For over 20 years now, the enterprise IT security industry has built solutions around three simple concepts:
Confidentiality, Integrity, and Availability. Entire product categories and methodologies have consumed hundreds of billions of dollars of R&D investment, and the industry’s best practices have matured into a robust set of frameworks and real solutions. The problem will never be “solved” but it’s no longer an anomaly for a midsized company to have an information security officer and at least some amount of skills and ongoing budget to defend the information assets from malicious or accidental compromise. As Sun Tzu taught us in the 5th century.
Attackers seek to exploit our weaknesses with overwhelming force and where we are most unprepared.
Any casual reading of the news will reveal that products and procedures to protect from compromise is not yet universally deployed, but efforts are being made to mitigate risk, even if we may not always publicly hear about the impact of the efforts. What is clear is the scale of reconnaissance activity — building an inventory of known vulnerable targets — is running at a level many orders of magnitude higher than it was even five years ago.
Comparing enterprise information security to the security of physical plants, we’ve seen isolated investments as a result of certain federally-designated critical infrastructure categories. Bulk power, financial systems, and transportation have all enjoyed real investments in security and adapted when efforts were shown to be inadequate or ineffective. We’ll discuss this in greater detail below, but for now, it’s sufficient to accept that it is possible, despite all the bureaucracy, budgeting, and political challenges, to improve the security of physical infrastructure in a meaningful degree with practically applicable solutions.
Despite the evolution of stronger security options and with full knowledge of the potentially catastrophic effects of a disrupted water supply, power grid, or emergency response network, most physical infrastructure in the western world has little or no significant cyber-security protection in place. We’ve learned how to do it on the enterprise side and in the designated critical infrastructure sectors where it “matters most”, but what about everything else?
Twenty years after the advent of information security as an industry category, we face a major gap in degrees of preparedness and a critical mass of risk and attackers willing and able to exploit these connected networks which are relatively unprotected. Many of these networks are the economic lifeblood of regional employers, or the enablers of vital resources to communities: power, communications, and water. Large telecom companies at the national scale are more mature in their security practices, but many local or regional carriers, as well as municipalities, power cooperatives, and water plants, are all woefully behind.
Further compounding the problem is a budgeting process which isn’t yet oriented around the ROI of risk management and security spending, and a workforce which does not lend itself to rapid recruitment of security professionals.
This white paper reviews the water industry in general, and how it supplies and delivers a critical resource to essentially the entire globally developed population. Despite this, it has been almost entirely overlooked in terms of adopting security protections to account for the three categories of information security risk:
Availability: the #1 concern for all operators, and potentially a critical health and safety issue;
Integrity: how to protect the target system from unauthorized changes; and
Confidentiality: how to protect the details of the system from unauthorized access and misuse