When it comes to security, the physical affects the digital and vice versa. There's no longer a distinction; the two are intrinsically linked and converged. At the same time, our infrastructure is old — most of it was designed for far fewer people than it currently serves, whether we're talking about power lines or train crossings.
We're already seeing how the physical can affect the digital. That's the case with Ukraine and Russia right now — everyone is worried about both physical invasion and cyberattacks. This is combined cyber/physical conflict for the 21st century.
Yet most cybersecurity defense efforts are focused only on the digital network side, which is negligent when dealing with critical infrastructure. And even the digital side isn't always being well-protected. For instance, a recent report by one control systems cybersecurity expert found that over 3,000 smart instruments in one petrochemical facility had no passwords — even by default — potentially making the industrial environment that much more vulnerable. This needs to change.
Taking a Hard Look at OT Systems
Legacy structures and legacy technologies must be addressed. America's infrastructure is aging and outdated; in fact, the American Society of Civil Engineers gave it a C-minus on its quadrennial infrastructure report card — with the transit system getting even lower marks.
Not only are the physical structures — the bridges, the roads — themselves run down, but so are the systems within most types of infrastructure (i.e., the sensors that control train crossings). The way things are done is also outdated. For instance, in most of the US, we still have our power lines aboveground, where they are vulnerable to common occurrences such as massive snowstorms that can take down a city's power. In other countries, including much of Europe, power lines are often underground. Why isn't this the case for the US in 2022? The major reason is cost.
In addition, knowledge and skills gaps persist. Like many industries, operational technology (OT) faces a skills gap, particularly when it comes to the technical skills needed for more modern systems. And today, the convergence of IT and OT means you need skills for both. Applications and critical services are built on both physical infrastructure and digital, and they're inseparable.
On top of these challenges, many infrastructure systems are located in remote, hard-to-reach areas, and the sheer volume and mass of devices and power lines makes it difficult to deal with. It's also expensive to replace all these aging systems — President Biden's infrastructure bill is a big step toward fixing some of those issues, but it's going to take a long time for these changes to be made.
Bringing Physical and Digital Security Together
Organizations have aging systems that are too often undersecured, creating a greenfield opportunity for bad actors. We're seeing an increasing number of attacks against critical infrastructure — from oil pipelines to municipal water supplies and more. We can't seem to go a day without hearing about yet another ransomware attack, and attacks against critical infrastructure can have far more dire consequences.
What affected organizations need to do in order to bolster defenses is to bring digital and physical security together more than they are currently. It's all about systems thinking. For instance, doctors don't diagnose a problem in insolation; they look at the whole person and determine if the condition is caused by stress, environmental factors, disease, and so on. Without a whole perspective, organizations are just treating systems and are then puzzled when they can't find the root cause.
Digital and physical systems need to be treated as inseparable. There must be more collaboration across the cybersecurity industry, critical infrastructure industries, and the public sector. We need new training/education initiatives for the existing workforce and leadership that can bring forth fresh, innovative, and creative ideas. And we need stronger standards, regulations, and compliance mandates, with real legislation and policy changes to provide the funds that will tackle the high costs of building stronger infrastructure.
Partnering for a More Secure Future
It's long past time to merge digital and physical security to ensure critical infrastructure remains uninterrupted. The rise we've seen in ransomware attacks against the sector is a testament to this reality. Bringing effective cyber and physical security to this vulnerable sector requires the often-daunting task of upgrading legacy OT systems to more secure, modern versions — but it must be done.
Some legacy assumptions need new ideas, too; burying power lines is just one example. And this sector needs to find innovative ways to staff these new requirements. Private/public partnerships will help gather resources, information, and innovative ideas. Such infrastructure "think tanks" will help bring the transformation needed to protect not just the buildings, systems and processes, but the citizens who rely on them.