It’s the last week of National Cyber Security Awareness Month (NCSAM), and this week we’re highlighting how cybersecurity relates to the systems that support our daily lives, such as electricity, financial institutions and transportation. Building resilience in critical infrastructure is crucial to national security. NCSA looks forward to this week’s initiatives discussing the growing dependence critical infrastructure has on the internet and how cybersecurity is key in keeping us safe and keeping systems running effectively.
I recently spoke with Ken Modeste, cybersecurity lead at UL, about what critical infrastructure really means, the changing relationship between these systems and cybersecurity and what’s needed to promote resiliency in developing and expanding critical infrastructure connected to the internet. Ken is the principal technical advisor and cybersecurity subject matter expert at UL; he helped develop UL’s cybersecurity standards, which test network-connectable devices for known vulnerabilities and software security.
MICHAEL KAISER: In cybersecurity, we talk about critical infrastructure a lot, but not everyone knows what we mean. What do you mean by critical infrastructure?
KEN MODESTE: Critical infrastructure is the backbone of our nation's economy, security and health. We know it as the power we use in our homes, the hospitals that provide us with care, the transportation that moves us and the communication systems that we rely on to connect with friends, family, coworkers and more. When we talk about critical infrastructure in cybersecurity, we are referring to industry sectors such as energy, utilities and health care, to name a few.
MK: How have the internet and connected critical infrastructure changed the average consumer’s relationship to critical infrastructure?
KM: As the Internet of Things (IoT) enables more sophisticated capabilities through network-connected products and systems, this connectedness has opened up vulnerabilities in the critical infrastructure that can affect consumers. In the case of healthcare infrastructure, when data is compromised, people’s lives can be at stake. Hospitals contain thousands of connected medical devices that are potentially vulnerable to real-time cyberattacks. As IoT technologies increasingly move into our nation’s critical infrastructure, assessing interconnected systems and their software vulnerabilities and weaknesses before an attack occurs is critical to maintaining consumer confidence in this infrastructure.
MK: With all these large and complex systems delivering essential services, where are the greatest risks to critical infrastructure, and what are the potential impacts of cyberattacks on these systems?
KM: According to Gartner, there will be 20.4 billion connected devices in use by 2020. By 2018, IDC predicts that 66 percent of networks will have an IoT security breach. As more devices become interconnected, the potential of security risks to products and services becomes greater across all sectors.
Cyberattacks are becoming more sophisticated, harder to protect against, more widespread and costlier than ever. In 2016, there were 290 incidents involving cyberattacks against critical infrastructure operations in the United States. Cyberattacks on manufacturing operations, communications and the energy sector were the highest.
MK: There are two things to keep in mind with security in critical infrastructure – securing the legacy systems that are already around and connected to the internet and building new systems for the future. How do we go about securing legacy systems, and how do we build newer critical infrastructure systems to be secure?
KM: Addressing legacy systems is a big concern in cybersecurity. In fact, the recent Equifax data breach was a result of a security flaw in the consumer credit reporting agency’s legacy system, which gave the attackers an opening into their network. We’re starting to see more and more companies ask for advice on which systems they will need to retire and whether they need to redesign new products and systems altogether.
Cybersecurity is always a moving target. There is no silver bullet to solve the problem. The key is to add and build upon a sound security foundation in order to make it harder and harder for bad actors to circumvent new and existing systems. At UL, we do this by building a continuous update process into our security standards to adapt to changes in the security environment, starting with understanding the weaknesses in legacy systems so that if you cannot update and prevent the vulnerability, at least you can mitigate or monitor it.
MK: Are there any approaches or frameworks that you think show great promise for securing our critical infrastructure?
KM: Collaboration and transparency between the private and public sectors are critical to creating new safeguards in an ever-changing security threat landscape. That approach is at the heart of our UL 2900 series of cybersecurity standards, which was developed with input from major stakeholders representing the U.S. government, academia and industry and recognized within the Cybersecurity National Action Plan (CNAP) released by the Obama White House as a way to test and certify network-connectable devices within the IoT supply chain. Measuring critical systems against a common set of reliable security criteria helps businesses deliver more secure IoT products and helps governments provide more secure critical infrastructures.
MK: Given the likelihood that cyberattacks will occur in the future against critical infrastructure, how important is resiliency in developing and expanding critical infrastructure connected to the internet?
KM: Mitigating security risks to our nation’s critical infrastructure is vital to the resiliency of these systems and keeping the country operating. Staying ahead of – and adapting to – continuous changes in the security environment will be important to sustaining a secure critical infrastructure.
MK: How important is the modernization of technology to ensuring a secure critical infrastructure in the future?
KM: The modernization of technology will play an imperative role in helping to ensure critical infrastructure is secure, resilient, sustainable and more reliable both today and in the future. For example, updated technological infrastructure to our grid system will help address current cybersecurity concerns like breaches to the networks, mitigate natural disaster disruptors such as hurricanes and floods and better prepare critical infrastructure for potential future areas of weakness. To be successful, modern technologies must have software that is easily updateable – allowing for uncomplicated testing and deployment to help ensure the modernized technology also has built-in capabilities to address unknown future security events.
MK: What is UL doing around cybersecurity and critical infrastructure?
KM: One solution for combating cybersecurity threats is to build consensus for a set of baseline security standards that IoT devices can follow to increase confidence in these systems. For critical infrastructure, we have developed an industrial control systems (ICS)-specific set of cybersecurity standards that offers testable cybersecurity criteria for third-party software and a benchmark for validating the security claims of software vendors. In addition, we have ongoing research partnerships with the U.S. Department of Homeland Security’s ICS Cyber Emergency Response Team (ICS-CERT) to help mitigate industrial IoT infrastructure cyber risks.
Moreover, the U.S. Food and Drug Administration (FDA) officially recognized the UL 2900 cybersecurity standard, enabling medical device manufacturers to demonstrate that they meet FDA guidance through compliance with the UL standard. We have also recently released a version of our cybersecurity standards specifically for the life safety and physical security industry to help manufacturers identify security risks and solutions in a wide range of products, such as surveillance cameras, emergency communications systems, fire alarm systems, alarm receiving systems, intrusion detection systems and access control systems.
Our goal is to offer manufacturers of IoT devices across multiple industries trusted support for assessing security risks while enabling them to focus on product innovation. By helping to build safer, more secure products, we hope to provide both businesses and consumers with the peace of mind that their products have been validated against a set of cybersecurity standards by a trusted third party.
Check out UL’s website for more information on its work in cybersecurity standards and critical infrastructure. And follow the #CyberAware hashtag on social media for the latest insights, tips and resources to use this NCSAM and to join the conversation. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.