Security
Since these national infrastructures have far-reaching benefits to the nation, they will also be a major point of attack and vulnerability. For instance, the smart grid systems which integrate all the electricity and power supplies of the different U.S. states will be very attractive to terrorist attacks (Roulo, 2013). Industry members and policy makers are concerned about the security of the cyber infrastructures and their corresponding industrial control systems. While the nation has not yet experienced a major breach of critical infrastructure, all signs show that it is very much exposed to possible attacks.
Aside from the increased incidence of attacks, the industry is also worried that these attacks are becoming more and more sophisticated (Roulo, 2013). Advanced Persistent Threat (APT) attacks have mainly altered the cyber threat world by introducing an enemy which is more likely supported by nation states and which can be successful (Roulo, 2013). Hence, with sophisticated expertise, funding and good organization, the attackers can succeed in attacking the APT and breaching its security systems. In this light, it is not enough that there are mandated federal standards, excellent practices and normal perimeters. It requires an increased and quick information network as well as flexibility for the owners and managers of crucial infrastructure. The mandate of the U.S. government is to enable the industry to have the said flexibility and agility (Roulo, 2013).
Another point of vulnerability is the dramatic increase, from 2010 to 2011, in the number of organizations which operate and hold control infrastructures related to critical infrastructure (Roulo, 2013). Mostly from the private sector, these owners and operators take cyber infrastructure security most seriously. They continuously work together, sharing information and best practices. They have been overcoming the attacks thanks to voluntary partnerships, which created an ecosystem that protects ICT systems from attack in place of the traditional risk protection systems (Roulo, 2013).
Cyber infrastructures are considered high-value targets from both a tactical and an economic standpoint (The Chertoff Group, 2013). There are many issues involved in securing infrastructure sites, and they vary from location to location. The major factors which make them vulnerable include the constancy of the attacks, the continuous probing of their weak and unsecured access points, and the discretion with which these attacks are carried out. Attacks on cyber infrastructures are sophisticated ones. They are engineered for a single objective by some of the most intelligent minds in information security (The Chertoff Group, 2013). In most cases, these attacks are state-funded and the teams who carry them out have generous resources.
For instance, many nations, like China, have heavily invested in cyber weaponry in previous years (Acharya, 2012). They have the capacity to gather information and take down high-value targets on their priority lists. Lastly, and perhaps most troubling, these facilities are not only unable to determine where they are vulnerable to attack; they also lack a full understanding of how networks are run through the Internet (The Chertoff Group, 2013).
In sum, critical infrastructures such as public utilities are constantly a target of interest. The purveyors of these threats include the following: cyber war, cyber terrorism, cyber crime, and hacktivism (Petersen, 2012). The U.S. is the leading country when it comes to cyber war. Yet there are other countries which carry the same capacities. As nations gear up both their defense and offense capabilities, it can be said that most of them are cyber war ready. Cyber war is a very potent and unique instrument, and it provides a very powerful deterrence against nations with superior, traditional powers. If a nation is able to show the world that it can collapse another nation’s energy system, the latter’s tactical and diplomatic choices could be significantly lessened and influenced.
While the impending cyber war might seem very conscious, it should not be ruled out. The U.S. has an army of 20,000 cyber warriors (Petersen, 2012). Russia and China have the same figures. Most countries in Europe have such forces, as do North Korea and Iran. There are imminent threats since countries spend millions on training and maintaining cyber war forces (Petersen, 2012).
Just like cyber wars, cyber terrorism poses the same threat. They differ only in the application of their resources and capabilities. However, a powerful threat could come from a cyber terrorist entity partnered with a country or large criminal groups. The major difference, however, is that cyber terrorists do not concern themselves with foreign laws against attacks on civilians or civilian facilities (Petersen, 2012).
The need to problematize the security of cyber infrastructure can be illustrated by the disconcerting threat of a cyber attack on the systems controlling pipelines which carry natural gas and oil, or on the electrical infrastructures which light the whole nation (NIST Website, 2012). According to experts, a large cyber attack could cause energy disruptions and blackouts coming from the country’s reliance on energy reserves.
