United States: Critical Infrastructure Security: The Need For A Twofold Approach

One night last spring, snipers attacked a relatively remote electrical substation near California's Silicon Valley. In what appears to have been a very carefully planned strike, the perpetrators cut underground communication cables, and then, under cover of darkness, opened fire on the substation equipment with automatic weapons. They damaged 17 large transformers before police were able to respond.

Fortunately, the region did not experience any power outages, as operators – once they became aware of what had happened – were able to re-route some power around the damaged facility, but it took the utility a month to repair the equipment. The attackers were never caught.

The California facility was not deemed a "critical interconnect," meaning that damage to it was unlikely to have a catastrophic impact. In fact, there are only about a hundred electrical facilities nationwide that are deemed "critical" in the sense that damage to them would result in wide-spread, long-term outages. Law enforcement officials, however, have speculated that incident may have been a dress rehearsal for a more significant attack to come. Even if it was not a trial run, the event certainly provides a strident wake-up call regarding the need to give equal weight to physical threats, and not to focus solely on the cyber side of the equation.

To date, the discussion surrounding critical infrastructure protection has been focused on "cyber" threats

Until recently, discussions about "cybersecurity" have taken place primarily among technical experts. However, massive cyber breaches involving several large retailers over the Christmas holidays made personal data protection a dinner table conversation across the nation. Those breaches have further spurred efforts already underway by law- and policy-makers to stave off a looming cybersecurity crisis.

Specialized task forces are studying that problem. A handful of colleges and trade schools now offer cybersecurity courses in their curricula. Congress holds regular hearings on cybersecurity, inviting panels of experts to explain what is being done, or to opine on what more needs to be done. And, there is a growing sense among the general public that advances in the technology that is essential to our increasingly high-tech lives is rapidly outpacing our ability to secure it.

However, the sniper assault on the California electrical facility spotlights the fact that threats to our nation's critical infrastructure need not be high-tech, and in fact, need not be high concept.

Now, the security conversation has begun to take a new turn toward "physical" threats.

According to some reports, physical threats to critical infrastructure not only are far more likely to cause significant damage, they are far more prevalent. In December 2013, Foreign Policy magazine highlighted the low-tech nature of the attack on the California substation, and noted that although there is a lot of focus among policymakers on cyber threats, there has never been a confirmed power outage caused by a cyber attack in the United States.¹

Another recent report, this one by the Wall Street Journal, found that there have been 13 serious cyber attacks at utilities over the past three years and 274 physical attacks on US critical infrastructure.² Indeed, our experience with powerful storms in recent years as well as widespread blackouts triggered by trees hitting transmission lines has revealed just how vulnerable our electrical grid is to physical damage.

This is not to say that the cyber threats are less important, or any less deserving of attention. A Department of Homeland Security team indicated in 2012 that US infrastructure, including the electric grid, water utilities, and so forth, is targeted almost daily by hackers and cyber spies.³ While the majority of these efforts are relatively harmless, involving email viruses and automated probing that even computers owned by individuals fall victim to, the growing number of instances of attempted access by sophisticated "threat actors" increases exponentially each year.

Regulators address physical and cyber threats

Multiple groups are currently grappling with the question of what can and is being done to address these threats. Regulators tasked with overseeing critical infrastructure are taking the situation very seriously. Last fall, in a dramatic assessment of the ability of the nation's electrical infrastructure to withstand a significant and prolonged assault, the North American Electric Reliability Corporation (NERC), in cooperation with thousands of engineers, utility executives, cyber specialists and FBI agents, conducted a two-day emergency drill involving simulated physical and cyber attacks at numerous locations throughout the country. The New York Times described the exercise as an "unprecedented continental-scale war game" where millions of hypothetical customers were left without power and numerous transmission lines and substations were "damaged or destroyed".⁴

Known vulnerable points on the US grid were the primary focus of the mock attack, but the drill also involved multiple other strikes of varying scale – both cyber and physical – at a host of other locations. Data from the drill is still being analyzed, but the project has allowed utility leaders and operators to assess their own responses and to begin to think about changes that should be made.

Meanwhile, a number of coordinated national efforts to address critical infrastructure vulnerability are under way. On the cyber side, perhaps the most visible project has been the development of the National Institute of Standards and Technology (NIST)'s voluntary framework for improving critical infrastructure cybersecurity.⁵ The project was initiated pursuant to a 2013 Executive Order⁶ issued after several years of congressional inaction on the matter.

The NIST framework, released in February of this year, is the result of cooperation by public and private sector entities to craft a set of standards, best practices and guidelines that can be adapted to manage a variety of risks across industries, with flexibility built in to accommodate differing business needs, resources available to manage cyber risks, and risk tolerances.

The guidelines and recommendations "focus[] on using business drivers to guide cybersecurity activities and consider[s] cybersecurity risks as part of the organization's risk management processes." The principles and best practices set forth in the framework are designed so that they can be used by organizations both with and outside the US, "regardless of size, degree of cybersecurity risk, or cybersecurity sophistication."

Government oversight may not be enough

While many applaud the NIST framework, skeptics have expressed reservations about both the voluntary nature of the framework and about the organization's track record in security standards. Specifically, some critics have pointed out that while NIST should be well-versed in the subject matter because it already oversees security standards applicable to government systems, the government has not earned an "A" grade in protection of its own systems.

