The Nation’s Infrastructure

The Nation’s Infrastructure

Exploring the complexity of “unmanned” critical infrastructure protection

The last 12-18 months have shown us just how important our nation’s infrastructure is to our daily lives as well as our health and safety. However, the complexity of these systems and the risks they face may sometimes make us feel that properly securing them is an insurmountable feat.

According to the Cybersecurity & Infrastructure Security Agency (CISA), “Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The Nation’s critical infrastructure provides the essential services that underpin American society.”

WHAT DOES THIS INCLUDE?

The following 16 sectors have been identi fied by the Department of Homeland Security (DHS) as critical infrastructure because any disruption to their operation would have such a significant impact:

  • Chemical
  • Communications
  • Commercial facilities
  • Critical manufacturing
  • Dams • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Healthcare and public health
  • Information technology
  • Nuclear reactors, materials, and waste
  • Transportation systems
  • Water and wastewater systems

This is an incredibly complex system in which many sectors not only rely heavily on each other but also have several subsectors, each with their own unique requirements and considerations. Within the transportation systems sector alone, there are seven key subsectors: aviation, highway and motor carrier, maritime transportation system, mass transit and passenger rail, pipeline systems, freight rail, and postal and shipping.

Looking deeper into each of the subsectors reveals even more complexity. For example, the highway and motor carrier subsector includes over 4 million miles of roadway, more than 600,000 bridges, and more than 350 tunnels, as well as vehicles, vehicle and driver licensing systems, traffic management systems, and cyber systems used for operational management.

IDENTIFYING OPPORTUNITIES FOR IMPROVEMENT

While the sheer enormity of these systems may seem daunting, there are many opportunities within each sector to help improve the security and resilience of our infrastructure. One such opportunity is Intelligent Traffic Systems (ITS). Spread across the United States’ roadways and on the corner of virtually every intersection are hundreds of thousands of unsecured targets for attack—traffic cabinets and ITS devices. Used to store and protect technology that connects and controls traffic signals, vehicles, and digital road signage, traffic cabinets are critical for road and highway safety. Exposed at the network “edge” and housed inside these cabinets are intelligent devices and connectivity that if left unprotected, leaves our country’s infrastructure and citizens exposed to critical safety risks.

Unauthorized entry into an ITS cabinet not only enables a potential attack or vandalization of connected intersections but could also allow access to the entire network of traffic controllers and camera feeds. In addition, most cabinets have active network connections to state and municipal agencies, putting them at serious risk of cyber-attack.

Securing access to our infrastructure and managing authorized users is critical, as we are now exposed to an entire gamut of risk from seemingly harmless vandalism to more malicious physical and cyber-attacks. Managing the security and access of our ITS networks and infrastructure is an absolute must. In doing so, we not only apply physical controls to connected intersections but also protect the entire network of traf- fic controllers, connected vehicles, cameras, digital signage, and IoT devices.

ITS networks are not isolated—they interconnect cities, states, and their citizens. Failure to secure them puts both agencies and the public at serious risk of attack.

Despite the fact that physical access to traffic infrastructure can have an immediate and widespread impact, the majority of cabinets are secured with a generic physical key that can easily be obtained and duplicated. Hundreds of thousands of key-holders currently have access to a piece of our country’s critical infrastructure.

This presents a serious threat as we continue to rely more on sophisticated technology to operate and control our vehicles and signal systems. Do you know who has access to your ITS devices and traffic cabinets? Do you know if your cabinets are secure right now? Unauthorized physical access to traffic infrastructure exposes agencies to both physical and cyber-related attacks. With Connected and Autonomous Vehicles (CAV), Vehicle-to-Infrastructure (V2I) connectivity, and more IoT connected devices than ever before, legal and liability issues are a reality for agencies operating these assets.

Entry into any traffic cabinet must be authorized, managed and monitored in real-time. Thankfully, this can be accomplished with robust solutions that are available for both online and offline access control.

USING A LAYERED APPROACH TO ADDRESS PHYSICAL AND CYBER SECURITY

ITS cabinets are an excellent example of the interdependency between physical security and cybersecurity. A vulnerability in the physical security of these cabinets creates a major risk for the cybersecurity of the systems and networks accessible through the connections housed within the cabinets. We are able to mitigate the cybersecurity risk by proactively addressing physical security.

This concept applies beyond transportation to the unmanned infrastructure in all of the sectors identified by DHS as critical. We see cabinets and enclosures across the country in rural areas or along highways, in fields, following power transmission lines or along railways that now provide the connectivity from “Information Technology” in the office to “Operational Technology” in the field. This is the very fabric that connects our infrastructure.

So, this layered approach can be applied across almost any application, and will become increasingly important as the need to protect the cybersecurity of our nation’s critical infrastructure continues to grow. Highlighted by the recent ransomware attack against the Colonial Pipeline and President Biden’s executive order to improve cybersecurity, we are facing constant threats to our economic and physical security. It is our responsibility as security professionals to bring knowledge, awareness, and action to protect against these threats.

This article originally appeared in the July / August 2021 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • 91 Percent of Security Leaders Believe AI Set to Outpace Security Teams

    Bugcrowd recently released its “Inside the Mind of a CISO” report, which surveyed hundreds of security leaders around the globe to uncover their perception on AI threats, their top priorities and evolving roles, and common myths directed towards the CISO. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

Featured Cybersecurity

Webinars

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3