Critical Infrastructure Demands Proper Business Continuity Planning
IT is everywhere in critical infrastructure. The Internet. The electrical grid. The banking system. We don’t often think of the nationwide electrical grid (no matter what country you’re in) as a massive exercise in IT, but part of our critical infrastructure cybersecurity challenge is that power generation, transmission and distribution all rely on a “massive network” supporting both electricity (surprise!) and data. Disaster recovery (DR) and business continuity planning (BCP) must assure smooth availability of both, or we’ll have neither.
The industrial process control systems that coordinate power creation and delivery are called Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems have historically been under the management of the Operations Technology (OT) group in each utility, and kept within “closed networks” connected via age-old RS-232 technology. Guess what? In the past decade, process control systems such as SCADA have been modernized to use the Internet Protocol (IP), and operational data has begun to move into the domain of the IT network. It’s worth pointing out that SCADA systems in the Iranian nuclear development plants were infected two years back by a virus called Stuxnet, which was allegedly inserted into the environment through Western “white hat” hackers. That virus apparently was so harmful that it stopped Iran’s nuclear ‘energy’ development in its tracks.
Standards to the Rescue
While enhanced connectivity for IT and OT brings many benefits, it also creates myriad risks that have bedeviled us for the past couple of decades. In its simplest sense, the air gap has been crossed between the systems that run our vast electrical grid and the IT systems that run the business. The Department of Homeland Security took notice of this in 2005, and thus began a long series of standards efforts to assure data protection for both private and public sector critical infrastructure. These started with the North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) standards, which prescribe proper vulnerability management capabilities to be adhered to by all electric utilities. Similar standards now exist in the UK, Europe and Asia. More recently, the U.S. Department of Energy released its Electricity Subsector Cybersecurity Capabilities Maturity Model (ES-C2M2) to help utilities determine how mature (effective) their security measures are within the blended OT/IT environment.
What’s the Greater Threat: Terrorism or Nature?
Terrorist threats against our electric grid are very real and potentially devastating. But another, perhaps equally disruptive threat is simply Nature. Some years ago, a massive ice storm tore through the Northeast U.S. and left many millions of people without power for days and several hundred thousand for weeks. Without deliberately placing blame on the utilities, it should be said that it was quite apparent to most everyone that we were not prepared. Things went somewhat ‘better’ when super-storm Sandy hit the same region. But with Sandy, another specter of IT disaster raised its ugly head: data center flooding and the lack of coordinated IT disaster response. Financial institutions, health care providers, large retail businesses and state and local governments were affected to different degrees. Again, many might say, we were not prepared.
So where am I going with all this “reflection”? We as a society rely on information. Data. Data lives in systems and databases that run solely on electricity and “live” in data centers. Without the ability to access our bank accounts (no Internet), buy groceries and fill our cars with gas (no electricity) or communicate with others (no cellular network) things can get real bad, real fast.
We have the ability to help keep the terrorist/natural disaster wolves at bay: through proper Business Continuity Management (BCM), Disaster Recovery (DR) and Critical Data Protection governance we can help our organizations’ leadership clearly understand their risk and effective ways for managing that risk – whether the risk is to the organization’s financial well-being, to national security, or both. But you would be amazed how many organizations don’t have an up-to-date, tested business continuity plan!
Prudent business continuity planning calls for the development of an enterprise-wide business continuity management strategy, framework and policy; additional focus on the design and implementation of disaster recovery testing; and the implementation of a BCM Governance Model & Steering Committee. Remember, information protection is driven by Confidentiality, Integrity and Availability. Putting appropriate emphasis on availability is what is called for when you view your ‘network’ as critical infrastructure – either to your organization’s well-being, your customers or your country.