This blog post is an excerpt from GovLoop’s recent guide, “Your Guide to U.S. Critical Infrastructure.”
A primary responsibility of the Department of Homeland Security (DHS) is maintaining and securing the assets, systems, and networks comprising 16 critical infrastructure sectors. That’s no easy task and – as Caitlin Durkovich, the Assistant Secretary for Infrastructure Protection within the National Protection Programs Directorate, and Marty Edwards, Director of Industrial Control Systems Cyber Emergency Response Teams (ICS-CERT), explained – it’s only getting more difficult.
In a recent interview with GovLoop, Durkovich and Edwards explained how critical infrastructure is becoming more complex to monitor, maintain, and secure in the light of an ever-changing and complex world. “We’ve gotten very good at preparing for the consequences of the higher frequency, lower consequence events like tropical storms, tornados and small earthquakes,” said Durkovich.
She also said they were prepared to confront other common security incidents like physical insider threats and even low-grade terrorist attacks.
Those perils still exist for critical infrastructure sectors. However, new risks and challenges are also emerging. Durkovich and Edwards described how, in today’s fluid landscape, an increased connectivity of cyber systems and an amplified interdependency between sectors challenge critical infrastructure owners and operators.
What’s probably most ubiquitous is the expanding network of IT systems connecting critical infrastructure to the Internet. “Almost all of the sectors, and even some outliers that people don’t necessarily think about, are becoming more and more dependent on cyber-enabled devices,” said Edwards.
While those digital capabilities allow infrastructures to be monitored and maintained in innovative new ways, the connections they rely on also create new vulnerabilities. As Edwards noted, “Anywhere there is a connection, there is a risk.”
Of course, increased cyber connectivity and the risks it brings are not a new occurrence in our everyday lives. However, Edwards stressed the serious impact that connectivity can have on critical infrastructure. “You know, it’s one thing if a single person gets their hard drive locked by a ransomware attack, and has to pay several hundred dollars to get it unlocked,” he said. “It’s a totally different scenario if an entire hospital is unable to perform their medical duties because all of their computing infrastructure has been taken ransom.”
While many private sector companies are taking steps to secure those connections, Edwards said many companies are also struggling to initiate effective cybersecurity strategies. “That’s our biggest challenge,” he said. “We’re trying to level the playing field to get all of the owners and operators of these critical assets to recognize that cyber is a real risk that they have to plan and mitigate for.”
This enhanced cyber connectivity is also creating more ties between sectors, as they all become interlocked on the same physical and cyber grids.
“What we have seen is an evolution where it is increasingly difficult to bucket and bin the world of critical infrastructure neatly into 16 sectors,” Durkovich said. “In part, that’s because you have companies that operate in multiple sectors. But more importantly, it’s because we have created this complex ecosystem of critical infrastructure, where you have critical functions that are dependent on other critical functions.”
To confront that reality, the department and its partners are moving away from an asset-focused approach to maintenance and security. Instead, they look at the interconnectivity of sectors to mitigate the “cascading impact” that one service disruption might have on others. However, creating that holistic approach requires better coordination and new skills.
DHS Resources Help Bridge the Gap
Durkovich summarized the primary challenge DHS seeks to address: “How do you continue to build a critical infrastructure workforce that understands the aging, older infrastructure, yet has the skills to bring that company into the modern era, and understand all of the principles that we’ve been talking about here today?”
To create a private sector capable of maintaining and securing an increasingly complex critical infrastructure environment, the department provides a number of services including coordination, training, and education of asset owners and operators.
“We have a number of different ways that we coordinate with both private and state and local owners of critical infrastructure assets,” Durkovich said. “The first is really on the ground. We have over a hundred protective security advisors. These are security specialists who are in every state and major urban area to bring to bear the suite of DHS resources. They can do a vulnerability assessment of a critical infrastructure facility – helping owners understand where their strengths and weaknesses are and where they can make investments to improve that security and resilience posture.”
To increase the efficacy and reach of these collaborations, Durkovich said DHS is beginning to integrate more small and medium-sized businesses, as well as non-traditional private sector partners like churches and community centers, into coordinated efforts.
However, the department faces a unique challenge in achieving that objective. While Durkovich mentioned one program where her office has direct oversight of high-risk chemical facilities, most of the department’s collaboration with the private sector is done on a voluntary basis. Similarly, ICS-CERT’s partnerships with the private sector are not mandatory, instead relying on a willingness from infrastructure owners to invest in cybersecurity.
Where DHS cannot play a central role in daily operations and collaboration, the department provides training so that others can bring the necessary security skills into private companies and critical infrastructure assets.
“The government itself is certainly challenged with hiring enough cybersecurity professionals, and we work every day on various programs to try to help bridge that gap – whether it’s our advanced university placement programs and partnerships we have with educational institutions, or our own internal training,” Edwards said.
Finally, DHS maintains a wealth of educational resources to make critical infrastructure best practices available to all sectors. As a primary asset, Edwards pointed to multiple DHS resources for securing critical assets connected to the Internet. Those resources are available online. “And in the case of some sort of incident or event, owners and operators are certainly welcome to reach out to us, and we can deploy a team if necessary to help them deal with the effects of whatever has occurred,” he said.
That’s the key role that Durkovich’s and Edwards’ DHS teams play in creating a robust critical infrastructure ecosystem. While they build the strategies and plans to strengthen the nation’s critical infrastructure, their real objective is to empower and enable private owners and operators to manage an increasingly complex environment of critical assets.