Critical Infrastructure Protection Looks Inward
As threat approaches have consolidated, defensive measures take the same tack.
The growing interconnection among the elements of the critical infrastructure may hold the key to safeguarding it against an increasingly sophisticated threat picture. Many elements of the critical infrastructure depend on each other, and securing them in a coordinated endeavor holds promise for combatting adversaries who are targeting it on a daily basis.
Ultimately, the key to critical infrastructure protection may lie in its varied nature. The diversity of the service provided through the infrastructure means that it touches virtually every aspect of society, and its protection may be in the hands of everyone who participates in it and is affected by it. Measures such as asset prioritization and consolidation of responses would complement coordinated efforts by governments, industry, academia and emergency responders.
“We have adversaries—four nation-states, two at the very high end—that not only have resources and capabilities, but also are advancing in their own tradecraft,” says Robert J. Butler, senior vice president for critical infrastructure protection operations at AECOM. “They’re converging between online activity with regard to collection and exploitation with actors on the ground. They’re collaborating in their own national interest with criminal actors. Russia and China are at the top of the list, followed by Iran and North Korea and then terrorists.”
Butler adds that criminal activity is increasing outside of nation-states, particularly in black markets. Cryptocurrency activities bear watching, he notes.
“We are living in a very dangerous world, and from a national security and public safety perspective, that’s where the focus needs to be—against those actors.”
Butler offers that adversary tradecraft has increased and converged over time, so the risk to the infrastructure comes from both the digital and the physical domains. With so many assets to protect, infrastructure defenders must focus on the most valuable elements and ensure they have the highest levels of protection.
“We’re in a struggle with regard to the resiliency of critical infrastructure, both from a national security as well as a public safety perspective,” Butler declares. Economic security and business continuity are part of that struggle, he adds.
The critical infrastructure comprises lifelines that are essential for daily life, Butler notes. These include the electrical power grid, telecommunications networks, transportation, financial transaction systems, the energy supply and water treatment facilities. When any of these are affected for periods of time, severe challenges arise in terms of both national security and public safety.
Addressing these potential challenges first requires determining what kind of processes are developed. Planners face an important choice: Are the processes regulated or voluntary? If they are voluntary, then they must be incentivized to persuade more people to participate, Butler points out. The current approach is to employ both regulation and incentive, he says.
He notes that, in the high-assurance areas such as the defense and nuclear industries, the trend is to go beyond providing incentives. Government agencies are working more closely with their appropriate infrastructure elements to secure them against threats.
“In the United States today, you see a growing understanding of the threat and the need to do more,” Butler declares.
Many of these sectors are interconnected, he points out. Energy dependencies and telecommunications dependencies support water treatment and the Global Transaction Platform, which involves financial services and banks. That platform also handles transactions for oil and natural gas, Butler notes.
These lifelines are part of the community, he explains. At one level, these organizations are a city’s supporters and patrons. Mutual incentives will help steer the commercial sector and local government into working together. “They have a shared role in providing for the resilience of the city, and that’s outside of something being imposed top-down,” Butler points out.
Some firms already have instituted changes to serve public safety and security. Going beyond providing typical service-level agreement support, they are looking at ways of creating resiliency at different levels of distribution, transmission and generation. “It’s just good business,” Butler declares.
The technology providers that underpin systems controlling the infrastructure face a different challenge. As technology evolves, adversaries incorporate it and increase their threat level, so the providers must constantly innovate to stay ahead of them. Butler sees that innovation taking place, but he feels that it must move faster. These companies also must promote secure standards and interoperability.
To secure the critical infrastructure, local governments must take several measures. First, they need to ensure that everyone understands their needs, Butler says. “Some are very vocal; some we haven’t heard from,” he relates. Their responsibility to provide public safety begins with education, so they must educate their citizens on this burgeoning threat.
Local governments also need to be a convening authority to bring players together for community security and safety. And they must build partnerships and relationships. A city can bring sectors together in different ways and help the private sector see its roles in emergency management services as well as new ways of doing business, Butler offers.
