By Dr. LaLanya Fair  |  11/27/2024



 

A major cyber attack on our nation's critical infrastructure could cripple our ability to defend ourselves and cause significant harm to the U.S. economy and to U.S. residents. As a result, it is essential to apply layered cybersecurity measures that anticipate vulnerabilities and protect us from our cyber adversaries.

 

What Is Critical Infrastructure?

In the U.S., the list of critical infrastructures is long. The National Infrastructure Protection Plan (NIPP) groups critical infrastructure into sectors, each paired with a federal agency responsible for it. The sectors include:

  • Energy
  • Financial services
  • Food and agriculture
  • Emergency services and health systems
  • Postal services and shipping
  • Transportation systems
  • Communications

 

What Makes an Infrastructure Critical?

Infrastructures are considered critical when they meet a specific level of importance to the national interest. In other words, the goods or services those infrastructures provide are vital to national security, economic strength, and our daily lives.

Any disruption to these infrastructures would impede the flow of crucial goods and services. U.S. residents would experience hardship, and government or financial operations would be delayed.

Computer use is a daily necessity in business and government, so protecting computers, networks, and software is essential. Imagine, for example, that malicious attackers went after the software controlling transportation systems prior to your daily commute or an important trip. Traveling by train, bus, or airplane could be delayed or canceled.

Similarly, imagine that the software controlling your bank’s financial systems, including ATMs, encountered a virus. How would you manage without having a bank or ATM to use for a week or more?

Three criteria are commonly used to decide whether an infrastructure is critical.

First, how necessary is the infrastructure to daily life and to national identity? Many countries include heritage sites, archives, and monuments for that reason.

Second, how dependent is that critical infrastructure on physical infrastructure? The telecommunications networks and electricity grid, for instance, rely on towers and power stations.

Third, is that critical infrastructure dependent upon other infrastructures? For instance, if transportation systems and financial systems were hacked, that could interrupt emergency services, traffic signals, and healthcare services.

 

Cyber Weapons Have the Potential to Cause Major Disruption in Our Lives

Cyber weapons are an attractive option for many attackers. They are low-cost and effective, and exploitable vulnerabilities are present in most computer networks.

The effect of a cyber weapon can be comparable to that of a conventional weapon. An adversary can also use a cyber attack to amplify a physical attack, for example by disrupting emergency communications at the moment a bomb goes off.

“Digital Pearl Harbor” is a term that surfaced in the mid-1990s, the period in which the internet was commercialized. It refers to scenarios in which hackers black out entire cities, poison water and food supplies, crash airplanes, and open floodgates.

No cyber attack has yet reached that level of devastation. There have, however, been smaller but still impactful attacks, such as the 2021 Colonial Pipeline ransomware incident, which led the operator to shut down the pipeline.

Industrial control systems are complex and tightly coupled to physical operations. The software these systems run is intricate and often much older than the IT systems around it.

It is therefore hard to predict how vulnerable a given industrial control system is and how an attack on it would affect our daily lives. Short of an actual attack, the best evidence comes from risk assessments, exercises, and the record of past incidents; only a real attack shows with certainty whether a given critical infrastructure is affected.

 

How the Information Age Has Changed the Meaning of Critical Infrastructure

In the information age, traditional critical infrastructures become information infrastructures because they incorporate the use of computers and networks.

There have also been new critical infrastructures developed that are solely information infrastructures. For example, there are computerized databases that contain important information, such as:

  • Technical and scientific intellectual property
  • Records of funds and transactions in banking systems
  • Software that runs business processes and various production processes

Information infrastructures are considered critical infrastructure. Disrupting their processes would lead to a huge socio-economic crisis. A society’s stability could be undermined, and there would be security, strategic, and political consequences.

Different countries define critical infrastructures in different ways. But virtually all critical infrastructures depend upon servers and software, which in turn affect physical systems. If those servers or software were attacked, there would likely be widespread damage.

 

The Three Types of Infrastructure Failure

According to scholar Lior Tabansky, infrastructure failure falls into three classes:

  • Common cause failure: This type of failure is due to a single cause. For example, fuel storage tanks, airports, and power stations that sit close together are likely to be harmed by a single flood. It is hard to imagine a cyber attack that would directly cause a failure of this type, although a single flaw in software shared by many operators (for example, a compromised vendor update) comes close.
  • Cascading failure: The disruption of a computerized control system in one critical infrastructure sector (such as water) leads to the disruption of a transportation infrastructure (flooding of a train line). The flooding of the train line would interrupt a third infrastructure (food), because food products could not be shipped on train cars. A cyber-attack could directly cause this type of infrastructure failure.
  • Escalating failure: The disruption of one infrastructure (for example, a communications company's network) harms the effort to fix other infrastructures that have been damaged by another attack (emergency services, federal government, or commerce). A cyber-attack could cause this type of failure.
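The difference between cascading and escalating failure is easier to see in a small dependency model. The Python below is an added example, not a model from Tabansky or from this article; the sectors, the dependencies between them, the repair prerequisites, the repair times, and the assumption of unlimited parallel repair crews are all constructed for illustration. It goes slightly beyond the text by computing how much longer full recovery takes when the sector that repairs depend on (communications) is attacked as well.

```python
"""Toy model of cascading and escalating failure across interdependent
infrastructure sectors. Added example; the sectors, dependencies, and repair
times below are constructed for illustration, not real data."""
from collections import deque

# Functional dependencies: each sector -> the sectors it needs to keep operating.
# (Constructed; e.g. transportation needs water pumped out of tunnels and
# electricity for signalling.)
DEPENDS_ON = {
    "electricity": set(),
    "water": set(),
    "communications": {"electricity"},
    "transportation": {"water", "electricity"},
    "food": {"transportation"},
    "emergency_services": {"communications", "transportation"},
}

# Repair prerequisites: sectors that must be running before crews can restore
# a given sector (constructed; communications is needed to coordinate crews).
REPAIR_NEEDS = {
    "electricity": set(),
    "communications": {"electricity"},
    "water": {"communications"},
    "transportation": {"communications"},
    "food": {"transportation"},
    "emergency_services": {"communications"},
}

# Hours to repair each sector once its repair prerequisites are up (constructed).
REPAIR_HOURS = {
    "electricity": 4, "communications": 12, "water": 6,
    "transportation": 8, "food": 2, "emergency_services": 3,
}


def cascade(initial_down, depends_on=DEPENDS_ON):
    """Cascading failure: starting from the sectors taken down directly, any
    sector that depends on a failed sector fails too (breadth-first).
    Returns the failed sectors in the order in which they fail."""
    dependents = {s: set() for s in depends_on}
    for sector, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(sector)
    order = sorted(initial_down)
    failed = set(order)
    queue = deque(order)
    while queue:
        sector = queue.popleft()
        for dependent in sorted(dependents[sector]):  # sorted for determinism
            if dependent not in failed:
                failed.add(dependent)
                order.append(dependent)
                queue.append(dependent)
    return order


def restoration_times(failed, repair_needs=REPAIR_NEEDS, repair_hours=REPAIR_HOURS):
    """Escalating failure: a sector can only be repaired once the failed sectors
    its repair depends on are back. Assumes unlimited parallel repair crews and
    an acyclic repair-dependency graph. Returns hours until each sector is back."""
    failed = set(failed)
    done = {}

    def finish(sector):
        if sector in done:
            return done[sector]
        wait = max((finish(p) for p in repair_needs[sector] if p in failed), default=0)
        done[sector] = wait + repair_hours[sector]
        return done[sector]

    for sector in failed:
        finish(sector)
    return done


def time_to_full_recovery(initial_down):
    """Hours until every sector knocked out directly or by cascade is restored."""
    return max(restoration_times(cascade(initial_down)).values())


if __name__ == "__main__":
    print(cascade({"water"}))                                   # water, then its dependents
    print(time_to_full_recovery({"water"}))                     # 10 hours
    print(time_to_full_recovery({"water", "communications"}))   # 22 hours
```

Taking down water alone cascades into transportation, emergency services, and food, and full recovery takes 10 hours in this model. Taking down communications at the same time adds only one more sector to the cascade, but every repair now waits for communications to come back first, so recovery stretches to 22 hours: that gap is the escalating failure.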

 

Preventing and Overcoming Cyber Threats

Combating the threat to critical information infrastructures will take multiple strategies, involving areas such as:

  • Deterrence
  • Prevention
  • Attack identification
  • Crisis management
  • Attack response
  • Damage control
  • A return to full function

Threats to national security infrastructure are managed at three distinct levels: tactical, operational, and strategic.

In addition, there needs to be a detailed national policy for protecting critical infrastructure, aligned with the National Infrastructure Protection Plan. For that policy to be relevant, it must consider the engineering, social, organizational, economic, and even political aspects of the problem.

 

Finding Cybersecurity Measures to Combat Attacks on Critical Infrastructure

Hardly a day goes by where there is not a story about a security breach or customer information leak in the private sector or the public sector. These events are becoming more frequent as cyber attackers find vulnerabilities and exploit them, whether for personal gain, ego, or sheer maliciousness.

Any protection that will benefit U.S. infrastructures must include cross-organizational strategies that support international partners, as well as both domestic and international investigations.

Systems engineering of computerized systems must include risk management as an essential activity. According to scholars John M. Borky and Thomas H. Bradley, an exceptional risk management process includes:

  • Risk identification
  • Risk assessment in terms of probability of occurrence and consequence of occurrence
  • Identification of risks requiring mitigation
  • Planning and budgeting for risk reduction activities
  • Tracking the progress of risk mitigation until a risk is retired or a decision is made to accept it
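The loop above reduces to a small risk register with scoring, budget-constrained selection, and status tracking. The following Python is an added example, not tooling from Borky and Bradley or from this article; the sample risks, their probabilities and consequences, the mitigation costs, the budget, and the greedy "most exposure reduction per dollar" selection rule are all assumptions made for illustration.

```python
"""Added illustration of the risk-management loop: identify, assess
(probability x consequence), select what needs mitigation, plan within a
budget, and track each risk until it is retired or accepted. Not the
authors' tooling; all risks, scores, and costs are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: float           # likelihood over the planning horizon, 0.0-1.0
    consequence: int             # impact on a 1 (negligible) to 5 (catastrophic) scale
    mitigation_cost: int         # cost of the planned mitigation, in thousands of dollars
    residual_probability: float  # expected likelihood once the mitigation is in place
    status: str = "open"         # open -> mitigating -> retired, or open -> accepted


# Allowed status transitions for the tracking step.
TRANSITIONS = {
    "open": {"mitigating", "accepted"},
    "mitigating": {"retired", "open"},
    "retired": set(),
    "accepted": {"open"},  # an accepted risk can be reopened if conditions change
}


def exposure(risk, probability=None):
    """Assessment: expected consequence = probability x consequence."""
    p = risk.probability if probability is None else probability
    return p * risk.consequence


def needs_mitigation(risks, threshold):
    """Identification of risks requiring mitigation: exposure at or above threshold."""
    return [r for r in risks if exposure(r) >= threshold]


def update_status(risk, new_status):
    """Tracking: move a risk through its lifecycle, rejecting illegal jumps
    (e.g. retiring a risk that was never being mitigated)."""
    if new_status not in TRANSITIONS[risk.status]:
        raise ValueError(f"{risk.risk_id}: cannot go from {risk.status} to {new_status}")
    risk.status = new_status


def plan_mitigations(risks, threshold, budget):
    """Planning and budgeting: fund mitigations in order of exposure reduction
    per dollar until the budget runs out (greedy, not guaranteed optimal).
    Funded risks move to 'mitigating'; unfunded ones are explicitly accepted.
    Returns (funded_ids, accepted_ids)."""
    def reduction_per_dollar(r):
        return (exposure(r) - exposure(r, r.residual_probability)) / r.mitigation_cost

    funded, accepted = [], []
    remaining = budget
    for r in sorted(needs_mitigation(risks, threshold), key=reduction_per_dollar, reverse=True):
        if r.mitigation_cost <= remaining:
            remaining -= r.mitigation_cost
            update_status(r, "mitigating")
            funded.append(r.risk_id)
        else:
            update_status(r, "accepted")
            accepted.append(r.risk_id)
    return funded, accepted


def build_register():
    """Constructed sample register for a small utility operator."""
    return [
        Risk("R1", "Internet-facing VPN appliance missing vendor patches", 0.6, 5, 40, 0.1),
        Risk("R2", "Phishing leading to theft of control-room credentials", 0.8, 3, 30, 0.3),
        Risk("R3", "No offline backups of the process historian", 0.3, 5, 50, 0.05),
        Risk("R4", "Outdated firmware on office printers", 0.5, 1, 10, 0.1),
        Risk("R5", "Flooding of the primary data center", 0.1, 5, 500, 0.02),
    ]


if __name__ == "__main__":
    register = build_register()
    funded, accepted = plan_mitigations(register, threshold=1.0, budget=80)
    print("funded:", funded, "accepted:", accepted)  # funded: ['R1', 'R2'] accepted: ['R3']
    for r in register:
        print(r.risk_id, round(exposure(r), 2), r.status)
```

With a threshold of 1.0 and a budget of 80, the VPN patching and phishing risks are funded, the backup risk is consciously accepted rather than silently ignored, and the two low-exposure risks stay open for monitoring. The point of the explicit transition table is the last bullet above: a risk leaves the register only by being retired after mitigation or by a recorded acceptance decision.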

This high standard makes developing public policy difficult, given the resource limits of public agencies and the competing priorities of the private sector. State governments are learning to include cyberspace protection alongside protection of their physical spaces, but critical infrastructure protection and cyber resilience remain hard problems.

Some attackers treat the internet as a single national infrastructure, but it is a worldwide network. An attack planned against one country can have consequences for partners around the world, since traffic, services, and malware do not stop at borders.

The ARPANET, the internet's precursor, was designed with resilience in mind; it is commonly said to have been intended to survive a nuclear exchange between the United States and the Soviet Union.

The idea behind building it as a wide area network was to route around damage: if parts of the network were physically destroyed, traffic would be rerouted over the surviving links. The internet is purposely decentralized and multilayered, and it keeps functioning, in degraded form and with slower data transfer, even after losing capacity.

Even with these safeguards, parts of the internet remain vulnerable to cyber incidents. In 2002, for instance, there was a massive Distributed Denial of Service (DDoS) attack on the roots of the internet. The attack targeted the 13 root name server addresses (labelled A through M) that sit at the top of the Domain Name System (DNS) hierarchy. The root servers do not control the addresses of the internet; they tell resolvers where to find the servers for each top-level domain, and resolvers cache those answers for a long time.

The attack rendered eight of the 13 root servers unreachable. Because resolvers cache root data and only a few reachable root servers are needed, the attack on the DNS did not noticeably degrade Internet performance and went unnoticed by most of the public. Had it continued for longer (and had the perpetrators remained undetected), there could have been a significant slowdown in internet traffic.

After this incident, the root server operators hardened their systems and used anycast routing to replicate each root server identity across many physical locations, alongside new routing techniques and updated software. The root system is now far harder to damage, but individual private-sector organizations, cities, and state systems remain vulnerable.

 

Mitigating Risk and the Difficulties of Maintaining Critical Infrastructure Security

Mitigating the risk to critical infrastructures is complex. Data breaches today cost millions of dollars, and the number of threats keeps growing, especially in the private sector. Most data breaches can be traced to a handful of common, well-understood vulnerability classes.

Physical security is a consideration for both private-sector organizations and government agencies as well. Many private-sector organizations benefit by limiting access to rooms or buildings with critical servers, so that an internal attacker such as a disgruntled employee cannot interfere with online processes. Most federal government agencies also have this type of physical security.

Most attacks are external. Often they succeed because a user clicks an unsafe link, which opens a door for the attacker. Some widely used smartphone apps and other popular applications are weak enough that they do not even encrypt sensitive data such as Social Security numbers.

Most of these simple attacks could be thwarted with readily available, cost-effective defenses, but the public is either not tech-savvy enough or does not appreciate how dangerous cyber threats can be. Most security patches could be deployed, and the hole closed, within hours; in practice it still takes months, sometimes years, to patch our devices.

Ransomware attacks are a difficult problem to solve as well. They have cost some companies millions of dollars. 

Businesses have many different security threats to contend with. Along with loss of customer data and ransomware attacks from malicious cyber actors, they have the threat of fraud and the potential loss of proprietary business secrets.

Private-sector stakeholders should take the time to understand their vulnerabilities to cyber criminals and make a plan to eliminate or reduce them. They also need support from local, state, and federal governments to develop a consistent cybersecurity assessment process that spans multiple organizations. There should also be a federal government strategy that focuses on the few networks of real concern.

A more effective cybersecurity strategy developed at the federal level should allow for the creation of a centralized repository of information. Not only could data on cyber threats, attacks, and malicious cyber actors be gathered and maintained in one location, but security solutions could be stored there as well. Safety measures could be distributed nationally, giving businesses with limited budgets access to useful cybersecurity resources and tools.

Using federal cybersecurity resources would decrease the amount of time it takes to improve computer systems and mitigate opportunities for an attacker to take control of computer systems. An agency that offers this type of protection would reduce anxiety among the public regarding cyber crime and potentially provide an opportunity to better educate everyone on cyber threats (such as identity theft, suspicious emails, and scams) and how to recognize them.

 

Cybersecurity Degrees at American Military University

For adult learners interested in various aspects of cybersecurity such as cyber warfare, information assurance, intrusion detection, incident handling, effective cybersecurity practices, and the protection of critical infrastructure, American Military University (AMU) has several degrees:

Taught by experienced instructors, courses in these degree programs include computer forensics, operating system hardening, cryptography, red and blue team security, and penetration testing. Other courses involve administrator scripting languages, cyber warfare, database security, and advanced cybercrime analysis.

To learn more about AMU’s cybersecurity-related degrees, visit our information technology degree program page.


About The Author
Dr. LaLanya Fair

Dr. LaLanya Fair is a part-time instructor for the School of Security and Global Studies. She holds a bachelor’s degree in business and information systems from the University of Phoenix, a M.S. in criminal justice and homeland security administration from Tiffin University and a Ph.D. in business administration with a concentration in homeland security and leadership policy from Northcentral University.