Embeddedadvisor
US
APAC
EUROPE
  • Home
  • Insights
  • Whitepaper
  • Conferences
  • Newsletter
  • Subscribe
  • News
  • About us
Go to...
  • Home
  • Insights
  • Whitepaper
  • Conferences
  • Newsletter
  • Subscribe
  • News
  • About us
  • Categories

  • IP Design
  • Telecom
  • Wearables and Sensor
  • Consumer Electronics
  • IoT
  • More
      • Industrial Computing
Go to...
  • Categories

  • IP Design
  • Telecom
  • Wearables/Sensor
  • Consumer Electronics
  • IoT
  • Industrial Computing
×
#

Embedded Advisor Weekly Brief

Be first to read the latest tech news, Industry Leader's Insights, and CIO interviews of medium and large enterprises exclusively from Embedded Advisor

Subscribe

loading

THANK YOU FOR SUBSCRIBING

  • Home
  • Insights
  • PCB Design and Engineering
Editor's Pick(1 - 4 of 8)
left
ECM - Ease of Storage is the New Challenge

Douglas Duncan, CIO, Columbia Insurance Group

The Inflight Connectivity Conundrum

Chris Moore, Former EVP & CIO, Sun Country Airlines and CIO Consultant, Freelance Consulting

Hiding in Plain Sight: The DNA Molecule as Next-Generation Cyber-Physical Network Security

Judy Murrah, CIO, Applied DNA Sciences Inc

Telecom's Top 6 Trends: What You Should Know

Cam Ewoldt, Manager, Transport Networks, Great Plains Communications

What's New in PCB Design? Time to Explore the Low End of the EDA Tool Market written for Embedded Advisor

Randall Restle, Digi-Key Electronics Vice President, Applications Engineering

The Growing Importance of Supply Chain Collaboration in Life Science

Gustavo Salem, Group President, IDEX Health & Science LLC

Chained to Your Desk? Not Anymore, Thanks to Workplace Technology

Mike Marusic, COO, Sharp Electronics Corporation [TYO:6753]

Next Generation MFPs

Matt Smith, VP, Printing Solutions, Samsung Electronics America

right

Critical Infrastructure Cyber Protection: Stronger Deterrence Helps but Isolation and Mitigation Are Essential

By Bruce J. Heiman, Partner ‑ Public Policy and Law, K&L Gates

Tweet

Bruce J. Heiman, Partner ‑ Public Policy and Law, K&L Gates

On September 20, 2018, President Trump signed the National Cyber Strategy of the United States. The Strategy has four pillars, the first of which is to protect the American people, the homeland and the American way of life. Securing critical infrastructure is a key component of that effort. That strategy recognizes that information and communications technology underlies every sector in America and calls for managing cyber security risks to increase the security and resilience of the nation’s information and information systems.

The May 2017 Presidential Policy Directive 21 sets forth 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. The National Cyber Strategy states that the government will use a risk-management approach to “mitigating vulnerabilities to raise the base level of cybersecurity across critical infrastructure. We simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure.” The Administration will prioritize risk-reduction activities across seven key areas: “national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.”

Such a focus is fully justified in that selected facilities make attractive targets given that any attack would likely have huge impact with significant externalities. The National Cyber Strategy appropriately continues to rely on government-private sector cooperation and coordination and utilizes best industry practices developed in the global marketplace. Nevertheless, increased government attention to these sectors is also appropriate given they tend to be concentrated in fewer number of larger firms, nearly all of which have previously established relationships with the government, and are often currently regulated. Moreover, critical infrastructure sectors (and their industrial control systems) are today connected to public communication and internet infrastructures that while greatly improving efficiencies and effectiveness, also dramatically increase vulnerabilities.

One important way in which the government proposes to increase protection is through greater deterrence: “We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, is part of a broader deterrence strategy.” Thus on the same day that the President signed the Strategy, the Trump Administration also adopted a new classified Presidential directive authorizing “offensive cyber operations” against U.S. adversaries, which would allow the military and other agencies to undertake those actions necessary to protect the impacted systems and the nation’s critical networks. The new policy also permits speedier action by those closer to the situation unless these measures would result in death, destruction, or significant economic impacts.

