Critical Infrastructure Security, Resilience, and the Internet of Systems – A U.S. Perspective
Scott W. Tousley
U.S. Department of Homeland Security
Scott Tousley is the Deputy Director of the Cybersecurity Division, a part of the Department of Homeland Security (DHS) Science & Technology organization. He helps lead over 40 personnel and holds an annual research portfolio of around $90 million focused on many aspects of cybersecurity, supporting DHS Components, other government agencies and organizations, and national critical infrastructure sectors. Key areas of this RDT&E portfolio address Cyber Forensics, Insider Threat and Anonymous Networks and Currencies; Cyber-Physical systems and the “Internet of Things”; Mobile Systems cybersecurity; Software Security and Assurance; Critical Infrastructure Security and Resilience; Identity and Privacy; Cybersecurity Education and Training; and many other areas. Working with NIST/Sokwoo Rhee, Scott is helping to lead the GCTC Smart and Secure Cities and Communities Challenge. He served twenty years as an Army officer in the Corps of Engineers, many of these years in interagency technology programs, including the Initial Watch/Warning Unit Chief of the FBI/National Infrastructure Protection Center, part of the Clinton administration’s early engagement with national cybersecurity challenges. His experience also includes managing the operations security team for a large Internet Service Provider, principal with a technology start-up company in the private sector, and program manager for MITRE support to the DHS National Cybersecurity Division. He holds graduate degrees in nuclear engineering from Texas A&M, and national security strategy from the Army Command & Staff College. Mr. Tousley has served ten years with DHS, principally with S&T but also with the Domestic Nuclear Detection Office and several other parts of DHS.
Pervasive and still-growing global connectivity continues to shape and change our world, our economies, our societies, and many elements of human behavior. Along with devices and their software and applications, the underlying infrastructure and critical infrastructure enabling this connectivity continue to grow in both size and complexity, driven by societal and economic demand and innovation. Most elements of this growing “Internet of systems” remain vulnerable to attack, which means all nations and organizations must consider the growing risks present in an ongoing environment of growth and vulnerability. The United States faces perhaps the largest challenge from these risks because of its size and advanced technological and social complexity. Its challenges are reflected elsewhere, in countries such as the United Kingdom, Sweden, the Netherlands, Israel, South Korea, Japan, Australia—and Germany. In this area of challenge—securing the growing Internet of systems—both the United States and Germany should understand and learn from each other because valuable lessons can be drawn in both directions.
This author sees the foundational challenge as the weak and inconsistent quality of many areas of the Internet of systems—design, implementation, operations, awareness, training, etc. Most areas are not good enough or fit enough for their growing economic and social purposes. We also do not have a realistic option of replacing major areas and elements, so we face the most difficult challenge of raising the quality of what we have and operate now, and of steadily building a strong culture of quality across the growing Internet of systems. Different countries may find different ways of improving their Internet of systems quality, so we should all look for successes wherever they may be, and it may be that the long-standing reputation for German industrial efficiency and quality can show us ways to improve.
In 2013, the U.S. government published major new guidance (Executive Order 13636/Presidential Policy Directive 21) addressing Critical Infrastructure Security and Resilience (CISR). This generated a 2015 National CISR Research and Development Plan, and the five priority areas identified in this plan provide good insight into how we might build up the quality of our Internet of systems and Critical Infrastructure. These include: foundational understanding of critical infrastructure systems and systems dynamics; integrated and scalable risk assessment and management approaches; integrated/proactive capabilities, technologies, and methods for secure and resilient infrastructure; leveraging data sciences for stronger situational awareness and actions consequences; and building a cross-cutting culture of CISR R&D collaboration.
This final priority area of cross-cutting culture is very important, for two reasons. First, the Internet of systems is impacting every area of our economies and societies, including communications, power, health care, transportation, and government, so every area is seeing a cross-cutting culture of change. And second, education is also a foundational element of the long-term evolution of the Internet of systems challenge. Successful education and training and cultural change are necessarily intertwined.
