Securing Our Infrastructure: Not Easy, But Not Optional

The world got a glimpse of the future in December 2015, when hackers—presumably Russian—shut down a Ukrainian power station, leaving hundreds of thousands of people without electricity.

Although numerous reports had documented the vulnerability of power grids to cyber threats, the Ukraine breach was the first large-scale demonstration of the havoc a hostile organization can create with an attack on public infrastructure. In this case, power was restored after a few hours with relatively little lasting damage. The next time, things may be much worse.

Living on borrowed time

We have not yet seen a devastating cyber attack on critical infrastructure, but many experts believe one could happen at any moment. In a recent report, the US National Infrastructure Advisory Council warned that bold, immediate action is necessary to prevent a cyber attack that could “result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The report lists 13 key recommendations, including the declassification of information on cyber risks and the development of new machine-to-machine data sharing technologies.

In Europe, a new Directive on Security of Network and Information Systems—proposed almost three years before the Ukraine power station attack—was formally adopted in 2016. The NIS Directive, viewed as a companion piece to the GDPR, establishes new standards for security in response to what the European Parliament called major threats to the EU’s financial markets, water transport systems, and other critical infrastructure.

While these are certainly steps in the right direction, it remains to be seen whether the slow progress in improving our infrastructure cybersecurity will be enough to prevent an attack that claims thousands of lives or brings one of our vital institutions to its knees.

More connected, less secure

More than eight billion devices are connected to the internet today, a number expected to grow to 20 billion in the next three years. The “smarter” our world gets, the more vulnerable we become to attacks that cause not only financial hardship or organizational embarrassment, but immediate physical harm. Thieves, terrorists, and hostile nations can now choose from a vast array of internet-connected targets, including power grids, traffic control systems, water supplies, industrial equipment, and even household appliances.

One of the many challenges in securing infrastructure assets is that the Internet of Things is populated with devices designed to communicate electronically while using the bare minimum of electricity and computing power. Internet-enabled machines typically lack the resources needed to support encryption and other standard security technology, making them an easy target for hackers who want to redirect the devices’ traffic or disrupt their functionality directly.

Matters grow even more complicated when outdated systems are retrofitted for network connectivity. Operating systems and applications that were never intended to handle cyber threats are much more difficult to secure, often leaving security gaps that go undetected until after a hacker has gained access.

Solving the problem of resource-constrained cybersecurity is taking on greater importance as more devices come online and more hackers take aim at them. The National Institute of Standards and Technology is leading an effort to develop standards for “lightweight cryptography” that will provide stronger protection for sensor networks, embedded systems, and even RFID devices that lack an internal power supply.

Attackers will always seek the weakest point in any target. Our critical infrastructure will only be secure when we learn to protect sensitive data everywhere it exists, from the largest financial database to the smallest mechanical controls.