
What Can Other Critical Infrastructure Operators Learn from Nuclear?


Cyber threats have received a lot of attention lately (e.g., Target and Sony), and the general public is becoming more aware of the damage that can be inflicted by attacks targeted at digitally vulnerable systems. Although alarming to some, news of this threat isn't new for operators of critical infrastructure, who have been protecting themselves against this type of attack for years. Even though general safeguards have been put in place, critical infrastructure organizations vary widely in how well they have prepared for the looming threat of cyber-attacks.

The United States Department of Homeland Security has identified 14 sectors that provide essential services to the country and require extra security in order to prevent cyber-attacks. These sectors include energy generation and distribution, transportation networks, water supplies, communication systems and many others. If any of these systems were to be compromised, it would have a debilitating effect on the national economy, safety, health, and security of the country. Because of the importance of these sectors, they receive extra unwanted attention from anyone who wants to cause the country harm by way of cyber-attack.


Different organizations operating critical infrastructure put different protections in place to guard their digital and physical assets. One of the reasons for this variability is that there is no single entity that controls all of the pieces or has the authority to implement security policies across entire sectors. For example, some critical infrastructure is owned and operated by the federal or local government, while other parts are operated by the private sector. Due to the scale of the infrastructure projects involved, many are even owned and operated by multiple entities, making it even more difficult to apply uniform policies and standards across entire industries.

There are certain practices that have allowed the U.S. nuclear industry to move ahead of other critical infrastructure sectors when it comes to cyber security. One such practice is that the industry has always had zero tolerance for error. Due to the threat of a major disaster and extreme public fear, the nuclear industry has always been cautious in addressing any security risks, and this has carried over to its cybersecurity preparation. Although this does add overhead to the cost of doing business, it is almost certainly better to be safe than sorry when it comes to protecting critical infrastructure. The industry's practice of taking the right preventative security measures is a good example for any company in the critical infrastructure industry to follow.

In addition, the nuclear industry has adopted the good practice of having different levels of security for different types of networks. General corporate networks still need to be secure, but not as secure as other networks, such as the control systems for the operation of a nuclear facility. Even within the operational areas of facilities, there are different levels of security clearance for different parts of a plant. Using different levels of security clearance for different functions, for both people and networks, ensures that there are very strong controls in place for moving from less secure to more secure areas of the facility. This practice allows the core operations of the facility to remain extremely secure without blocking any work that needs to be done in the lower security levels.

Another advantage that the nuclear industry has over other critical sectors is that there are strong industry-wide organizations that help to set high standards for cyber security. These include government-run regulatory organizations, such as the Nuclear Regulatory Commission (NRC), as well as industry-run organizations, such as the Nuclear Energy Institute (NEI). The existence of such industry-wide organizations facilitates the spread of cyber security best practices among the different operators and can help ensure that anything learned at one site can be applied to others. For example, these organizations have spread the best practice of "defense in depth" across nuclear facilities, requiring multiple layers of protection to reduce risk.

Although other critical sectors may be more fragmented than the nuclear industry, they can still learn from its security practices. Any method that promotes the spread of cyber security best practices between different operators of critical infrastructure will help the entire industry to bolster its defenses against rapidly evolving threats.