Two main issues involving the safety of the nation’s critical infrastructure, the majority of which belongs to the private sector, are cyber threats and prospective weaknesses in the global landscape of the ICT supply chain (2011 Nationwide Cyber Security Review, 2012). With regard to crucial infrastructure, the present voluntary public-private partnership model has given private-sector owners and managers the adaptability to confront attacks as they exist, especially as cyber attacks have multiplied in both number and complexity.
As electricity is one of the major and most critical infrastructures which rely on cyber infrastructure, it is good to know that ICS/SCADA can be protected (TIA Website, 2013). The strategy for protecting ICS/SCADA is the same as for protecting any high-value cyber tool with some remarkable characteristics (TIA Website, 2013). Since the major operational objective of ICS/SCADA is availability, reforms to the present infrastructure in support of common, best-practice security architecture might not be possible or feasible. The protective monitoring strategy is the best approach, since the introduction of traditional network security devices may not be feasible because of network latency concerns (TIA Website, 2013). The installation of security software on ICS/SCADA devices is also not an answer.
A protective monitoring approach to cyber security needs the use of common, preventative technologies such as IPS, firewalls and antivirus, among others. It is supported by the introduction of aggressive, real-time monitoring across the cyber infrastructure which supports high-value cyber assets (2011 Nationwide Cyber Security Review, 2012). The goals of a protective monitoring approach are to: deflect attacks if possible, learn of successful or pending breaches quickly and in real time, give effective situational awareness and intelligence during a breach, and allow quick remediation actions (2011 Nationwide Cyber Security Review, 2012).
Technology is not the only reason for susceptibility and protection (2011 Nationwide Cyber Security Review, 2012). There must also be a very intelligent organizational process in place to support incident response in a timely and effective way. Organizations which do not have the internal capability to design, implement, and sustain effective technology and process should consider a Managed Security Services Provider (MSSP) to help them fill organizational capability gaps (2011 Nationwide Cyber Security Review, 2012).
However, even with an MSSP, utilities cannot be protected in the threat landscape. Nation states will continue to develop their cyber warfare capabilities (ICS-CERT, 2012). The capacities of cyber terrorists are likely to improve quickly, and attacks on critical infrastructure are very low-risk, high-impact strikes (ICS-CERT, 2012). Cyber criminals continue to find new ways to steal and extort. Hacktivists also get bolder by the day, and some utilities will most likely be attacked in the future. It is good that the above-mentioned protective monitoring approach to securing ICS/SCADA environments is very effective in thwarting these and other threats.
As specified by various reports and studies, the instrument for enhancing the cyber security of crucial infrastructure is to empower the general cyber landscape in a way which allows quick information sharing, improves public-private partnerships, and gives sufficient investment to confront present and emerging threats (Clapper, 2012).
The general benefits and impacts as expected outcomes of these initiatives include:
- Development of enhanced management tools for further protecting cyber security in Internet-based cloud computing and improving the use of automation, thereby producing improved industry competitiveness for the U.S. IT and more cost-effectiveness for both business and government operations (NIST Website, 2012).
- The emergence of privacy-enhancing, trusted authentication solutions given by the private sector which increase productivity and innovation while lessening losses for business and enhanced individual protection against cyber crime.
- Better dissemination of more effective cyber security education materials as outcomes of an educated workforce which is more equipped to consistently utilize best practices which protect themselves and their organizations.
A major criticism of the federal government's management of threat information is that it treats information sharing as a one-way street (Hatton, 2013). It wishes the private sector to be generous in sharing information with the government, but it also wants the private sector to limit what it shares with other private stakeholders. Trust must be a primary element in the sharing of information (Hatton, 2013). It needs trust on both parts – trust in the U.S. government to disclose information as quickly and consistently as possible, as well as trust in private companies’ receipt of information so that they share it back with the government (Recommendations of the House Republican Cybersecurity Task Force, 2011).
Conclusion
The defense of cyber infrastructure, and of critical infrastructure in general, is founded on the best partnership between the public and the private sectors. It also relies on the cyber security policy of the last ten years. Hence, the success of critical infrastructure owners and operators in preventing growing threats and attacks has resulted from the voluntary, public-private model. This model is capable of developing alongside the changes in critical infrastructure and the general risk surroundings. As both the volume of facilities and the number and complexity of the attacks balloon, it is really critical to leverage and develop the present public-private sector partnerships and alliances.
