U.S. Critical Infrastructure

Critical Infrastructures play a major role in American society. They are considered critical by the U.S. White House because they are essential to the everyday life functions of American Citizens. It is necessary to protect these critical infrastructures from outside cyber threats. If affected by a cyber threat, the threat could halt American life as we know it. The U.S. government is taking precautionary measures to protect these critical infrastructures. This article discusses the critical infrastructures, the readiness to protect them, compares the readiness to Japan, and relates the findings to my personal work experience in the IT industry.

The White House of the United States considers 16 sectors to be critical cyber infrastructures. These 16 sectors are Chemical, Commercial Facilities, Communication, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agricultures, Government Facilities, Healthcare and Public, Information Technology, Nuclear Reactors, Materials, and Water, Transportation Systems, and Water and Wastewater Systems. Each Sector was selectively chosen by the Department of Homeland Security (DHS) because they are essential to the proper functioning, economy, health, and safety of American society [2] and have a designated Sector Risk Management Agency.

The Department of Homeland Security is the designated Sector Risk Management Agency for the following critical infrastructure sectors: Chemical, Communications, Commercial Facilities, Critical Manufacturing, Dams, Emergency Services, Government Facilities, Information Technology, Nuclear Reactors, Materials and Waste and Transportation Systems [1]. The U.S. Department of Defense is the designated Sector Risk Management Agency for the Defense Industrial Base critical infrastructure sector [1]. The Department of Energy is the designated Risk Management Agency for the Energy Sector [1]. The Department of Treasury is the designated Risk Management Agency for the Financial Services Sector [1]. The Department of Agriculture and the Department of Health and Human Services are the designated Risk Management Agency’s for the Food and Agriculture Sector [1]. The Department of Health and Human Services is the designated Risk Management Agency for the Healthcare and Public Health Sector [1]. The Environmental Protection Agency is the designated Risk Management Agency for the Water and Wastewater Systems Sector [1]. Each Risk Management Agency has been tasked to identify, protect, detect, respond, and recover from cyber threats [2].

The individual critical infrastructure’s that support each sector play a critical role and are vital for the routine lives of American citizens [2]. Due to their critical role in American society, it is necessary to protect the critical infrastructures from cyber-attacks. If the critical infrastructures are disrupted, life as we know it could come to a halt and may threaten American Citizen’s lives or a states sovereignty [2]. The industry has made a few statements regarding the U.S. readiness to protect those listed infrastructures such as “To deal with terrorist threats, the government must engage in more deeply rooted collaboration with the private sector” [3]. Private firms have the incentive to fund risk management assessments for their individual vulnerabilities, but it is not enough. For many, the cost of reducing vulnerabilities is greater than the benefit of reduced cyber-attacks [3]. From 2010 to 2016, the number of cyber-attacks has increased exponentially. In 2010, it was recorded to have 39 cyber-attacks within the year [4]. In 2016, that number increased to 290 [4]. One of the recorded U.S. attacks was an information leak due to attacks targeting at U.S./Canada aero-defense firms/air carriers and energy businesses including EU ones [4]. The cause for this attack was a malware (Havex) infection of SCADA systems due to attacks by Dragonfly hacker group [4]. Dragonfly was able to infiltrate the energy companies by using phishing attempts [5]. To combat Dragonfly, private firms have invested in Multi-Factor authentication (MFA). Although MFA provides an extra blanket of security, it’s not enough. A few other precautionary methods that are now being considered are the validity of an employee’s device, next generation firewalls, and next generation IPS [5].

While working for a tech consulting company, many cyber-attack issues and concerns are regularly discussed. From January 2021 to September 2021, we have had three clients come to us for assistance to combat cyber-attacks. Company “A” underwent three phishing attempts, company “B” underwent one phishing attempt, and company “C” underwent a malware attack before seeking our assistance. To combat the phishing issues, my company has implemented and deployed a product called Duo Security. Duo Security provides MFA through user and device validation and protects every application the company wishes to protect. My company also conducts monthly phishing attempt tests to help strengthen the security of our client’s data. To combat the malware attempt, my company took extreme measures and reprogrammed, redeveloped, and re-networked an entire system. We worked diligently to set up new servers and move all the client’s data and application logic to new locations. Since our assistance, the three companies have not experienced a new cyber-attack.

