Securing Critical Infrastructure with MILS
On February 12, the White House released the Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience. The DHS website describes PPD-21 as “advancing a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure.” Sixteen different critical infrastructure sectors are identified, including: Chemical, Communications, Energy, Financial Services, Healthcare and Public Health, Food and Agriculture, Nuclear Reactors, Transportation, and Water and Wastewater Systems.
On the same day PPD-21 was released, President Obama also signed Executive Order 13636 for “Improving Critical Infrastructure Cybersecurity.” The Executive Order directs NIST (National Institute of Standards and Technology) to develop a framework for “reducing cyber risks to critical infrastructure,” for which they have issued an RFI and plan a workshop in late May.
And on March 26, the BSI (Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security) published the Protection Profile for the Gateway of a Smart Metering System. Such devices will securely collect, process, and store information from smart meters, adding security to smart electricity distribution grids. The protection profile notes that the threat from a remote cyberattack is much higher than that from a local physical attack, since the attacker in network has the potential to compromise not just one, but many components of the infrastructure, or even the corresponding grid.
These developments highlight the focus on improving critical infrastructure security as attacks from cyber-terrorism have increased over the last decade and, alarmingly, in the past year on power, water, and nuclear systems. A recent report states that, indeed, most cyber-attacks now target critical infrastructure, moving “away from hacking and financially motivated crime” to attacks to “deny, disrupt, and destroy” service. For most of us, even the most destructive cyber-attacks like Stuxnet are fairly remote and don’t impact us; but if critical infrastructure services are denied, disrupted, or destroyed, cyber-attacks could become devastatingly personal.