Strategic Cybersecurity Module 14, Critical Infrastructure. Once you have completed the readings, lecture, activity, and assessment, you will be able to articulate the meaning of critical infrastructure and articulate why cybersecurity is important for protecting critical infrastructure.

Welcome to Strategic Cybersecurity Module 14, Critical Infrastructure. By now, you are undoubtedly gaining an appreciation for how vulnerable countries are to cyber intrusions. You've read about the Stuxnet virus, which manipulated and destroyed uranium centrifuges at the Iranian nuclear facility in Natanz. Your readings for this module covered Project Aurora, which demonstrated how a computer virus could physically destroy a commercial power generator. However, concerns about the vulnerability of infrastructure, especially critical infrastructure, to cyberweapons go back decades to the early 1990s.

Although there are many definitions of critical infrastructure, it is generally defined as infrastructure that is so vital, its incapacity or destruction would have a debilitating impact on the country's defense and/or economic security. The government's approach to protecting critical infrastructure from both physical and cyber attacks has evolved over the decades, and each presidential administration has left its mark on the effort.

The initial recognition that aspects of our national infrastructure were vulnerable and needed to be protected can be traced back to President John F. Kennedy in the Cuban Missile Crisis. Kennedy was purportedly frustrated by his inability to speak directly with Nikita Khrushchev and, following the crisis, signed an executive order establishing the National Communication System. The National Communication System focused on making our telecom infrastructure more interoperable and easily survivable in the event of a nuclear war.
Later in the 1970s and 80s, in response to multiple natural disasters, the government established the Federal Emergency Management Agency in order to better coordinate state and federal emergency response efforts and protect critical infrastructure. Additionally, following a series of terrorist attacks in the early and mid-90s, President Clinton signed Presidential Decision Directive 39, which laid the groundwork for the Department of Homeland Security, designated federal agencies for specific emergency response missions, and created the Critical Infrastructure Working Group.

Following that effort, President Clinton signed Executive Order 13010, which established the Commission on Critical Infrastructure Protection, also known as the Marsh Report, and highlighted two kinds of threats to critical infrastructure: physical and electronic. Highlighting that critical infrastructure was vulnerable to electronic, or what we today would call cyber, attacks was groundbreaking at the time. In fact, it is very instructive to read the opening pages of the Marsh Report to get a sense of the recognition that the world was quickly changing and new vulnerabilities were being created. For instance, the report noted, "the electronic technology of the information age challenges us to invent new ways of protecting ourselves now. We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power."

Executive Order 13010 also defined specific critical infrastructure sectors to include telecom, banking, electrical grid, gas and oil, transportation, water supply, continuity of government, and emergency services. Although the number of designated critical infrastructure sectors has fluctuated with each presidential administration, today there are a total of 16 recognized sectors.
As was mentioned in the last module, one of the problems with regard to protecting critical infrastructure in the United States is that nearly 90% of it is owned by the private sector, and historically, there have been problems with the private and public sectors sharing threat and vulnerability information. To address that, President Clinton signed a presidential directive promulgating the creation of a series of information sharing and analysis centers, or ISACs, to help critical infrastructure owners and operators protect their facilities, personnel, and customers from cyber and physical security threats and other hazards. ISACs do this by collecting, analyzing, and disseminating actionable threat information from both the government and private organizations to their members in the hope that both physical and cyber threats can be rapidly identified and mitigated.

Although ISACs are considered important organizations in helping secure our nation's infrastructure, many experts believe they do not go far enough in the sense that participation in them is voluntary. In fact, Rosenzweig proposes the creation of a congressionally chartered non-profit corporation akin to the Red Cross that would federalize responses to major cyber intrusions and provide a forum in which defense-related private sector information could be shared without fear of compromise or competitive disadvantage. This does seem like a good idea, but as always, the devil is in the details. ISAC corporations would likely interpret any mandated actions from the government as regulation and fight tooth and nail against them. Going forward, as more and more industrial and service sector processes become automated, a workable solution between the government and private sector will have to be reached.

Quiz question one, true or false? SCADA systems can be used to operate critical infrastructure components via an internet connection. The answer is true.
Quiz question two, which of the following is not an example of critical infrastructure? A. Electric grid. B. Transportation systems. C. Communication systems. D. Internet service providers. The answer is D. Internet service providers.

Quiz question three, true or false? Most industrial control systems (ICS) controlling our nation's infrastructure are connected to the internet and are, therefore, vulnerable to attack. The answer is true.

The activity for this module asks that you download the 1997 report Critical Foundations: Protecting America's Infrastructure, available on the Federation of American Scientists website. Review the report and determine how accurate this report was when it was published 20 years ago. Is the report still relevant? What do you think should be modified or added to bring it up to date?