The Senate Homeland Security and Governmental Affairs Committee in February issued a report that finds cyber breaches are "disturbingly common" in the government's own systems.⁷ "[A]gencies – even agencies with responsibilities for critical infrastructure, or vast repositories of sensitive data – continue to leave themselves vulnerable, often by failing to take the most basic steps toward securing their systems and information," the report says.

Among a list of unflattering criticisms of government agency data protection, the report says that the Department of Homeland Security has failed to implement "the sort of basic security measure[s] that just about any American with a computer has performed." It also notes that frustration with some government agency IT departments and procurement processes have driven some government offices to "effectively [go] rogue – by buying and deploying their own computers and networks without the knowledge or involvement of the [government's] so-called IT experts."

Also highlighted is the Nuclear Regulatory Commission's storage of "sensitive cybersecurity details for nuclear plans on an unprotected shared drive, making them more vulnerable to hackers and cyberthieves." The Department of Defense and the General Services Administration have also both issued reports this year urging the importance of buttressing the government's own cyber security, and the Director of National Intelligence told Congress in February that cyber threats top the list of the annual global threats assessment.⁸

Improving security of the electrical gird

Separate from the NIST initiative, the Federal Energy Regulatory Commission (FERC) has taken steps to improve security – both physical and cyber – of the electrical grid. That agency has directed utilities to implement controls such as system security management, recovery plans and vulnerability assessments, and is requiring public utilities to meet increasingly stringent critical infrastructure reliability standards.

What is new, however, is the more flexible approach that FERC has taken, including a number of tailored protections that are applied in varying degrees depending on an entity's potential impact on the grid.⁹

FERC has also just directed NERC to come up with new reliability standards to require regulated entities "to take steps or demonstrate that they have taken steps to address physical security risks and vulnerabilities related to the reliable operation of the Bulk-Power System" -- the large interconnected electrical system made up of generation and transmission facilities and their control systems -- with particular focus on facilities "that, if rendered inoperable or damaged, could have critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System."¹⁰

In the case of the electrical grid, the regulators may be preaching to the choir. Many utilities are currently faced with an immediate need to replace or improve aging infrastructure and equipment. Grid security is just one more reason that investments in improvements are needed. Whether caused by a storm, failure of outdated equipment, cyber attack or physical vandalism, the interruption of power is not good for business. In fact, utilities are expected to spend more than $7 billion on infrastructure security over the next five to seven years.

Some measures will be small, such as improved monitoring of critical infrastructure sites. Bigger ticket items are already being addressed as a means of "hardening" utility assets against extreme weather, with the added benefit that technologies that would improve resiliency during violent or extreme weather conditions could also help to mitigate or prevent physical attacks on the grid. Some of these investments may require regulatory approval, and there may be constraints related to existing rate structures and on-going disputes over socialization of infrastructure costs, but these challenges are not new to utilities.

The greater challenge may be reconciling an often sluggish regulatory pace with the urgency of making necessary changes. One unmistakable lesson from the California incident is that something far more commonplace and far less powerful than a once-in-a-century storm has the potential to cause a huge disruption, and there is no luxury of time to get it right.

Customizing real-time solutions requires flexibility

On the cyber side, as both the NIST and FERC approaches recognize, there will be no one-size-fits-all solution to what is a continuously evolving problem. A flexible, even voluntary, approach may be the most workable blueprint out there, as rigid regulation can accomplish only so much.

Despite cries for more regulation, it can take years for rules to be crafted and implemented under the best of circumstances. In the context of cyber security, creation of safeguards is all the more difficult because the target is always moving. Technology advances occur far faster than lawmakers can react. Measures that are static and do not have an adequate degree of flexibility to respond quickly to change are doomed to fall short of their goals during the lag time it takes to address or even understand the implications of new developments.

The private sector, working cooperatively with regulators, is far more likely to make real progress. The risks and resources may vary from one sector or enterprise to another, but the goal of preventing disruption is shared. Establishing guidelines or minimum benchmarks, and then allowing those most impacted to design creative, customized solutions in real time rather than trying to conform to rules that are outdated as soon as they are enacted, may be the only approach.

The one certainty is that both cyber and physical security require attention. To focus too much on the cyber side ignores at least half of the risk, and probably ignores the more immediate threat.

Footnotes

1. See Military-Style Raid on California Power Station Spooks U.S., Foreign Policy (Dec. 27, 2013).

2. See http://online.wsj.com/news/articles/SB10001424052702304851104579359141941621778.

3. See http://www.dhs.gov/news/2013/05/16/written-testimony-nppd-house-homeland-security-subcommitteecybersecurity-hearing; see also Electric Grid Vulnerability: Industry Responses Reveal Security Gaps (May 21, 2103).

4. See Attack Ravages Power Grid. (Just a Test.), The New York Times (Nov. 14, 2013).

5. The NIST framework.

6. Executive Order - Improving Critical Infrastructure Cybersecurity (Feb. 12, 2013)

7. See "The Federal Government's Track Record on Cybersecurity and Critical Infrastructure".

8. See James R. Clapper, Director of National Intelligence, Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community (Feb. 4, 2014).

9. See http://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity.asp.

10. See FERC Directs Development of Physical Security Standards (March 7, 2014). See also Reliability Standards for Physical Security Measures, Order Directing Filing of Standards, FERC Docket No. RD14-6-000, 146 FERC ¶ 61,166 (2014).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.