Bridging the Gaps

Security experts nervously eye critical infrastructure that is increasingly vulnerable to failure and sabotage.

After the bridge carrying Interstate 35W across the Mississippi River in Minneapolis collapsed on Aug. 1, 2007, during the evening rush hour, killing 11 people and injuring more than 100, there was a lot of hand-wringing about the state of the country's infrastructure. The American Society of Civil Engineers estimates the nation has to invest $1.6 trillion over a five-year period just to bring bridges, roads, waterways, dams, and water and sewage systems up to par. More than 160,000 bridges alone are in need of repair.

But those numbers mask an even deeper problem with the nation's infrastructure, security professionals say. The growing interdependence of various economic sectors-banking, energy, transportation and others-and vulnerabilities in the electronic bridges that link them are exposing Americans to ever more serious threats.

If a bridge collapse in the middle of the country appears to be a local tragedy (and regional transportation headache) but not a national threat, consider what happened when a tree branch fell onto electric transmission lines in Ohio in August 2003. The subsequent local power failure triggered a massive blackout across much of the Midwest and Northeast and Ontario, Canada. More than 50 million people lost power and much of the affected area was out for days. More than 100 power plants, 22 of them nuclear facilities, shut down. Officials in the United States and Canada estimated economic losses at $6 billion.

The main cause of all this turmoil? First Energy Corp.'s failure to trim trees in the path of its transmission lines, according to the 2004 final report of the U.S. Canada Power Systems Outage Task Force.

"Critical infrastructure is overworked, out of date and crumbling in so many ways," says Richard Cooper, formerly the business liaison director for the Homeland Security Department's Private Sector Office and now a principal at the Washington-based public relations firm Olive, Edwards and Cooper.

But the biggest vulnerability, Cooper believes, is in the computer systems and networks that undergird all that vital physical infrastructure. "The cyber piece has become the central nervous system to everything else. One person at the stroke of a key can literally send infrastructure into a tailspin. We look at weapons of mass destruction as things that can cause a lot of carnage. I would argue there are people capable of creating [the same kind of] effects with the stroke of a key."

In January, Tom Donahue, a CIA cybersecurity analyst, created a stir at the Process Control and Security Summit, a meeting in New Orleans of utility industry engineers and security managers, when he described at least two cases in which hackers had infiltrated electric utility networks outside the United States to create power outages in schemes to extort money from foreign governments.

Casey Potenzone, who attended the briefing as the chief information officer at Uniloc USA, a technology security company in Irvine, Calif., says government needs to be working with industry to establish security standards that go beyond traditional stovepipes. This is especially an issue at the municipal level, where the business focus has been on improving efficiency and public access to information by linking formerly closed technology systems to the Internet, he says.

"When you look at the capacity for disruption, it's huge," says Potenzone. He cites the case of two high-ranking transportation engineers in the Los Angeles automated traffic surveillance center now facing felony charges stemming from unauthorized access to the city's computer system in the fall of 2006. On the eve of a transportation workers strike, they allegedly tampered with signal settings at busy intersections to create traffic chaos unprecedented even in Los Angeles. It reportedly took authorities four days to undo the damage.

While Homeland Security and other federal agencies have been working with industry leaders to shore up critical infrastructure in specific sectors, such as energy, transportation, agriculture and banking (a year ago this month DHS issued 17 sector-specific plans to improve infrastructure protection), networked municipal-level systems have largely remained out of the loop, Potenzone says: "These are traditional engineers serving their communities. They aren't hard-core IT [professionals]."

Potenzone believes the government should impose security standards as a condition for receiving federal money: "You should not be able to accept federal funds, process taxpayer records, if you don't follow certain standards."

Standards are an important part of the solution, Cooper agrees, but notes that changes in technology generally outpace the ability of standards-setting bodies to adopt rules. "I think the biggest difficulty you have with standards associated with any infrastructure is the length of time it takes to get them assembled, approved and out. Most standards literally take years. It's not a process for the impatient," he says. For standards to be effective, "they've got to be on the fast track."

In addition, Cooper and others advocate the need for greater resiliency-the ability to bounce back from a crisis-among critical infrastructure operators in both the public and corporate realms. Resiliency is achieved by developing viable continuity of operations plans and alternative business operations that can be used in a crisis, whether that's a natural disaster or a terrorist attack. Darryl Moody, president and chief operating officer of Resilient Corp. in Washington, says, "The nation must accept that 100 percent protection and security is unattainable, but maximizing resiliency is a must."

Insurance companies, credit rating organizations, shareholders and other entities need to begin measuring and demanding resiliency, Cooper says. In the meantime, the nation is taking a huge gamble by failing to address the risk inherent in its aging infrastructure, he says: "We're hoping the cards come up the way we want, but at some point we're going to lose our shirt, if not more."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
FROM OUR SPONSORS
JOIN THE DISCUSSION
Close [ x ] More from GovExec
 
 

Thank you for subscribing to newsletters from GovExec.com.
We think these reports might interest you:

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Cyber Risk Report: Cybercrime Trends from 2016

    In our first half 2016 cyber trends report, SurfWatch Labs threat intelligence analysts noted one key theme – the interconnected nature of cybercrime – and the second half of the year saw organizations continuing to struggle with that reality. The number of potential cyber threats, the pool of already compromised information, and the ease of finding increasingly sophisticated cybercriminal tools continued to snowball throughout the year.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • GBC Issue Brief: The Future of 9-1-1

    A Look Into the Next Generation of Emergency Services

    Download
  • GBC Survey Report: Securing the Perimeters

    A candid survey on cybersecurity in state and local governments

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download
  • eBook: State & Local Cybersecurity

    CenturyLink is committed to helping state and local governments meet their cybersecurity challenges. Towards that end, CenturyLink commissioned a study from the Government Business Council that looked at the perceptions, attitudes and experiences of state and local leaders around the cybersecurity issue. The results were surprising in a number of ways. Learn more about their findings and the ways in which state and local governments can combat cybersecurity threats with this eBook.

    Download

When you download a report, your information may be shared with the underwriters of that document.