Critical infrastructure protection

International Journal of Critical Infrastructure Protection 1 (2008) 4–5

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/ijcip

Richard George, Information Assurance Directorate, National Security Agency, Fort Meade, MD 20755, USA

Article history: Received 5 August 2008; Accepted 6 August 2008

The sanctity of the critical infrastructure is one of the most significant issues facing nations today. Water, power, banking, transportation and communication systems are all part of the critical infrastructure that is essential to our daily activities. The various critical infrastructure components are, to differing extents, dependent upon one another, both within a nation's borders and internationally. As such, problems in one critical infrastructure component can quickly spread to others.

In the context of critical infrastructures, we tend to think of the term "assurance" differently from traditional communications assurance, although there are many similarities. Traditional information assurance consists of five services: confidentiality, integrity, authenticity, availability and non-repudiation. Analogs can be drawn for the critical infrastructure. Consider the water supply: availability is the first requirement, but integrity (i.e., assurance that the water has not been tampered with) is an additional concern. The health care industry must consider availability, integrity, authenticity (did this prescription actually come from this doctor?) and non-repudiation. We can attempt to address the security needs of critical infrastructures by following traditional information assurance models.

The key aspect of assurance is that if assurance is needed, it must be to protect something from someone. This protection must address three questions: Protection against whom (the adversary)? Protection against what (the threat)? How would the attack proceed (which vulnerabilities would be exploited)?

Several factors must be considered about an adversary. What capabilities and resources does the adversary have? Is the adversary knowledgeable enough to run a cyber attack? Does the adversary have the resources to acquire that capability? What is the intent of the adversary? For example, a hacker might seek only the challenge of "getting in"; a thief may be interested only in stealing intellectual property; a terrorist seeks to disrupt societal activities, take lives and gain publicity. How risk averse is the adversary? This depends on the security environment and the political climate. Finally, what access does the adversary have? This depends on the specific critical infrastructure asset being targeted.

Threats to critical infrastructures are tied directly to the adversary and are determined by the factors listed above (and others). If the adversary has technical expertise, a cyber attack might be an attractive option. If the adversary has considerable monetary resources, the required technical expertise can be bought. In general, a specific adversary will present a large number of potential threats. An appropriate defense has to address all of these threats, after considering all of the system's vulnerabilities. The adversary has the advantage of studying the defense and then choosing the method and the timing of the attack. It is far from a level playing field.

Adversaries range from copycat hackers to terrorists to nation states. Each adversary presents a different profile, capability, intent and avenue of access, and each combination presents a different type and degree of danger to a critical infrastructure. A nation state might hesitate to disrupt another nation's financial infrastructure because doing so would adversely affect its own financial infrastructure; in the event of war, however, that reluctance would disappear entirely. Such considerations must be addressed in an assurance (defense) model.

Government organizations have traditionally employed a two-tiered assurance model consisting of intrinsic and extrinsic assurance. This model was created for the old world in which government products were used to satisfy the government's communications security needs. Intrinsic assurance was realized through government control of the design and development of products. Extrinsic assurance was achieved through an unconstrained evaluation of those products. Commercial drivers have led to the replacement of the two-tiered model by a four-element model, which is more appropriate for critical infrastructures. The first two elements are the same: intrinsic assurance (build the product as well as possible) and extrinsic assurance (evaluate the product to understand its residual weaknesses). The other two are implementation assurance (put the pieces together in the best way to mitigate product weaknesses and obtain an assured solution) and operational assurance (maintain the solution over its lifetime, apply all patches, maintain configuration control, and monitor the solution to detect an adversary's attack). If an attack is detected, understand the weakness being exploited and control the impact of the attack. All of these aspects play a crucial role in minimizing the risk and the consequent damage to critical infrastructures.

Critical infrastructure protection is a concern shared by all. Most critical infrastructure assets are owned and operated by private industry. Government serves as a regulator and as a consumer, but its role is often limited. Academia can assist in developing defensive techniques, but it has no power to actually provide protection. Collaboration is required to achieve effective critical infrastructure protection. Information necessary for protection must be shared even though it may eventually fall into the hands of the adversary. Critical infrastructure providers and consumers must be educated about the threat. Most of all, we need to understand that industry, government and academia all have a role to play in critical infrastructure protection.

There will never be another war in which the critical infrastructure is not both a cyber and a physical target. Government alone cannot provide protection. Every societal entity must work together on solutions that will help address infrastructure security concerns. Critical infrastructure protection is neither a game nor an exercise; it is life and death. We all share the danger and the risk. We have the responsibility and the obligation to work together to protect the global critical infrastructure.

© 2008 Published by Elsevier B.V. 1874-5482/$ - see front matter. doi:10.1016/j.ijcip.2008.08.010

Richard George, Technical Director, Information Assurance Directorate, National Security Agency, Fort Meade, Maryland. Richard George joined the National Security Agency as a mathematician in 1970 and has worked in the Information Assurance Directorate (or its predecessor organizations) for 38 years as a cryptomathematician. Mr. George is currently responsible for developing and evaluating security solutions used by the Department of Defense and the intelligence community.