The operators of critical national infrastructure (CNI) are in an unenviable position, between the devil and the deep blue sea, as two very different worlds collide.
Most critical infrastructure was built up over a century or more of careful, incremental steps by civil engineers, and they focused on the primary threat they faced – lack of availability.
If you deliver power, water, or anything else that lives depend on, you focus your attention on making sure the service is never interrupted.
You think through scenarios such as natural disasters, extreme weather, even longer-term risks such as climate change. It’s always you against Murphy’s Law – you assume each element will eventually fail, and so you build in double or triple redundancy.
Above all else, the service must stay up, in the face of whatever brute equipment failures or dumb luck with weather comes along. When the enemy is just Murphy’s Law, then you can plan – weather and equipment failures are relentless, but they aren’t malicious, and they aren’t trying to trick you.
Nature of the threat has changed
But now all our CNI is online, and the internet is a very different place. The threat isn’t mindless weather – it’s people, and there are an awful lot of them.
Consider, for a moment, what it means to build a network for seven and a half billion people. Of those people, who are the most malicious? Who are the most motivated, either through boredom or devious intent? Who are the savviest?
Even if 99% of people are no threat, that still leaves over 70 million who are, and even if only one in a million of those is a cyber genius, that’s still quite a lot of clever, connected, motivated people who can do you harm.
These numbers, of course, aren’t hard estimates of how many attackers we face – they just bring home that the internet is full of people, and lots of them, which is a very different kind of threat from, say, natural disasters.
People are tricky – they deceive, they adapt, they overcome. They aren’t like natural disasters or weather – they are far harder to predict, and they go out of their way to avoid detection.
More than a mind-shift
This is more than just a mind-shift from Murphy’s Law to the Law of the Jungle. It’s harder than that, because the very controls we put in place for the old offline world are now becoming the problem.
Take the recent attack on a water treatment plant in Florida – why was that system open to attack? It was open because it was designed for high availability.
The attacker used a shared access terminal, opened up so that plant staff could log in and control things even if they couldn’t be there physically. That is, the attack pathway was a deliberately built system, used to increase availability.
This is the great trade-off – all the things you build into CNI to make sure you can always, always deliver your critical service are the very things that the attackers in the online world exploit.
This is the choice between the devil and the deep blue sea – if you use online resources to give you control, for example so that you can still do your job during a pandemic when you need to work from home, those same online pathways will increase your attack surface, and the first law of internet security is that every defensive gap will be exploited eventually.
Keeping the internet out of your control systems is harder than keeping ants out of your kitchen – they are persistent, and will find even the tiniest gaps.
All hope is not lost
So is all hope lost? Far from it. It is possible to bring CNI into the digital world in secure ways, but the inconvenient truth is that it’s hard to keep it secure.
Building in a secure way is hard enough, but stopping network drift is even harder – in a complex environment, unexpected interactions are commonplace, and the as-built and as-operated network slowly drifts away from the as-designed.
Understanding complex networks is not a great job for human defenders – we are too linear in our thinking. Humans are good at strategy, but weak on checking all the details of complex, interacting defences – that’s a better job for machines.
The goal in defending CNI is to combine human strategic awareness with unceasing review of the technical details, using automation.
Computers do not understand our overarching objectives, but they can scan for defensive gaps, and show how the infinite number of monkeys on the internet can infiltrate and damage our operations.
It then falls to us to do something with that information, in a timely and effective manner.