A change from the successful public and private partnership model to a mandatory regulatory regime would have a negative effect on the security and safety of critical infrastructure. The multi-faceted public and private sector partnership is the key to success in this naturally complex mission area (Recommendations of the House Republican Cybersecurity Task Force, 2011). This has paved the way for a more coherent and closer partnership among government and private sectors. The integration of multi-jurisdictional and multi-sectoral authorities, capabilities and resources in a coherent and adaptive approach, which can also be customized to particular sector and regional risk environments and operating environments, is the main path to successfully developing the U.S.’ cyber infrastructure safety.
In sum, the public and private sector partnership model for cyber infrastructure security attains what the previous models did not accomplish, such as: 1.) cooperation instead of compliance; 2.) an integral and adaptive approach to confronting cyber attacks; and 3.) avoidance of costly and redundant requirements, hence allowing resources to be focused on cyber security protection rather than obsolete exercises.
It must be the role of the U.S. government to greatly develop the capacity of the private sector to share its information with the government (NIST Website, 2012). The present laws which have been passed from the House of Congress with wide, bipartisan support, such as the Cyber Intelligence Sharing and Protection Act, would make important strides toward attaining this purpose. Congress must eliminate the barriers to promote more open and effective collaboration. Also, the cyber security and infrastructure industry should work together and further develop standardized, integral methods to collect, analyze and report data breaches at an international level, to sustain both the government and the industry in the thrust of better understanding cyber security threats (NIST Website, 2012). In short, two heads are better than one, and this is very apt for securing the critical infrastructure of the U.S.
References:
2011 Nationwide Cyber Security Review. (2012). A Summary Report. Retrieved on July 24, 2013 from, http://assets.fiercemarkets.net/public/sites/govit/2011ncsrsummary.pdf.
Acharya, Amitav. (May 6, 2012). China’s Rise and Security in the Asian Century. EastAsiaForum Website. Retrieved on July 23, 2013 from, http://www.eastasiaforum.org/2012/05/06/china-s-rise-and-security-in-the-asian-century/.
Clapper, James. (January 31, 2012). Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence Hearing. Retrieved on July 24, 2013 from, http://intelligence.senate.gov/120131/clapper.pdf.
Hatton, Mark. (2013). Critical Infrastructure is the New Battleground for Cyber Security. Security Week. Retrieved on July 23, 2013 from, http://www.securityweek.com/critical-infrastructure-new-battleground-cyber-security.
ICS-CERT. (June 2, 2012). ICS-CERT Incident Response Summary Report (2009-2011). Retrieved on July 24, 2013 from, www.us-cert.gov/control_systems/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf.
Napolitano, J. (2013). Strengthening Cyber Security for the Nation’s Critical Infrastructure. DHS Website. Retrieved on July 23, 2013 from, http://www.dhs.gov/blog/2013/02/14/strengthening-cybersecurity-nation%E2%80%99s-critical-infrastructure.
NIST Website. (2012). Ensuring a Secure and Robust Cyber Infrastructure. Retrieved on July 23, 2013 from, http://www.nist.gov/public_affairs/factsheet/cybersecurity2012.cfm.
Petersen, Chris. (2012). Securing Critical Infrastructure: A Cyber Security Call to Action. The Tech Herald. Retrieved on July 24, 2013 from, http://www.thetechherald.com/articles/Securing-Critical-Infrastructure-A-Cyber-Security-Call-to-Action.
Recommendations of the House Republican Cybersecurity Task Force. (October 19, 2011). Retrieved on July 24, 2013 from, http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf.
Roulo, Claudette. (2013). Nation Must Defend Cyber Infrastructure, Alexander Says. U.S. Department of Defense. Retrieved on July 23, 2013 from, http://www.defense.gov/news/newsarticle.aspx?id=120391.
The Chertoff Group. (2013). Point of View: Improving Critical Infrastructure Cybersecurity. SafeGov Website. Retrieved on July 23, 2013 from, http://safegov.org/2013/2/13/point-of-view-improving-critical-infrastructure-cybersecurity.
TIA Website. (2013). Securing the Network: Cybersecurity Recommendations for Critical Infrastructure and the Global Supply Chain. Retrieved on July 23, 2013 from, http://tiaonline.org/policy/securing-network-cybersecurity-recommendations-critical-infrastructure-and-global-supply.