Critical infrastructure leaders must ‘wake up’ and invest in cyber, report says
SimonSkafar via Getty Images
By
Chris Teale
A new report from the Multi-State Information Sharing and Analysis Center warned of the threats faced by critical infrastructure and urged states to spend more to protect themselves.
A House committee meeting last month once again highlighted the cybersecurity threats that critical infrastructure operators face, especially from nation-state actors.
In written testimony before the U.S. House Committee on Homeland Security in early February, Chris Jones, president and CEO of Middle Tennessee Electric cooperative noted the “increasingly complex and perilous” threat landscape that confronts electric, water and other utilities and critical infrastructure, and most operators feel they lack enough workers to handle those threats.
Much of the nation’s critical infrastructure is managed by state, local, tribal and territorial governments. And a new report from the Multi-State Information Sharing and Analysis Center said states in particular need to invest more in cybersecurity, not only to help strengthen critical infrastructure but also to help governments that are smaller in size and so might also be less prepared for an attack. MS-ISAC also urged more national investment and strategy for cybersecurity.
One issue for critical infrastructure is that technology systems and business systems are often treated separately, Gary Coverdale, the chief information security officer for Santa Barbara County, California, said in an interview. The two need to be more closely intertwined, he said.
“A critical infrastructure attack, it can really do some damage to the environment, to the public,” said Coverdale, who is also a member of the MS-ISAC executive committee. “A cocoon approach to cybersecurity will help minimize, but you’ve got to really wake up the C-suite and board of supervisors and councils to make a budget decision to [invest]. No news is good news in cybersecurity until you get hit.”
The effects of those cyberattacks on critical infrastructure can be catastrophic. In an advisory last year, the U.S. Director of National Intelligence said that Russian-linked hackers gained remote control of water facilities, dairy systems and an energy company. And while the hackers only posted an anti-Israel message, they could also have denied access to critical services and threatened public health and safety.
But investing in cybersecurity can be challenging for governments of any size, especially the smaller ones that have limited IT resources and staff. Those governments’ cybersecurity needs then run against numerous other competing budget priorities, including schools, public safety and others.
“If you're against public safety and it comes down to a new fire truck or a security operations platform that's going to be on the back end that nobody's going to see, generally you're going to go with public safety and get that new fire truck,” Robert Beach, the chief technology officer for Cocoa, Florida, and a member of the MS-ISAC executive committee, said in an interview. “It is tough when budget dollars are constrained and we're all contending for the same dollars.”
Cybersecurity officials should make the case that their work is necessary for “business continuity,” Coverdale said, which may not be as striking as some of the things governments spend their money on, but is so important for day-to-day operations.
“It's always fun to get to buy more fire trucks and fire personnel, but business continuity is what it's all about,” he said. “Without systems and communication systems, you're not going to be able to communicate to the personnel out there running the fire trucks and getting the employees situated out there across a disaster area like the Los Angeles fires. That business continuity thought is really something you have to drive from a security perspective, because without business continuity, you've got no operations.”
In addition to direct investment, Beach and Coverdale said a whole-of-state approach to cybersecurity is necessary. That strategy involves better information sharing and partnerships between the different levels of government, as well as with the private sector and academia. “Cybersecurity is really a team sport that requires communication and coordination,” Beach said.
That also requires developing a robust cybersecurity workforce, a challenge that has beset state and local governments for years. It can be hard to find space in budgets to provide robust training, Coverdale said, so it needs different approaches, whether it be partnering with local academic institutions or the private sector. Technologists can also be retrained to work on cybersecurity, he said.
Cybersecurity professionals also need to do a better job communicating about their priorities and the challenges they face, in a bid to build trust with their residents and elected officials. Too often, Beach said, cyberattacks can feel like they happen in a “silo” with little transparency for other potential victims as well as the public. Communicating day-to-day needs is crucial too, he said.
“There's a perception for people outside of the IT and cybersecurity world where they ask, are these threats real?” Beach said. “You have to have very honest and open conversations with your local government, your organization's leadership, to let them know that these are things that can happen and that if we do invest in cybersecurity measures, there's no guarantee that we won't get hit with something. There's a perception out there that it won't happen to us.”
NEXT STORY: Top considerations for adopting a whole-of-state cybersecurity strategy