Forbes: What The Cybersecurity Of Our Critical Infrastructure Can Learn From The Climate Change Debate
December 4, 2018
Contributed by Ira Goldstein, SVP of Corporate Development at Herjavec Group
Even calling climate change a debate stirs emotions in advocates on both sides of the political spectrum. The deniers on one side consider the repeated warnings from scientific authorities and government agencies to be no more than hype. Changes in climate are a cyclical feature of the long arc of human history. The believers on the other side consider complacency in the face of climate change warnings to be nearly criminal.
In some senses, the original believer was the English philosopher Thomas Malthus. One of his most controversial beliefs was that the rising population and inevitable food shortage would lead to the loss of human life as part of a type of natural population control. He believed our natural ecosystem performed “Malthusian Checks” to bring the population level down to a number that our planet could support. Malthus held a pretty grim view of the world that was eventually discredited by technological advancements in food production, globalization and reports that environmental disasters are linked to changes in climate.
How Technology Infrastructure And The Environment Are Linked
Rather than wading into this debate or evaluating Malthus’ place in history, consider the parallels between changes in our environment and changes in the security of the technology that powers our global infrastructure. The critical systems that run our lives -- power, water, waste -- are enabled by technology that has for decades been isolated to support their primary function. These systems are commonly known as operational technology (OT) or, specifically, industrial control systems (ICS).
These are systems built to work, every time, for a very long time, with minimal deviation or error. These services are deemed critical because of the importance of their output to our lives. In the developed world, without any one of these core functions, our modern lives would be turned upside down. In the developing world, several, if not all, of these services are absent, leading to a lack of opportunity or substandard living conditions at worst. We have come to rely on these services as part of normal, daily life, and their presence gives us a sense of security. Without them, our economic productivity would be greatly affected, and we would be left in a perpetual state of insecurity.
Why OT Used To Be All Right
Like evaluating natural disasters in the Malthus era, considering the security of critical infrastructure before the internet was largely unscientific. The systems that powered our critical infrastructure were built in an era when physical security was the primary concern. The attack surface was clear. Critical sites were geographically segregated, with strong perimeter defenses. Staff were trained to follow strict procedures, governed by policies often dictated by government agencies. Barring occasional human error, environmental impact or military threat to the physical sites, time wore on with operations that went mostly undisturbed.
Enter The Internet
For companies and governments that began to operate OT, they rightfully focused on segregating the networks of critical infrastructure from their corporate operations, which were rapidly disrupted through digital transformation. As software ate the modern corporation, OT remained logically and physically separate from those internet-connected networks. Productivity benefits from internet-connected software and services would eventually spread to OT. Only in the last several years has the imperative to connect OT to the internet become strong enough to warrant a new approach to security.
So, What’s The Strategy?
Much of the OT world still maintains the segregation approach, and for good reason. Our essential services run like clockwork -- for the most part. And the disruption to modern OT is still in its infancy. But preparing for a new connected OT future requires careful planning and flawless execution to ensure the consistent delivery of the services that we deem critical.
In the same way that the awareness of climate change is amplified by the frequency and severity of natural disasters, sadly, the security world only stirs from its slumber when a significant hack or service disruption occurs. Those monumental, headline-worthy breaches are the Malthusian Checks of the 21st century. Thankfully, the watershed data breach that impacts OT environments and therefore our critical infrastructure has yet to take place. This is due to a combination of luck, traditional OT segregation controls and the early stages of internet disruption in OT.
Maybe Malthus Was Right When It Comes To OT
The clear parallel between environmental changes and technology innovation is that awareness is tied to visible public events with grand philosophical theories to explain them. While it’s clear that natural disasters are not a population control mechanism, per se, we can understand the science behind how our living ecosystem reacts to stimuli. Similarly, OT networks that run our critical infrastructure must be carefully assessed and secured in light of the ongoing load that internet disruption brings to them. Some tools already exist to approach OT security in a meaningful and differentiated manner, like the SANS Institute's Industrial Control System Cyber Kill Chain and the NIST Cybersecurity for IoT Program.
Let’s hope that it doesn’t take more Malthusian Checks in the form of OT breaches to awaken us to the differentiated security approach required to protect our critical infrastructure.
Original post on forbes.com