Securing Connected Critical Infrastructure - the Next Big Challenge

Today’s spotlight continues to expand on cyberthreats, particularly to critical infrastructure, evidenced most recently by President Barack Obama’s Executive Order – Improving Critical Infrastructure Cybersecurity. Aimed at building on the government’s partnership with critical infrastructure owners and operators, perhaps the most important directive in the order is the collaborative development of an effective framework of standards, practices and procedures under the National Institute of Standards and Technology. While there is much debate among stakeholders regarding whether such a framework should be mandatory or voluntary, and whether it contains within it the foundation for a stronger regulatory approach, it’s clear we need such a framework.

In the past, an organization’s operational technology (OT) — which, for example, serves to open and close valves, as well as regulate turbine speeds and even systems that mediate the clearance of international financial transactions — was not built to use the Internet or connect with an organization’s enterprise information technology architecture.

Today, however, organizations are starting to see the potential benefits of linking their OT and IT systems and adding devices to their infrastructures with Internet protocol addresses. A great deal of benefit can be gained from enriching our lives with this technology. Indeed, the worst possible answer is letting fear, uncertainly and doubt constrain us from making the best use of our best technology.

Instead, in the cybersecurity world, we have to find a way to get the wolf away from the door, not lock ourselves in our homes and enjoy this ecosystem of information technology that we have created. As a country, our greatness is characterized by solving problems at the technology frontier, rather than retreating from them.

In the end, this means building a secure, seamless ecosystem that goes from the mobile device in our pocket all the way to the programmable logical device that’s embedded in a power plant turbine, a pipeline or an air traffic control system. Accomplishing this will be our next big challenge, and getting this done will require strong collaboration between industry and government.

In the near term, organizations looking to link their operational and information technologies need to examine carefully their plans for this interconnection, assess the results and security from that interconnection, start to perform gap analysis between what they have and what they need, and develop an action plan to close those gaps. This is hard work, but it needs to be done.

And, we must go further. The National Institute for Standards and Technology, which the President’s Executive Order discusses, may be key in helping develop really secure cyberecosystems. To solve this technology challenge requires a national research agenda that stimulates the development of standards and encourages discussion as to how these standards can be realized rapidly.

We’re facing the emergence of two huge vulnerabilities: unsecured mobile devices and unsecured operational technology. Resolving these vulnerabilities is not something that will happen instantly. Instead, it’s going to require effective collaboration between industry and government. That action is likely to be voluntary, but some type of regulation may prove necessary as well.

Because inevitably someone will see the cost benefits of linking their operational and information systems. And while we shouldn’t be in a rush to make that transition, the pressures to make that transition at some point will be almost irresistible.

In this video, I share my quick take on the importance of getting serious about cybersecurity for power plants, hospitals and other critical infrastructure.