How lackadaisical attitudes toward physical security and cybersecurity in our critical infrastructure are needlessly and absentmindedly placing our way of life in harm’s way.
To rob banks you have to really want what’s inside. As a prospective robber you must be very good at several different skills, such as disguises, welding, locksmithery, gun violence, explosives, get-away driving, perhaps tunneling … or gamble with the ole high risk, low reward Hollywood standard of just walking into the lobby and handing a note to a teller. Sometimes that works, depends on the bank.
Robbing Banks is Hard – What Good Security Looks Like
Statistics show that if you can get the money physically out of the bank, chances are (80%) good you’ll get away with it, but getting out of the bank can be a trick these days. Bank managers have stepped up their game and deployed several layers of defense against bank robbery. The 2021 FBI statistics on bank robbery security devices deployed are as follows:
Any one of these can seriously interrupt your bank robbery career, but probably the most effective is the physical bank itself. The vault is designed to keep the money in, and the bank lobby is designed to keep would-be robbers out during off hours, but in during bank hours. Modern bank robbers have to cross the gauntlet of the “Bullet Proof Man Trap”, aka Access Control Vestibule. This is essentially a cage that the freshly looted robber has to exit through, and if the tellers behind their own bulletproof glass window hit the alarm, then the Man Trap becomes an instant waiting room for the federal penitentiary.
The robber sits inside and enjoys a floor-to-ceiling view until the police arrive and extract the loot, the handgun, and the mask from a built-in surrender hatch, while the Man Trap system emails the forensics videos and timeline logs to the police station. Factor in that the average bank robbery nets $4,800 in the US, which is not even enough to buy a get-away car, and would-be robbers are thinking twice.
Most of the banks’ security systems are very simple; the idea is to get just enough deterrence to encourage criminals to move on to less risky forms of crime. Applying simple diligence to the realm of bank security has led to an all-time low in the number of bank robberies. Having an obvious Man Trap in your bank lobby doesn’t mean the bank is safe; it just means that if you install a Man Trap in your bank you probably won’t be robbed by someone just walking in the front door. Quote me.
Such is not the case for much of our Critical Infrastructure. Even though we value our Critical Infrastructure, we have yet to invest in the “Man Trap” style defense system to protect it. Consequently, much of our Critical Infrastructure is susceptible to being robbed, vandalized, or destroyed by malicious actors who simply walk in the front door.
Pay No Attention to the Man Behind the Curtain
Critical Infrastructure is vulnerable to more than just robbery. Perpetrators of Critical Infrastructure crime are motivated by far more than money: anger, politics, revenge, misunderstandings, lack of mental wellbeing, and so on. Unfortunately, it seems vandalizing or destroying a system that the rest of us depend on is seen as a candidate to satisfy their appetite for retribution. There are many people that would brave a visible “Man Trap” but even more that would enter if all they saw was a screen door latched with a simple hook. And that, to an extent, is the state of our Critical Infrastructure defenses: screen door latch and a sign.
Outside of airports, which were only recently upgraded to “Man Trap” sized cybersecurity, much of our Critical Infrastructure is just sitting out in the open, with nothing more than a token amount of security. Far too often, the gist of the security is a brightly colored sign, warning the perpetrator not to proceed or they may suffer incarceration or cause severe damage to the system. Signage like this is useless, at least as a deterrent.
Warning signs are useless, ugly, and can actually be helpful to the criminal: a criminal as easily reads the following sign as an invitation, “reminder: don’t forget to disconnect the alarm system before you open this door.” Out of sight, out of mind is a better approach, and “Security by Obscurity” is a legitimate defensive technique.
How Fragile is our Critical Infrastructure?
My vision for critical infrastructure requires a clear understanding of how important it is, how vulnerable it is, and what needs to be done to protect it. Once our society decides that we can no longer tolerate interruptions in basic services, then we will truly make our infrastructure a resilient, convenient part of our surroundings. Think function meets public art: there is strong precedent for blending cell phone towers and telecom huts into the environment. My basic point here being, don’t draw attention to sensitive systems.
It would be irresponsible of me to give specific examples of how a low skilled, highly motivated person could cause massive damage to one or more of our critical infrastructures. It suffices to say, our critical systems are wide open and easy to take down. Just look for yourself:
This electrical substation (see below) supplies power to a large neighborhood. See how there is only a chain-link fence protecting it. In general, does this look very secure? Seems to me this is about the same level of security given to a private tennis court. I’m fairly certain the fence is not electrified, which is ironic. Nor do I think it has video surveillance or motion detectors. Seems like this substation, like many of them, is tucked away, out of sight, where you could probably pitch a tent without anyone even noticing. Out of sight, out of mind: it seems easy enough for a malicious actor to break in, cause damage, and put the neighborhood in the dark with an all-too-easy-to-acquire, over-the-counter style arsenal.
A critical asset like this electrical substation should ideally be guarded by a secure building, surrounded, perhaps “concealed”, by landscaping, with reactive security systems as a minimum, and designed and sited with a higher level of integration into the environment, such as serving as a charging station. Some expense, I’m sure, but how much do you value your toasted bread each morning?
