Maintaining Voluntary Measures for Critical Infrastructure Cybersecurity Could be Deadly
While we do not yet know and may never know the identity or intent of the perpetrator, we do know one thing for certain — the security of America’s critical infrastructure is woefully inadequate.
In the case of the Oldsmar, FL water system, the system was accessible over the public internet through a notoriously insecure piece of software that provides remote access to computer systems. This setup, designed for expedience, not security, goes against the most basic understanding of how to secure critical infrastructure.
Using specialized but commonly available search engines, it is easy to identify thousands of similar Internet-accessible systems. The skill required to access and modify the controls on these systems is trivial in comparison to, for instance, the skill level necessary to carry out the SolarWinds campaign, yet the consequences could be far more deadly.
Despite these concerns, there are no Federal requirements for the cybersecurity of water and wastewater treatment plants. This holds true for pipelines that transport oil and gas as well, and there are only the weakest of requirements for chemical facilities, maritime facilities, and multiple other critical sectors.
It is time that we set strong, enforceable requirements to create a baseline for security and ensure owners and operators have the necessary resources to meet these requirements.
We propose a five-part solution:
First, Congress, as part of the economic recovery, should provide an influx of funding to update and modernize the aging and insecure operational technology that sustains our way of life. Multiple bills in Congress would provide between $14 and $40 billion for this purpose.
Second, the Cybersecurity & Infrastructure Security Agency (CISA) should set strong, baseline regulations that will both inform the buildout of new infrastructure, so it is secure from the start, and set requirements so it is maintained securely. Regulations must also address legacy infrastructure and should do so in such a way as to incentivize the replacement of these systems. Requirements can be flexible so as not to create a homogeneous environment but must ultimately add up to the outcome of much stronger security. With increased funding, CISA should take a larger, active role in providing and maintaining technical security solutions for smaller operators.
Third, to help owners and operators of critical infrastructure meet these regulations, the Federal government should implement a universal security fee per gallon of water so that the biggest users pay the largest share. This fee, similar to the universal service fee paid on your wireless bill or the security fee you pay when you purchase an airline ticket, would provide reimbursement to the water system in order to pay for the cost of meeting the regulations.
Fourth, these regulations should include requirements for regular testing of security against a Design Basis Threat. In the nuclear industry, the Nuclear Regulatory Commission defines requirements for detection and response and also requires simulations of those capabilities in adversarial testing. The Design Basis Threat should be informed by the intelligence community based on the known capabilities of adversary nations. Critics will contend that adversarial emulation cannot work on operational networks, that these systems are so delicate and the consequences of interfering with them are so high that testers should not be allowed into them. This is solvable and it is better to train for the fight we’re in, yet if these systems are truly this fragile, the ability of adversaries to take them down is all too real.
Fifth, because even the best security can be defeated by a determined adversary (if you build a 10-foot fence, they’ll bring an 11-foot ladder), critical infrastructure companies need to be brought into the Federal government’s intelligence loop so that the attacks hitting these networks inform collection priorities and enable offensive cyber operations when warranted. Even “near misses” like what happened in Florida must be reported, investigated, and used to inform responses.
These measures, if enacted, would give us a fighting chance to protect our way of life. Taking these steps would upend the consensus view that regulation is not necessary and that mandates cannot work. In 2021, when anyone in the world can reach out and touch the virtual controls on a Human Machine Interface that controls life-or-death decisions, security cannot be left to communities alone, voluntary initiatives, and bottom-line-based decisions.