The Presidential Policy Directive for Critical Infrastructure Security and Resilience (PPD) is an effort to unify, strengthen, and maintain secure, functioning and resilient infrastructure [6]. The PPD is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities and public and private owners and operators of critical infrastructure [6]. The policy states “The Federal Government shall work with critical infrastructure owners and operators and SLTT entities to take proactive steps to manage risk and strengthen the security and resilience of the Nation’s critical infrastructure, considering all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. These efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure” [6]. There are three strategic imperatives that shall be driven by the Federal government: 1. Refine and clarify the relationships across the government to advance national unity, 2. Enable effective information exchange (e.g. data) and 3. Implement an integration analysis function to inform planning operations decisions [6]. With this in mind, the government has designated specific Risk Management Agency’s per critical infrastructure sector as mentioned above. Each Risk Management Agency has their own individual roles and responsibilities to help protect the critical infrastructures.

Japan’s Chief Cabinet Secretary Katsunobu Kato has outlined its 2021 cyber security plan which has been finalized by the special task force on cybersecurity strategies [7]. Kato instructed the members to “enhance defense, deterrence and assessment capabilities and strengthen cooperation among relevant bodies to protect security interests” [7]. In 2015 the National Centre of Incident Readiness and Strategy for Cyber Security (NISC) was created to serve as collaborative framework enhancing partnerships between the government, industries, and academia, and public and private sectors [7]. Since NISC’s creating, Japan has taken a few measures to combat cyber-attacks. Japan emphasizes the use of indigenous services and equipment and plans to make inexpensive, effective, and accessible security services and simple insurance products widely available [7]. Japan has also deployed its DX strategy which enables businesses innovation and incorporated digital technologies into their operational processes, products, solutions, and customer interactions. With this deployment, Japan seeks to provide IT or security knowledge to human recourses who may not have the necessary expertise [7]. Japan has also committed strength to enhance their Self Defense Forces and other government institutions which will help in detecting, identifying, and investigating the attackers [7]. Japan’s strategy calls for enhancing the Japan-US alliance by joining forces with the Japanese Self Defense Forces and US Forces [7]. This initiative also seeks to secure safety of key infrastructure for overseas communications such as submarine communication by joining forces with the Indo-Pacific region, including members of the Association of the Southeast Asian Nations (ASEAN) [7].

Japan is taking similar initiatives as the U.S. when combating cyber-attacks. With Japan’s proposed initiatives and the current U.S. initiatives in place, together the alliance can proactively deter cyber-threats and attacks. Cyber attacks and threats are non- discriminatory, the malicious intent by outside enemies is affecting U.S. citizens and the lives of our fellow allies. This an important factor, due to the trade and foreign polices that are currently in place. Our lives are intertwined and dependent of one another on a global scale. Collectively, private firms, IT personnel, and Federal, and foreign government alliances should work in a partnership to protect critical infrastructures. It is a necessary measure since critical infrastructures are essential to the proper functioning, economy, health, and safety of American society. Together we have a responsibility to protect our citizen’s livelihood. Analyze the Whitehouse actions and recommendations to fortify the U.S. critical infrastructure. Compare U.S. cybersecurity readiness to that of another country.

Resources:

[1] Cybersecurity & Infrastructure Security Agency. (October 21, 2020). Cyber Infrastructure Sectors. Retrieved from Cybersecurity & Infrastructure Security Agency https://www.cisa.gov/critical-infrastructure-sectors

[2] Tripwire Guest Authors. (May 31, 2021). U.S. Critical Infrastructure: Addressing Cyber Threats and the Importance of Prevention. Retrieved from The State of Security https://www.tripwire.com/state-of-security/featured/critical-infrastructure-addressing-cyber-threats-importance-of-prevention/

[3] P. Auerswald, L. Branscomb, T. La Porte, E. Michel-Kerjan. (2005). The Challenge of Protecting Critical Infrastructure. Retrieved from Issues in Science and Technology https://issues.org/auerswald/

[4] N. Mutsuo, U. Hirofumi. (n.d.) An Analysis of the Actual Status of Recent Cyberattacks on Critical Infrastructures. Retrieved from NEC https://www.nec.com/en/global/techrep/journal/g17/n02/170204.html

[5] S. Bitchkei. (September 14, 2017). Dragonfly 2.0 Targets Energy Sector Gaining Access to SCADA Systems. Retrieved from Hitachi https://hitachi-systems-security.com/dragonfly-2-0-targets-energy-sector-gaining-access-to-scada-systems/

[6] Office of the Press Secretary. (February 12, 2013). Presidential Policy Directive – Critical Infrastructure Security and Resilience. Retrieved from the White House https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

[7] S. Pradhan. (August 6, 2021). Japan’s new cyber security strategy: Significant dimensions. Retrieved from The Times of India https://timesofindia.indiatimes.com/blogs/ChanakyaCode/japans-new-cyber-security-strategy-significant-dimensions/