The cyber risks faced by state and local governments require an integrated solution that recognizes the interconnectivity of critical infrastructure systems and eliminates “traditional security siloes,” according to a panel of experts speaking during a recent webinar hosted by Cisco.
Mark Weatherford, host of the webinar and a principal for the Chertoff Group, commented that cyber risk for governments and critical infrastructure poses “unique challenges” in planning for, responding to, and recovering from an event. These risks can be further complicated by limited resources and “daunting regulatory concerns.”
According to Dr. Jeffrey Runge, senior advisor for the Chertoff Group, evaluators of risk may not realize the depth and connected nature of all the key resources that could be affected by cyber attacks. He cited government facilities, nuclear reactors, health care and public health entities, chemical plants, the financial services sector, transportation, waste and water treatment facilities, and communications capabilities, among others.
“It calls for an integrated solution, so none of these are disrupted. If one goes, they all go,” said Runge. He added, “Consequences can be grave without killing anyone. Our attention on mass disasters that kill a lot of people is short thinking. It doesn’t take a lot to cause a crisis in government and lose the confidence of the people.”
The federal government defines critical infrastructure as being “comprised of assets, systems, and networks, whether physical or virtual.” Adam Sedgewick of the National Institute for Standards and Technology explained that NIST designed its cybersecurity framework to be used by organizations in any industry, including critical infrastructure.
According to Marc Blackmer, product marketing manager for Cisco, the hurdles may come with trying to secure systems not built for interconnectivity.
“With critical infrastructure, you’re talking about industrial systems that used to live in a cocoon, those air-gapped systems,” said Blackmer. “We’ve got systems that never had to deal with information security getting thrown into a more robust threat landscape than we had to deal with in the 1990s.”
The increased connections to the Internet of Things (IoT) offer one excellent example of that expanded threat environment – while businesses gain efficiency and other benefits with the wider sphere, additional third parties also have access to systems and data.
“If an attacker wants to get to your organization, they’re not going to come in through the front door,” said Blackmer. “There’s a lot more pressure to get that security configuration intact. There’s an expansion of the attack surface…. An attacker, and even more probable, a mistake can have a bigger impact.”
Blackmer cited the example of a disrupted oil refinery losing one million dollars per hour if production shuts down.
The panel emphasized the need for a convergence of security efforts in information technology, operational technology, and physical security, merging their concerns rather than dealing with them individually.
The hot topic of interconnectivity among cyber and physical threats isn’t likely to go away soon. Weatherford recalled an old saying illustrating the divide that must be overcome: “Do I send a guy with a gun, a wrench, or a laptop to solve the problem?”
According to Cisco’s Blackmer, siloes only encourage cultural differences in organizations that should be working together as a unit to address all risks, rather than taking piecemeal approaches. He predicted that security workforce staffing shortfalls will exacerbate the problem over the next five years.