Deterring an attack in the first place is clearly the best outcome. But it would be foolish to expect that all attacks will cease. Indeed, the government’s actions to increase deterrence come after repeated calls for industry to improve its defenses. Such steps range from the most simple such as ensuring passwords are regularly changed to cutting-edge deployment of artificial intelligence that are able to recognize in-real time new malware not previously identified.

"Critical infrastructure sectors (and their industrial control systems) are today connected to public communication and internet infrastructures that while greatly improving efficiencies and effectiveness, also dramatically increase vulnerabilities."

But the old adage remains: defenders have to be right every time—an attacker only once. Those seeking to do harm have access to many of the same cutting edge technologies available to defenders. It would be reckless to assume that in the future our adversaries will be completely deterred or be rendered unsuccessful in penetrating our defenses.

The question therefore becomes what to do next? We need to adopt a different paradigm that acknowledges successful attacks will occur despite the government’s efforts at deterrence and industry’s best efforts at prevention. It is time that industry gives greater priority to isolating and mitigating damage as well as facilitating recovery. These usually are defined under the rubric of improving the resiliency of systems. With critical infrastructure, our fault tolerance is quite limited.

Greater attention needs to be paid to designing cyber “fail-safes” that anticipate breaches and respond in a way that minimizes harm. Admittedly this is particularly difficult in systems where continuous reliability is needed, but that clearly illustrates that even greater effort is required.

We’re all familiar with mechanical or physical fail safes—airport luggage carts, lawn mowers, and snow blowers that stop whenever a control lever is released. Similarly air brakes on railway trains, elevator brakes, and isolation/control valves are designed to intercept when system failures occur. Some examples of electronic devices include circuit breakers and industrial alarms. And perhaps front and center in the public consciousness are nuclear reactor control rod automatic shutdowns.

Note that this is not intended to resurrect an internet “kill switch” as some feared was proposed by legislation in 2010, and that would have authorized the President to issue mandatory orders and directives to critical infrastructure systems if a “cyber emergency” was declared. Rather it is a call to the owners and operators of our critical infrastructure, and the developers of the programs they rely upon, to highlight and adopt technologies and automatic processes for isolation and mitigation in the event of an attack.

tag

Information Technology

Artificial Intelligence

Read Also

What's New in PCB Design? Time to Explore the Low End of the EDA Tool Market written for Embedded Advisor

What's New in PCB Design? Time to Explore the Low End of the EDA Tool Market written for Embedded Advisor

Randall Restle, Digi-Key Electronics Vice President, Applications Engineering
The Growing Importance of Supply Chain Collaboration in Life Science

The Growing Importance of Supply Chain Collaboration in Life Science

Gustavo Salem, Group President, IDEX Health & Science LLC
Chained to Your Desk? Not Anymore, Thanks to Workplace Technology

Chained to Your Desk? Not Anymore, Thanks to Workplace Technology

Mike Marusic, COO, Sharp Electronics Corporation [TYO:6753]
Next Generation MFPs

Next Generation MFPs

Matt Smith, VP, Printing Solutions, Samsung Electronics America

Weekly Brief

loading
Top 10 PCB Design and Engineering Solution Companies - 2019

PCB Design and Engineering Special

Featured Vendors

  • ACS Design: Simple, Elegant Electronic Designs
    ACS Design: Simple, Elegant Electronic Designs
  • DISHER: Creating a Positive Ripple in the PCB Industry
    DISHER: Creating a Positive Ripple in the PCB Industry
  • PARPRO: A One-Stop Shop for Design in Manufacturing
    PARPRO: A One-Stop Shop for Design in Manufacturing
  • Sunstone Circuits: Redefining Customer-Centricity in the PCB Landscape
    Sunstone Circuits: Redefining Customer-Centricity in the PCB Landscape

I agree We use cookies on this website to enhance your user experience. By clicking any link on this page you are giving your consent for us to set cookies. More info

Copyright © 2021 Embedded Advisor. All rights reserved. Registration on or use of this site constitutes acceptance of our Terms of Use and Privacy Policy.
follow on linkedin follow on twitter
This content is copyright protected

However, if you would like to share the information in this article, you may use the link below:

pcb-design-and-engineering.embeddedadvisor.com/cxoinsights/critical-infrastructure-cyber-protection-stronger-deterrence-helps-but-isolation-and-mitigation-are-essential-nid-273.html