Bridging the Gaps

Security experts nervously eye critical infrastructure that is increasingly vulnerable to failure and sabotage.

After the bridge carrying Interstate 35W across the Mississippi River in Minneapolis collapsed on Aug. 1, 2007, during the evening rush hour, killing 11 people and injuring more than 100, there was a lot of hand-wringing about the state of the country's infrastructure. The American Society of Civil Engineers estimates the nation has to invest $1.6 trillion over a five-year period just to bring bridges, roads, waterways, dams, and water and sewage systems up to par. More than 160,000 bridges alone are in need of repair.

But those numbers mask an even deeper problem with the nation's infrastructure, security professionals say. The growing interdependence of various economic sectors-banking, energy, transportation and others-and vulnerabilities in the electronic bridges that link them are exposing Americans to ever more serious threats.

If a bridge collapse in the middle of the country appears to be a local tragedy (and regional transportation headache) but not a national threat, consider what happened when a tree branch fell onto electric transmission lines in Ohio in August 2003. The subsequent local power failure triggered a massive blackout across much of the Midwest and Northeast and Ontario, Canada. More than 50 million people lost power and much of the affected area was out for days. More than 100 power plants, 22 of them nuclear facilities, shut down. Officials in the United States and Canada estimated economic losses at $6 billion.

The main cause of all this turmoil? First Energy Corp.'s failure to trim trees in the path of its transmission lines, according to the 2004 final report of the U.S. Canada Power Systems Outage Task Force.

"Critical infrastructure is overworked, out of date and crumbling in so many ways," says Richard Cooper, formerly the business liaison director for the Homeland Security Department's Private Sector Office and now a principal at the Washington-based public relations firm Olive, Edwards and Cooper.

But the biggest vulnerability, Cooper believes, is in the computer systems and networks that undergird all that vital physical infrastructure. "The cyber piece has become the central nervous system to everything else. One person at the stroke of a key can literally send infrastructure into a tailspin. We look at weapons of mass destruction as things that can cause a lot of carnage. I would argue there are people capable of creating [the same kind of] effects with the stroke of a key."

In January, Tom Donahue, a CIA cybersecurity analyst, created a stir at the Process Control and Security Summit, a meeting in New Orleans of utility industry engineers and security managers, when he described at least two cases in which hackers had infiltrated electric utility networks outside the United States to create power outages in schemes to extort money from foreign governments.

Casey Potenzone, who attended the briefing as the chief information officer at Uniloc USA, a technology security company in Irvine, Calif., says government needs to be working with industry to establish security standards that go beyond traditional stovepipes. This is especially an issue at the municipal level, where the business focus has been on improving efficiency and public access to information by linking formerly closed technology systems to the Internet, he says.

"When you look at the capacity for disruption, it's huge," says Potenzone. He cites the case of two high-ranking transportation engineers in the Los Angeles automated traffic surveillance center now facing felony charges stemming from unauthorized access to the city's computer system in the fall of 2006. On the eve of a transportation workers strike, they allegedly tampered with signal settings at busy intersections to create traffic chaos unprecedented even in Los Angeles. It reportedly took authorities four days to undo the damage.

While Homeland Security and other federal agencies have been working with industry leaders to shore up critical infrastructure in specific sectors, such as energy, transportation, agriculture and banking (a year ago this month DHS issued 17 sector-specific plans to improve infrastructure protection), networked municipal-level systems have largely remained out of the loop, Potenzone says: "These are traditional engineers serving their communities. They aren't hard-core IT [professionals]."

Potenzone believes the government should impose security standards as a condition for receiving federal money: "You should not be able to accept federal funds, process taxpayer records, if you don't follow certain standards."

Standards are an important part of the solution, Cooper agrees, but notes that changes in technology generally outpace the ability of standards-setting bodies to adopt rules. "I think the biggest difficulty you have with standards associated with any infrastructure is the length of time it takes to get them assembled, approved and out. Most standards literally take years. It's not a process for the impatient," he says. For standards to be effective, "they've got to be on the fast track."

In addition, Cooper and others advocate the need for greater resiliency-the ability to bounce back from a crisis-among critical infrastructure operators in both the public and corporate realms. Resiliency is achieved by developing viable continuity of operations plans and alternative business operations that can be used in a crisis, whether that's a natural disaster or a terrorist attack. Darryl Moody, president and chief operating officer of Resilient Corp. in Washington, says, "The nation must accept that 100 percent protection and security is unattainable, but maximizing resiliency is a must."

Insurance companies, credit rating organizations, shareholders and other entities need to begin measuring and demanding resiliency, Cooper says. In the meantime, the nation is taking a huge gamble by failing to address the risk inherent in its aging infrastructure, he says: "We're hoping the cards come up the way we want, but at some point we're going to lose our shirt, if not more."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • The Big Data Campaign Trail

    With everyone so focused on security following recent breaches at federal, state and local government and education institutions, there has been little emphasis on the need for better operations. This report breaks down some of the biggest operational challenges in IT management and provides insight into how agencies and leaders can successfully solve some of the biggest lingering government IT issues.

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download
  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

    Download

When you download a report, your information may be shared with the underwriters of that document.