Nongovernmental organizations can make valuable contributions. Butler believes there are roles for think tanks and not-for-profits as brokers for new concepts, especially in information sharing. They also are good for promoting new ideas, he adds.
Butler calls for developing a way to perform applied research and development for cities. He suggests applying the federal development and operations (DevOps) model to the local level because cities are the entities that have the requirements. Universities might be able to partner with cities as incubators, he says.
Threats to the critical infrastructure also threaten the U.S. military, as many domestic bases rely on local infrastructure for vital support. But securing that infrastructure for the military presents several challenges. “We need to change behaviors and change culture so that we tie together, on the highest priority assets, the best resources and competencies,” Butler says. “And it’s not just helping in an incident response.
“You have to build a culture. You have to build campaigns, and you have to work together and practice together,” he adds.
Civil-military cooperation can run afoul of legal issues. Planners have been trying to find ways of distributing risk, and this entails examining liability and responsibility. He notes that stakeholders come together when they see they have a vested interest in common infrastructure, and this can be done through contractual agreements across territorial lines. “This is a time to be creative and proactive,” Butler offers.
Congress must play a role in light of cross-jurisdictional issues, he says. Legislators need to work across party and committee lines to continually increase the alignment of resources and capabilities for the highest priority assets.
Active defense can help protect the infrastructure, Butler suggests. In addition to traditional efforts such as network monitoring, this includes taking proactive measures beyond the network that preempt the threat. With adversaries constantly improving their game, infrastructure security must be more proactive, he insists. He emphasizes that this does not include hackback, but instead involves a combination of measures that provide a higher level of protection than is possible solely inside the network.
Butler cites the Jack Voltaic 2.0 exercise as a key means of improving infrastructure security (see box). What set that exercise apart from others is that it eschewed a top-down approach, in which the federal government is the focal point, in favor of a bottom-up approach driven by first responders and emergency management services. “That gives you a different look,” Butler explains. “They’re the ones on the front lines, whether it’s a natural hazard like a hurricane or a cyber breach, and they’re the ones that are going to have to pull it together first.”
By thinking about how the top-down and bottom-up approaches come together, planners look at critical infrastructure differently, he continues. The interdependencies among the sectors become more apparent, and participants begin to work through playbooks, information sharing and analysis organizations, service-level agreements and building a culture of campaigns.
“We need to be in a campaign cycle,” Butler states. “This threat is not going to stop. We have to deter it … but at the same time we have to increase resiliency. We have to be ready for responding to these kinds of converging threats.”
The bottom-up approach also provides a better perspective on programmatic changes, especially in policy and law. Funding issues come to the fore: local governments have very little money for infrastructure protection. And, the roles played by regional organizations such as the Federal Emergency Management Agency (FEMA) come into play.
Technology will serve a vital role in infrastructure security—in some cases helping to define it beyond supporting it. Butler notes that Jack Voltaic 2.0 went beyond a tabletop model and introduced a virtual constructive environment built by a company known as Circadence. Modeling and simulation can serve a valuable role by visualizing different hazard scenarios and human responses. As a result, planners can think beyond point assessments to overall readiness, he states.
Butler cites an example of how nontraditional local capabilities can assist in disaster response. The University of Houston participated in Jack Voltaic operationally, and one of its capabilities came through its campus broadcast station. This facility can be used for datacasting directly into police cars. “Understanding what different players can do outside of their traditional roles, and practicing, is another part of this [exercise approach],” he allows.
“We have to develop a net assessment function,” Butler declares. “We have to develop a capability where we can begin to understand where the threat is going.”
This includes evaluating technology advances for both the United States and its allies. Experts must determine where advanced technologies such as artificial intelligence and machine learning take both groups, as well as how incoming capabilities such as 5G will affect critical infrastructure threats and protection. This should include where the United States will have a relative advantage and where risk will increase.
But even with this type of assessment, ultimately it will require broad engagement to maintain security for the critical infrastructure. “We have a vested interest—all of us, as citizens—to work together to begin to protect the things we are dependent on,” Butler warrants.