Cybersecurity and Infrastructure Protection

Chapter 1

Introduction

The security of the data in our digital systems has dominated conversations throughout the cyber community in recent years. This conversation is prompted by the ongoing and escalating series of digital breaches that have affected business organizations, learning institutions, healthcare facilities, and government agencies. Hardly a week goes by that the media does not report on yet another cyber breach costing millions of dollars, which exposes personally identifying information (PII), and sullies the reputation of yet another organization or agency. Last year, according to some reports, there were over 40 million cyber-attacks, averaging over 100,000 per day—an increase of nearly 50 percent from the previous year (Bennett, 2014). The level of attacks in 2015 seem to be outpacing even that. In one attack alone on a government agency in the United States in early 2015, over 22 million records were stolen and tens of millions of records were lost during hacks of several healthcare services (Granville, 2015). The financial costs of these digital breaches are staggering. According to well-known U.K. insurer Lloyd’s, cyber-attacks are costing organizations over 400 billion dollars each year, and those costs are rising. These high-profile cyber breaches highlighted in the media gain a good deal of public attention, especially if—as with the SONY breach in 2014—there are celebrities involved (Gandel, 2015).

While the reports of such attacks are meaningful, as they tend to educate and alert the general public to the ongoing threats to our security, they often neglect a more important aspect—the cyber threats and attacks to our critical infrastructure, the foundations of which keep our society functioning. While we are inconvenienced when our credit card services are disrupted, or troubled at the prospect of our health records being made public, we fail to recognize the devastating impact to our society should a cyber-attack suddenly cut off our water supply, electricity, or other services we count on in our daily lives. Although they receive less media attention, attacks on our critical infrastructure are a serious concern. According to a recent survey, almost 90 percent of managers in critical sectors report attacks on their organizations, and nearly 50 percent believe it is likely that a cyber-attack on critical infrastructure within the next five years will result in the loss of lives. Our critical infrastructure is being attacked by those with malicious intent and is, by some accounts, more vulnerable than many believe. It must be protected.

In this book we will examine the 16 critical infrastructure sectors and how each has its own importance yet is strategically intertwined with others. We will also examine what the threats to these sectors are, who might be attacking them, how those attacks might take place, the measures that are being taken to protect them, and the governance that seeks to regulate that protection.

A Brief Review of Critical Infrastructure Protection

The nation’s critical infrastructure provides the essential services that underpin American society and serves as the backbone of our nation’s economy, security, and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, the stores we shop in, and the communication systems we rely on to stay in touch with friends and family.

—United States Department of

Homeland Security

As identified by the United States government through Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience, there are 16 Critical Infrastructures. Listed alphabetically, they are: (1) the Chemical Sector, (2) the Commercial Facilities Sector, (3) the Communications Sector, (4) the Critical Manufacturing Sector, (5) the Dams Sector, (6) the Defense Industrial Base Sector, (7) the Emergency Services Sector, (8) the Energy Sector, (9) the Financial Services Sector, (10) the Food and Agriculture Sector, (11) the Government Facilities Sector, (12) the Healthcare and Public Health Sector, (13) the Information Technology Sector, (14) the Nuclear Reactors, Materials, and Waste Sector, (15) the Transportation Systems Sector, and (16) the Water and Wastewater Systems Sector (U.S. Department of