Poor Efforts for Protecting Smart Utilities
NEWS
Cybersecurity spending on utilities infrastructure (energy, water, and wastewater) globally is low, fragmented, and inconsistent. In 2018, ABI Research forecasts such spending to average US$8 billion globally; this represents less than 10% of total spending on critical infrastructure cybersecurity. Spending on utilities is not as dynamic as in some other sectors—notably, defense, financial services, and Information and Communication Technologies (ICTs). This is due in part to the slow-moving nature of grid modernization; the difficulty of integrating security into legacy industrial control systems and newer connected operational technologies; the lack of skills and know-how in the sectors; and the low priority placed on security by stakeholders in the sector.
The surge in adoption of smart assets for utilities introduces new risks to the infrastructure. Electrical and water grids are especially vulnerable. The poisoning of a water supply or release of untreated wastewater could cause serious health issues. The disruption of electricity will not only affect the proper functioning of other critical infrastructures (including water distribution) but can also seriously undermine the economic stability of a nation.
While some significant efforts have been made to address security in the energy sector—notably in the United States with the mandatory North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) rules and in the European Union with the Network Information Security (NIS) Directive—current endeavors in protecting utilities more comprehensively are insufficient. Unaddressed vulnerabilities are leading to an increase in cyberattacks, and the cybersecurity efforts to tackle these shortcomings are patchy at best.
Public Sector Lethargy
IMPACT
Security is therefore a primary concern, as it is intrinsically linked to safety and national security. This is particularly critical, as smart technology deployment in utilities is often advancing without adequate security implementation. However, the current public trend is not one of cybersecurity priority. The 2012–2013 period was a time of high cybersecurity activity for governments. The United States launched the Obama Executive Order on Improving Critical Infrastructure Cybersecurity, from which the various U.S. departments took their cues; and the European Union published the E.U.-wide Network and Information Systems (NIS) Directive, with the European Union Agency for Network and Information Security (ENISA) accorded greater responsibility and with Europol’s launching of the European Cybercrime Centre. Since the Snowden revelations were given such a high profile in the media, every country was keen to show they were doing something to curb cybercrime and implement cybersecurity, both for citizens and critical infrastructure alike.
These efforts have since petered out. In the United States, stakeholders are still relying on what was decided during the Obama administration; the new Trump administration has not put cybersecurity high on its agenda. In 2017, President Trump appointed Rudy Giuliani as his cybersecurity advisor, a man with no cybersecurity credentials or credibility who has yet to provide any valuable input to national cybersecurity matters, and eliminated the position earlier this year.
It’s not much better in the European Union. ENISA lacks the teeth to do more than just put out research, and it does not have a big enough budget to expand its cybersecurity role. Most E.U. member countries have not taken the NIS Directive seriously; the deadline has passed for the directive to take effect, and it is currently being delayed. Only a handful of states have set up a national cybersecurity authority as required by the directive. It is quite a poor effort all around. It seems that many have forgotten that cybersecurity needs to be a continuous effort, not a one-time announcement.
A Comprehensive Plan: The Sum of All Parts
RECOMMENDATIONS
It is important for utilities to understand that cybersecurity is an integral and critical aspect of running a power or water grid—especially when it comes to near-future applications. Whether that grid is smart or not, cybersecurity is too intrinsically linked to safety to be considered as a lesser priority. Furthermore, cybersecurity has to be understood as a comprehensive discipline that is dynamic and that will change constantly in response to the cyberthreat landscape.
However, it looks like the trend for frameworks and regulations to harmonize policies and procedures for cyber protection and defense for critical infrastructure is giving way to more classified operations on offensive cybersecurity. In the United States, President Trump recently jettisoned Obama’s Presidential Policy Directive 20 (PPD-20) that provided a framework for checks and balances on military use of offensive cybersecurity.
There is little doubt that cybermilitary operations have ceased to be a silent and invisible activity. Increasingly, such operations are setting the stage for customary practice in terms of cyber warfare among nation-states. Consequently, they have triggered a growing discussion on how to align these operations with international law, notably around issues such as sovereignty, state responsibility, the use of force, the applicability of the law of armed conflict, and the conduct of hostilities among nation-states.
The impetus behind the PPD-20’s abandonment is to eliminate red-tape obstacles in responding to national cyberthreats, especially since critical infrastructure is not just a target for nation-states but is increasingly a target for financially motivated threat actors. However, many offensive cybersecurity tactics can be considered in direct contravention not only to existing cybercrime legislation but also possibly to international laws of war and armed conflict.
An offensive strategy raises a number of issues, notably with regard to proper attribution and then to effective (and legal) retribution. Cutting out administrative checks and balances, especially for those concerning national security, may expedite response times but may also result in less thorough review, more errors, and disproportionate response. In the long term, this would render a nation-state (including its critical infrastructures) even more vulnerable.
Securing critical infrastructures can benefit significantly from offensive mechanisms, but these need to be deployed within a justified and reasonable framework and in conjunction with defensive mechanisms. As such, they can be reserved as a means of last resort, for when all other mechanisms have failed. Scrapping existing checks and balances on proportionate use only serves threat actors, who can all too easily misdirect stakeholders to wrongful attribution. The poor state of cybersecurity spending, especially for securing critical infrastructure such as utilities, shows that there is much that could be done before resorting to offensive action.