Protecting Our Nation's Critical Infrastructure

Recent reports of our nation’s power grid being compromised that appeared in the Wall Street Journal and in a report by the European Parliament titled “Cyber Security and Politically, Socially and Religiously Motivated Cyber Attacks” have increased the angst of security experts in the public and private sectors.

 

Concerns over critical infrastructure security were raised significantly when the GAO testified before the Subcommittee on Emerging Threats, Cyber Security, and Science and Technology, Committee on Homeland Security, House of Representatives. In their testimony, officials said that cyber attacks against nation-states and others demonstrate the potentially devastating impact these pose to systems and the operations and critical infrastructures that they support. They also concluded that without the key attributes, US-CERT did not have the full complement of cyber analysis and warning capabilities essential to effectively perform its national mission.

 

The term Critical Infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, national health or safety, or any combination of those matters.”

 

The assets mentioned above are further sub-divided into three categories:

 

1.       Physical – Physical assets may include both tangible property (e.g., facilities’, components, real estate, animals, and products) and the intangible (e.g., information). Physical protection becomes an even more difficult task when one considers that 85 percent of the nation’s critical infrastructures are not federally owned. Proper protection of physical assets requires cooperation between all levels of the government and within the private sector.

2.       Human – Human assets include both the employees to be protected and the personnel who may present an insider threat (e.g., due to privileged access to control systems, operations, and sensitive area and information). Those individuals who are identified as critical require protection as well as duplication of knowledge and authority.

3.       Cyber – Cyber assets include the information hardware, software, data, and the networks that serve the functioning and operation of the asset. Damage to our electronic and computer networks would cause widespread disruption and damage, including casualties. Cyber networks link the United State’s energy, financial and physical securities infrastructures.

 

According to the U.S’s National Infrastructure Protection Plan (Department of Homeland Security, 2006), critical infrastructure categories include: Agriculture, Banking and Finance, Chemical, Commercial Facilities, Dams, Defense Manufacturing, Drinking Water, Wastewater Treatment, Emergency Services, Energy, Government Facilities, Information Technology, National Monuments and Icons, Nuclear Reactors and Waste, Postal and Shipping, Public Health and Healthcare, Telecommunications, and Transportation System.

 

NOTE: Homeland Security Presidential Directive 7, issued in December 2003, designated DHS as the lead agency for protecting critical infrastructure.

 

In multiple meetings with President Obama, numerous leaders have reportedly have pushed for a second stimulus package. The response to these calls thus far has been "no, not yet."  Lately, Obama has tried to subdue calls for a second stimulus package often stating that the Recovery Act has worked as intended. This has left many to ask the question, ‘Okay, what next?’ One thought is that the second stimulus package should address fortification of the critical infrastructure of the U.S. against cyber attacks.

 

A second stimulus package that truly focuses on securing the control systems of our critical infrastructure would be money well spent. Not only would it create jobs and improve our ailing economy, it will move to protect our country against cyber attacks that are becoming aggressive, more sophisticated and more successful. Industry experts, military leaders, elected officials and leaders from federal law enforcement agencies have spoke publically about the threats posed by cyber attacks. If that does not paint a scary enough picture, try to imagine the conversations taking place in classified settings about the attacks and infiltrations we never hear about. Experts agree it’s time we get prepared!

 

The full white paper can be downloaded here.