This fiber optics pedestal supplies communications (Internet, Phone, TV) to a large neighborhood. They can be found all over modern neighborhoods, practically unavoidable by drunk drivers. They are necessary for the distribution of fiber optics and copper communications, generally considered pretty important. It is sealed shut and you need a special tool to get it open— either that or a single blow from a hammer, then a couple more whacks to destroy the connections inside.
A good rule of thumb is that if your security system can be breached unintentionally by a drunk person, then it is not a very good security system. My opinion is that these fiber optic pedestals should be in locked underground manholes, blast proof, flood proof, teenager proof, and since we love our Critical Infrastructure so much there should be landscaping and shrubbery abounding, perhaps an illuminated kiosk with a USB charger: useful and beautiful, instead of cheap and exposed.
With that in mind, do I even need to mention how easy it would be to create extreme mayhem at a gas station? When a single cigarette can cause such extreme damage, it seems gas stations could use a better shield than the simple security cameras with which they are equipped. The focus is all wrong: penny-wise and pound-foolish. The ideal choice for our gasoline-fuel delivery critical infrastructure is to get rid of gas as a fuel source. It is far too dangerous and toxic for us to remain so highly reliant on this outmoded form of fuel. Switch to electrical and do it fast! In the meantime, we should consider and evaluate standardized measures that can prevent disaster.
Fragile Cybersecurity Safeguards
Look at this cybersecurity system from a local municipality. Well, of course, you can’t see it as well (no image attached), but it is in the same shape that much of our critical infrastructure security systems are in: basic security “screen door lock” only. Many of the services that are necessary for us to live (omitting the word “comfortable,” because this is not about comfort, this is about life and death) are based on IT and need to be protected.
This means that most of our critical infrastructure relies on hybrid infrastructure components similar to those businesses use (such as servers and cloud storage), all of which are, unfortunately, very hackable. Now we might be able to live with not being able to book a trash pickup of a broken large screen TV with the city’s sanitation department (that TV can lay out on the curb for several months without bothering anyone too much). However, the backend system that schedules those pickups may be on a similar network to the 911 dispatch or Fire Department GPS system.
There has already been a death attributed to a Critical Infrastructure cyber-attack, when a hospital system was hacked and a woman was denied emergency treatment (ABC7news.com). In terms of adequate defenses, many of the nice-to-haves from 5 years ago in cybersecurity (such as IPS, MFA, SSL Inspection, IAM above the basics, MSSP) have now become must-haves in the cybersecurity arms race that the Internet has become.
InfoSec and Cybersecurity Spending
Banks have largely stepped up on cyber-crime, and installed the virtual version of a Man Trap and beyond. However, cities, utilities, telecom, food, hospitals, manufacturing, and so on, are all not ready for a teenage attack or a disgruntled employee, let alone a serious nation state attack. Yes, it’s going to cost, but the cost of not spending is now far greater.
By the way, the closest cyber parallel to a physical Man Trap, would be a “Honey Pot”, where Cyber-criminals are enticed by seemingly vulnerable and delectable cyber goodies such as credit card and bank account information, but are actually tightly monitored to reveal details about their tactics, intentions, and origin. Cyber good guys also have technology for raiding the nest of thieves (do criminals hang out in nests, dens, or lairs?), called a “take down” in cyber circles. With a take down, the source of offending malicious activity is either removed from the internet or blocked from communicating.
So, where does that leave us? My point is that, when it comes to physically harming our Critical Infrastructure, a determined individual armed with a 5 lb. hammer, a hacksaw, some blueprints, and a Kia Sedona can bring a small city to its knees.
Simple deterrents are available but often not implemented. When it comes to cyber harm to our Critical Infrastructure, a similar level of unpreparedness exists. We could prevent many of the physical and cyber vulnerabilities in our Critical Infrastructure, but we have not gotten serious on a large scale. The current presidential administration is finally addressing the issue at a federal level, and has launched several initiatives to stop the hemorrhaging.
The Cybersecurity Maturity Model Compliance (CMMC) will be very helpful. This model sets the standard for cyber maturity and requires all companies in the federal supply chain to pass a cybersecurity audit that verifies multiple layers of cybersecurity have been implemented. The hope is that these federal mandates will roll out into the commercial space, because much of the Critical Infrastructure is private and we are locked in a broken ideology based on cheap goods and services and overly conservative economics.
This prudish bottom-line approach to designing our society needs to factor in the expense of Critical Infrastructure disruptions. Talk to the Texans who lost their electricity and water for weeks in 2022, because of ridiculously unregulated utilities that didn’t factor the freezing temperature of water into their resiliency systems (MSN). These Texans were reduced to near stone-age existence, for no good reason.
These problems still exist. Texas politics are not even close to where they need to be to solve this issue. The US has always been susceptible to this unwillingness to invest in our society, but this dangerous shortsightedness needs to end or we will.