With the recent cyberattack on the Colonial Pipeline leaving much of the East Coast without gasoline during the six-day outage, a vulnerability assessment of the country’s critical infrastructures is long past due.
Significant cyberattacks in the past decade include the Equifax breach of 147 million records (almost 42% of the U.S. population) in 2017, a breach of 22.1 million records of the U.S. Office of Personnel Management in 2015, and the possible theft of about 37.5 million Anthem Blue Cross medical records in 2015.
So far, the United States has managed to hinder attacks on water systems and electric grids, but how long will this last as attacks become more sophisticated and resourceful?
I have been telling my students at Regis University for years that the next war launched against the U.S. will not be a military attack but a massive cyberattack, and it appears we’re seeing the beginnings of these events.
We must re-evaluate our critical infrastructures that, if attacked, could paralyze our country. These critical infrastructures include power grids, water supplies, nuclear facilities, telecommunication systems and supply chains but could include other critical services and systems.
Once these infrastructures are identified, we need to determine their boundaries. Every circuit, connection, switch and router must be assessed to determine its network boundary. We need to know where every connection leads and isolate each connection. The purpose is to ensure we know the complete system and to prevent any rogue connections that would allow an attacker to gain access.
Under President Joe Biden’s infrastructure plan, funding must be appropriated to re-establish these infrastructures as closed networks. In other words, these infrastructures need to consist of private operation centers, ensuring that all communication mainlines (called “trunks”) and circuits, switches and routers are closed, self-contained and maintained.
They need to be provided a level of security that mirrors that of the most secure U.S. government networks that maintain our highest level of classified data and information.
U.S. infrastructures need to become controlled, private networks without any public or commercial infrastructure or connections, which would eliminate the external threat. No external source could hack into such a secured environment.
With such protections in place, an attack could only be initiated from inside the company or agency. With sufficient monitoring tools, the attacker could easily be caught.
The key here is to ensure that all critical infrastructure equipment and devices are internally controlled: There would be no internet connections and no use of public carrier mainlines and switches. This would preclude using a home computer, smartphone or any other device that has access to the internet or has any wireless capability. All devices would be owned and used solely by each respective infrastructure operation.
Additionally, redundancy and backups need to be built into our infrastructures’ architecture, so that if one grid, section, or component fails, another area seamlessly takes over the operation until the primary units are brought back online.
Finally, we need to continuously monitor all these infrastructure systems for anomalies, so that swift protective measures can be deployed immediately.
Will this have a sizable price tag for the U.S. government and businesses? You bet. However, with all the political and controversial spending that Congress approves, we ought to be able to spend what it takes to protect our country, our people and our way of life.
The U.S. already spends more than a trillion dollars on traditional national security measures; the federal government must include protecting our critical infrastructures in its defense budgets.
Do we want to be proactive and ensure the protection of critical infrastructures or do we want to spend at least three times more in cleanup costs after a catastrophic event that could affect — even harm — millions of Americans?
This predicament is not new. The age-old argument of convenience vs. security comes into play. Recall the adage “an ounce of prevention is worth a pound of cure.”
I hope our nation sees clearly that prevention is the safest way forward.
Bob Bowles is the director of the Center for Information Assurance Studies at Regis University in Denver, and a Certified Information Systems Security Professional with over 30 years of cybersecurity experience.