I’m working hard nowadays to finish my book on supply chain cybersecurity for critical infrastructure. Yesterday I was working on a chapter where I was discussing the difference between critical infrastructure industries and other industries. In doing so, I came to the realization that the essence of critical infrastructure is that owners of critical infrastructure should never have the final say on how it is used and especially how it is secured. This is because, by definition, the general public has a “stake” in critical infrastructure, even if it’s owned entirely by private parties.
Of course, everyone in the electric power industry is already well aware of this fact. If they do something wrong and there’s an outage, that isn’t just an internal problem. It needs to be reported to NERC, the federal, state and local governments, etc. Depending on what happened, there may be press reports, a fine or other public shaming.
Probably the most important “gift” that comes with owning critical infrastructure is the regulation that comes with it. Electric utilities are regulated by NERC, FERC, the PUCs and other regulatory bodies. Even though some of the regulations are overdone, all of this can be thought of as the public taking steps to guard its stake in critical infrastructure.
Of course, electric utilities aren’t unique in this regard. Oil refineries, natural gas pipelines, water treatment systems, chemical plants, transportation systems, banking, telecom and other industries all operate critical infrastructure. And almost all of them are regulated in one way or another, including for cybersecurity.
As I was writing this, I was also thinking about SolarWinds, and how it looks like some very bad security practices on their part may have led to what could be the greatest disaster – outside of wars and pandemics – ever experienced by the American people. And then I realized: SolarWinds is as much a critical infrastructure operator as any electric utility. Their software was used to manage the networks of many important agencies of the federal government (in hindsight, far too many!). Moreover, by definition network management software has to hold the “keys to the kingdom”: credentials for network infrastructure devices like routers, switches and firewalls, as well as an open pathway to control servers and workstations through those devices.
Of course, two weeks ago I would never have dreamed of calling SolarWinds a critical infrastructure operator. Even if someone had told me they had bad security, I would have said that’s basically their problem. I would have said this, even though I certainly knew that their poor security could lead to customers getting breached (e.g. as happened to Delta Airlines, who lost close to a million credit card numbers when their web site was penetrated by attackers, who used a backdoor that had been planted in recently purchased chatbot software they had deployed on their web site).
Obviously, there are lots of other companies, like software developers and other service providers, who have been breached – and those breaches have resulted in customers and other third parties being breached as well. One good example of this is Equifax, who lost control of the personal information of about half the adults in the US in 2017. When something like that happens, there’s lots of speculation about what will happen to the company’s stock price, or whether they’ll even survive as a going concern (some companies have gone under because of a cybersecurity breach). There’s even more speculation about the size of the settlement the company will make with its customers – with the presumption that once that settlement is agreed to, the incident is over and the company can begin to heal and grow again.
Because SolarWinds software managed the networks of so many important government agencies, and because the Russians had 6-9 months to root around in those networks, exfiltrate data and plant malware, it is likely the total cost of these breaches will never be known; but it will definitely be in the billions of dollars.
So there’s no question that this is no longer SolarWinds’ problem; this is the US taxpayer’s problem. Maybe there will be a settlement that will allow SolarWinds to stay in business; maybe there won’t, and SolarWinds may have to go through bankruptcy, be sold for a song, or liquidated. But none of those alternatives will come close to making taxpayers whole.
Clearly, SolarWinds was in fact a critical infrastructure operator, since the operation of a lot of the federal government depended on their good governance – and that proved elusive. What other service providers and software companies are in their position? I’m not sure – probably not many. Unfortunately, the Russians seem to have identified perhaps the single most critical of all critical infrastructure providers – long before we did.
There needs to be cybersecurity regulation of all critical infrastructure organizations, not just the ones who produce and transport natural gas or electric power.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.