Another major element of the EO13636/PPD-21 guidance was for NIST to lead development of a Cybersecurity Risk Framework that can help all the different critical infrastructure areas engage their growing risk management challenges. This framework was completed and has recently been updated, and it has provided a common foundational approach for different critical infrastructure “sectors”, including electricity, transportation, health care, and communications, to raise the quality of their risk management. The framework approach has helped many different critical infrastructure sectors and organizations strengthen their risk management of critical infrastructure security and resilience. However, this approach is not the end of what is needed, because the risk management challenge grows ever more complex, from (A) the growing degree of mobility of the various systems and components, (B) the still-growing complexity and resilience uncertainty of the Internet of systems, and (C) the challenge of managing connected efforts of complex systems design, operations, safety, and security. Several difficulties recur in strengthening our critical infrastructure risk management capabilities. First, architectural approaches, strategies, and implementations differ, so risk management across different critical infrastructure areas and systems remains more hand-crafted than standardized. Second, software quality remains inconsistent and often weak, and every critical infrastructure system is foundationally dependent on the software that operates and secures it. Third, there are difficulties of resiliency, in balancing a focus on known, chronic difficulties against real vulnerabilities and risks that manifest only occasionally.
For several years, the National Institute of Standards and Technology (NIST) has been coordinating the Global Cities Team Challenge (GCTC), supporting a cross-flow of ideas and experiences for how cities and communities throughout the country (and internationally) have been addressing the Internet of systems challenge across their cities and communities. There are clear connections between critical infrastructure security and resilience, and the security and quality of how cities and communities are growing and leveraging these capabilities. But it is interesting to note that the initial years of the GCTC effort generated little focus or insight about how “smart cities and communities” could be secured, made resilient, and support privacy considerations. This is why the current year GCTC program, guided by NIST and DHS Science & Technology, is focused on the Security and Privacy of Smart Cities and Communities nationwide, again showing the pervasive challenges of the Internet of networks.
Another key challenge is that of the public-private partnership. Most areas of the critical infrastructure security and resilience problem operate astride public and private sector organizations, rather than one or the other. Threats, protection, monitoring, response, and recovery are almost all combinations of public and private sector efforts, against both chronic and infrequent areas of the challenge. However, the foundational motivations of public and private organizations remain different (stability versus profit, as one version), and combined public and private organizations are still early in their development and a small part of our current capabilities. So the public/private organizational construct may remain somewhat limited for some time as a source of capabilities against our Internet of systems challenges.
In many problem areas, we see very real challenges that go by names such as counterintuitive, wild cards, paradoxes, etc. Our Internet of systems and CISR challenges are this way also. Strategies of structure and compliance collide with instincts to innovate and “hack the solution,” and this tension plays out in all areas of security. We must do a far better job measuring our systems and their performance, and yet many areas of our Internet of systems challenges remain not very measurable and reflective of the diffusive principles of entropy. Should we choose to orient more on chronic or infrequent problems, or on the most likely or the most dangerous? Increasingly, what might the insurance perspective about our Internet of things and Critical Infrastructure challenges tell us?
In closing, threats to Critical Infrastructure and the Internet of systems come from many different sources—nation-state organizations, criminal enterprise organizations, and other, more limited threats that can still at times cause great damage. These threats come at the many vulnerabilities of the Internet of systems throughout our countries, economies, and societies. And we are usually defending against these threats with a shifting and imperfect combination of public and private sector organizations, against both chronic and infrequent areas of the challenge. Years ago, this author worked with and learned a great deal about the very large capabilities of the civil side of the (West) German military organization, the Wehrbereichskommando (WBK), the Verteidigungskreiskommando (VKK), and the like. The West German military had developed substantial and flexible military capabilities from both their uniformed and civil areas, a character of defense then that is also critical to leverage today. This is a reminder that there may be some very valuable lessons in talking with our German allies and partners about how they are engaging the challenges of Critical Infrastructure Security and Resilience and securing and operating the Internet of systems.
The ideas in this paper are those of the author alone, and do not represent U.S. government policy.