The Nation’s Infrastructure

Exploring the complexity of “unmanned” critical infrastructure protection

• By S. Guerry Bruner
• Aug 02, 2021

The last 12-18 months have shown us just how important our nation’s infrastructure is to our daily lives as well as our health and safety. However, the complexity of these systems and the risks they face may sometimes make us feel that properly securing them is an insurmountable feat.

According to the Cybersecurity & Infrastructure Security Agency (CISA), “Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The Nation’s critical infrastructure provides the essential services that underpin American society.”

WHAT DOES THIS INCLUDE?

The following 16 sectors have been identi fied by the Department of Homeland Security (DHS) as critical infrastructure because any disruption to their operation would have such a significant impact:

• Chemical
• Communications
• Commercial facilities
• Critical manufacturing
• Dams • Defense industrial base
• Emergency services
• Energy
• Financial services
• Food and agriculture
• Government facilities
• Healthcare and public health
• Information technology
• Nuclear reactors, materials, and waste
• Transportation systems
• Water and wastewater systems

This is an incredibly complex system in which many sectors not only rely heavily on each other but also have several subsectors, each with their own unique requirements and considerations. Within the transportation systems sector alone, there are seven key subsectors: aviation, highway and motor carrier, maritime transportation system, mass transit and passenger rail, pipeline systems, freight rail, and postal and shipping.

Looking deeper into each of the subsectors reveals even more complexity. For example, the highway and motor carrier subsector includes over 4 million miles of roadway, more than 600,000 bridges, and more than 350 tunnels, as well as vehicles, vehicle and driver licensing systems, traffic management systems, and cyber systems used for operational management.

IDENTIFYING OPPORTUNITIES FOR IMPROVEMENT

While the sheer enormity of these systems may seem daunting, there are many opportunities within each sector to help improve the security and resilience of our infrastructure. One such opportunity is Intelligent Traffic Systems (ITS). Spread across the United States’ roadways and on the corner of virtually every intersection are hundreds of thousands of unsecured targets for attack—traffic cabinets and ITS devices. Used to store and protect technology that connects and controls traffic signals, vehicles, and digital road signage, traffic cabinets are critical for road and highway safety. Exposed at the network “edge” and housed inside these cabinets are intelligent devices and connectivity that if left unprotected, leaves our country’s infrastructure and citizens exposed to critical safety risks.

Unauthorized entry into an ITS cabinet not only enables a potential attack or vandalization of connected intersections but could also allow access to the entire network of traffic controllers and camera feeds. In addition, most cabinets have active network connections to state and municipal agencies, putting them at serious risk of cyber-attack.

Securing access to our infrastructure and managing authorized users is critical, as we are now exposed to an entire gamut of risk from seemingly harmless vandalism to more malicious physical and cyber-attacks. Managing the security and access of our ITS networks and infrastructure is an absolute must. In doing so, we not only apply physical controls to connected intersections but also protect the entire network of traf- fic controllers, connected vehicles, cameras, digital signage, and IoT devices.

ITS networks are not isolated—they interconnect cities, states, and their citizens. Failure to secure them puts both agencies and the public at serious risk of attack.

Despite the fact that physical access to traffic infrastructure can have an immediate and widespread impact, the majority of cabinets are secured with a generic physical key that can easily be obtained and duplicated. Hundreds of thousands of key-holders currently have access to a piece of our country’s critical infrastructure.

This presents a serious threat as we continue to rely more on sophisticated technology to operate and control our vehicles and signal systems. Do you know who has access to your ITS devices and traffic cabinets? Do you know if your cabinets are secure right now? Unauthorized physical access to traffic infrastructure exposes agencies to both physical and cyber-related attacks. With Connected and Autonomous Vehicles (CAV), Vehicle-to-Infrastructure (V2I) connectivity, and more IoT connected devices than ever before, legal and liability issues are a reality for agencies operating these assets.

Entry into any traffic cabinet must be authorized, managed and monitored in real-time. Thankfully, this can be accomplished with robust solutions that are available for both online and offline access control.

USING A LAYERED APPROACH TO ADDRESS PHYSICAL AND CYBER SECURITY

ITS cabinets are an excellent example of the interdependency between physical security and cybersecurity. A vulnerability in the physical security of these cabinets creates a major risk for the cybersecurity of the systems and networks accessible through the connections housed within the cabinets. We are able to mitigate the cybersecurity risk by proactively addressing physical security.

This concept applies beyond transportation to the unmanned infrastructure in all of the sectors identified by DHS as critical. We see cabinets and enclosures across the country in rural areas or along highways, in fields, following power transmission lines or along railways that now provide the connectivity from “Information Technology” in the office to “Operational Technology” in the field. This is the very fabric that connects our infrastructure.

So, this layered approach can be applied across almost any application, and will become increasingly important as the need to protect the cybersecurity of our nation’s critical infrastructure continues to grow. Highlighted by the recent ransomware attack against the Colonial Pipeline and President Biden’s executive order to improve cybersecurity, we are facing constant threats to our economic and physical security. It is our responsibility as security professionals to bring knowledge, awareness, and action to protect against these threats.

This article originally appeared in the July / August 2021 issue of Security Today.