Mitigating Risk: Protecting & Defending Critical Infrastructure

Leaders of various critical infrastructure sectors – such as energy, telecommunications, electricity generation, gas production, water supply, and waste disposal – must be able to effectively manage the vulnerabilities associated with providing high-quality services to the public while at the same time securing those sectors from physical and intellectual harm. Unlike companies that provide tangible products and traditional services, the owners and operators of critical infrastructure do not have the luxury of sequestering their assets.

In fact, simply by supplying important services that are essential for society to function properly and without interruption, these firms are both physically and virtually exposed. Moreover, because the same companies fill a critical role in managing business operations and facilitating economic recovery, they must also carefully balance: (a) pursuing new investments that take advantage of global sourcing; and (b) mitigating problems related to and/or caused by geopolitical volatility and competitive risk. For example, a dramatic increase in demand for mobile Internet, smartphones, and PDAs (personal digital assistants) has caused several U.S. telecommunications companies to shift a significant share of their capital investments to capture increasingly higher revenue streams.

Developing a flexible and robust infrastructure that meets the increasing demands of a globally interconnected community becomes essential in the short term as well as in the long term because of the anticipated growth in service revenue desired by customers. To satisfy this demand and to best position themselves for a continuing evolution, telecommunications firms must leverage international vendors and supply chains while at the same time defending their own infrastructures from risks that overseas collaboration ventures inevitably create. In addition, after initial investment decisions are made, the next steps – required maintenance, installation, and training – will almost always extend the risk timeline into the lifecycle of the equipment used as well as the overall operating network.

Two Notorious Examples: Google and WikiLeaks

In 2010, revelations of network intrusions at Google – preceded by the massive WikiLeaks exposure of countless sensitive government documents – vividly illustrate how the blurring of politically and financially entangled circumstances poses major risks for business and government alike. In the WikiLeaks exposure, Bradley Manning, a 22-year-old intelligence analyst, was able to download and disclose/distribute literally hundreds of thousands of ified documents before he was detected – and later sentenced to 35 years in prison.

The Google incident was considerably different, but nonetheless harmful to U.S. interests. It started when the company experienced a six-month advanced persistent threat (APT) attack, dubbed “Operation Aurora,” that apparently originated in China. The lesson provided by both situations was much the same: Regardless of origin and/or intent – and whether state or criminally sponsored – such threats dramatically illustrate the myriad of challenges that the private sector now faces in seeking to protect essential information.

Such events may seriously impair operations, financially harm any company involved, and/or damage the value of the brand. U.S. government agencies have the ability to retreat and segregate their most sensitive material in ultra-secure facilities, at a cost unknown to U.S. taxpayers. But private-sector companies do not have this same privilege, so must operate their geographically distributed personnel, facilities, and networks as securely as possible, even when: (a) engaging an ever growing number of partners; (b) outsourcing additional elements of the business (to further enhance the bottom line); and (c) meeting the profit expectations of their ever vigilant shareholders.

The same two examples illustrate an increasingly difficult problem – namely, that numerous foreign and domestic malefactors are now profiting from, disrupting, and/or otherwise harming the nation’s critical infrastructure. Experience shows, though, that the best defense against such activities is a vigorous and proactive offense. Not in the sense of a competitive espionage program but, rather, in the active and unified management of unwanted exposure within the public sphere.

The Growing Danger Posed by Insider Threats

In various ways similar to those common in other knowledge-intensive industries, U.S. critical infrastructure companies are particularly vulnerable to insider threats. Individual employees as well as subcontractors have access to and understand the market value of the materials, systems, and operations entrusted to them. Even properly sanctioned work may be vulnerable to information spills and/or inadvertent disclosures that not only create and expand vulnerabilities but also result in regulatory or compliance liabilities.

Much more threatening, however, are the deliberate and calculated efforts of persons with access, capability, and intent to harm a company. As the 2010 WikiLeaks’ case demonstrated, the financial cost and physical resources needed to cause incalculable harm to any given company, and/or to the federal government, are nominal – even to individual “lone wolf” attackers. But the damage caused by just one angry or disgruntled employee of a gas or power company, for example, could be devastating to an entire community, and could disrupt normal operations for an extended period of time.

To guard against such threats, the nation’s entire critical infrastructure industry now manages a veritable mountain of custodial data and regulatory compliance information. The protection of such custodial and personal information is obviously growing in importance, particularly given the increasing liabilities associated with the disclosure of custodial data – as was vividly demonstrated by the aggressive Massachusetts Data Breach Law of 2008.

A Comprehensive Approach & Proactive Plan of Action

With no sign that such dangers are abating, and with limited resources dedicated to “security,” critical infrastructure managers must ensure they are positioned to protect their companies from not only a broad range of liabilities (fines, lawsuits, adverse publicity) resulting from the spillage of toxic data but also from the loss or pilferage of valuable corporate secrets (financials, partnerships, technologies).

As critical infrastructure companies assess opportunities to transfer, reduce, or accept risks in the operation of their various businesses, they also must position themselves to optimize their options based on a unified organizational examination that is both broad and deep. Only through the unified management of a company’s capital assets and business relationships can it optimize future selections from the broad range of actions that simultaneously mitigate risks and proactively layer the legal and structural defenses.

Although the costs created by and arising from compliance activities are more readily measured, the long-term losses associated with the exposure of valuable corporate secrets are, in fact, far more extensive and expensive. Those responsible for ensuring the security of critical infrastructure assets – from an economic point of view as well as from public health and safety perspectives – cannot afford to provide more protection for one asset than another. The time has come for a truly comprehensive approach to protect and defend critical infrastructure organizations.