In late June, the House of Representatives passed legislation specifically aimed at securing the industrial control systems that run our nation's most critical infrastructure, from oil pipelines to water treatment facilities to the grid. These systems also run infrastructure that might not rise to the level of "critical" but are certainly important. The automated machines powering America's manufacturing industry, for example, are all powered by a software and hardware that is increasingly subject to a growing threat landscape.
This legislation is no doubt a reaction to the events of a little over a year ago, when the NotPetya malware metastasized from its original targets in Ukraine to over a dozen countries, including the United States. The US, UK, and other western powers later blamed and sanctioned Russia for the self-propagating worm, which has been dubbed the most destructive and costly cyberattack to date with damages exceeding $10 billion globally.
NotPetya and its predecessor WannaCry, both of which utilized an exploit that was allegedly developed by and later stolen from the National Security Agency, are glaring examples of how threats that have traditionally only affected IT systems are now creeping into operational technology, or OT systems like those that open and close breakers, rotate turbines, and shut down plant operations when conditions reach dangerous levels. Indeed, the IT and OT worlds are converging, meaning that the victims of cyberattacks are no longer always the primary targets.
The reason for this phenomenon can be summed up in one word: interconnectivity. Our technological worlds are converging because the "things" that were heretofore disconnected are gaining a network connection, and more connected devices are being introduced into the global digital commons. By some estimation, the Internet of Things will more than triple in size between now and 2025 to over 75 billion devices. Most of these devices are consumer-facing — like smart thermostats and home assistants — but they are also found in our industrial facilities in the form of sensors, actuators, and portable interfaces like tablets and smart displays.
These industrial devices pose the greatest potential cyber-risk to our critical infrastructure. As stated by Congressman Don Bacon (R-Neb.), the primary sponsor of the DHS Industrial Control Systems Capabilities Enhancement Act of 2018, they are "the critical interface between the digital controls in an operational process." Unlike most IT environments, where hackers are forced to overcome authentication hurdles, usually by stealing credentials or cracking weak passwords, industrial control systems have no authentication. To make matters worse, the traffic is almost always unencrypted.
While it's encouraging that the House is leaning forward on industrial cybersecurity and committed to authorizing and equipping the Department of Homeland Security to protect our critical infrastructure, this still remains largely a private sector problem. After all, over 80% of America's critical infrastructure is privately owned and the owners and operators of these assets are best positioned to address their risks.
In doing so, one of the questions companies are asking themselves is how to reconcile the risks and rewards of the interconnected world. Should we simply retreat into technological isolationism and eschew the benefits of connectivity in the interest of security, or is there a better way to manage the risk?
The former is gaining a growing chorus, especially among security researchers. The latest call comes from Andy Bochman of the Department of Energy's Idaho National Labs. Bochman argued this past May in Harvard Business Review that the best way to address the cyber-risk to critical infrastructure is "to reduce, if not eliminate, the dependency of critical functions on digital technologies and their connections to the Internet." Said differently, when it comes to our most critical infrastructure assets, we should replace digital with analog and machines with humans.
Maybe I'm influenced by my millennial bias as a networked and digital creature, but such an approach seems tantamount to surrender in the face of a rising cyber threat that is still a long way from its apex. If the goal is to achieve maximum security of our critical infrastructure at all costs, even if it means depriving asset owners and operators of real-time performance analytics and the ability to conduct remote maintenance under routine and exigent circumstances, then so be it. However, this strategy is unlikely to receive much support outside of security circles and could prove to be cost prohibitive for most organizations.
By contrast, we must accept and embrace connectivity while, at the same time, improving security. This means balancing the risks of interconnectivity to our industrial control systems with gaining greater visibility into who and what are on these networks. Interconnectivity alone is not the problem; rather, it is this interconnectivity paired with opacity that produces the greatest risk to the country's critical infrastructure.
When it comes to securing the industrial Internet of Things, we are still in very early days. Let's not raise the white flag just yet by retreating into technological isolationism. Instead, let's learn from the events of a year ago and bring together government, industry, and the critical infrastructure community to raise what are currently far too low barriers to entry for hackers.
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info.Dave Weinstein is the vice president of threat research at Claroty and a non-resident fellow at New America. Prior to joining Claroty, he was the chief technology officer of New Jersey, where he served in the governor's cabinet and was responsible for delivering and ... View Full Bio