“The title of this panel is ‘Critical Infrastructure Vulnerability: Real or Imagined?’” said Foye. “Spoiler alert: the answer is it’s real. It’s really serious, deadly serious.”
Foye said the vulnerability is an issue for every organization in the country—small, medium, and large. He said his own experience heading up the Port Authority of New York and New Jersey exposed him to the dangers and he continues to deal with them at the MTA.
He asked panelists what is the likelihood that some part of the nation’s critical infrastructure will be hacked in the next 36 months and the public will be denied access to electricity, public transit, water, or even their bank accounts.
“One hundred percent,” said Robert Galvin, chief technology officer of Port Authority of New York and New Jersey.
Jargon Must Go
Donna Dodson, Ph.D., chief cybersecurity advisor of the National Institute of Standards and Technology, stressed the need for tech experts to articulate the risks to the various sectors that they serve in language that those sectors understand. She said it falls to those in the scientific and public infrastructure settings to begin to break silos and start speaking in layman’s terms so everyone can comprehend current threats.
“We all have to get better, not cyber people talk to cyber people using 120 acronyms,” she said, noting that every agency, city hall, statehouse, and infrastructure agency uses its own set of letters that mean something to them alone. “If we’re really going to work with these organizations then we need to understand their use of terms, words, and jargons.”
She recalled a recent conversation with her own team about the Internet of things in a medical setting. A tech veteran, she said that when she heard the acronym ‘PAC,’ she assumed it meant Physical Access Control, when in actuality her team was talking about Picture Archive and Communication Systems (PACS) in radiology.
“It’s important to understand the environment and not force cyber to talk cyber and have everyone’s eyes glaze over,” she said.
Michael R. Singer, AVP of technology security at AT&T, agreed that in the process of designing resilience into tech systems “it’s important to be in touch on the human side. You need to continue to invest in your management capabilities.”
Glory, Not Money, as Motive
Galvin noted that the motivations to attack public sector infrastructure are rarely the same as in the commercial sector, where the primary motivator is money.
“In the public sphere it’s not data, but to make a name yourself, it’s ‘I’d love to be able to take over a train or the signage over the George Washington Bridge,’” he said.
He added the tech community could learn a lot from the engineering disciplines, which have been working together for hundreds of years.
“We have to come together as two different disciplines,” he said.
Cooperation is Key
Ben Miller, VP of threat operations at Dragos, concurred. He said that while most of the focus has been on the architecture behind systems to strengthen and fend off attacks, of equal importance is the staff that monitors the system through operational technology (OT). He said such defense cannot be shouldered by IT teams alone; it must include OT engineers who understand how the respective systems work, whether it’s water supplies or electrical grids.
“The fact that people think of technology in terms of smartphones and the computer at their desk is a real problem for us,” he said. “The plumbers, the electricians, the facility managers, all the people who are out doing work in industrial control systems don’t think of them as computers.”
He said OT systems can be hacked, and that can shut down the facilities. Until OT engineers think of their systems as computers, efforts to warn of cyber dangers fall flat. And, he said, the only way for IT people to really understand what is going on is to go out and become familiar with the work of OT.
Miller concurred and reiterated Dodson’s point on communication, particularly in educating the general public in terms they can understand. He cited the scientific community’s concerted effort to educate the public about the dangers of global warming as a model for the cybersecurity industry.
‘It Isn’t Magic’
“They [the scientists] embarked on a campaign; we need a similar effort in terms of tech, we need to teach everyone a little bit in terms they can understand,” he said. “For too long there’s been a guy in a black turtleneck sweater standing up saying ‘It is magic.’ It isn’t magic. It’s protocols, engineering, software, and hardware that’s all it is.”