Protecting physical infrastructure with cyber
DHS' Suzanne Spaulding stresses that, in order to protect the physical infrastructure on which our nation depends, government and private sector alike must bolster cybersecurity.
The National Protections and Program Directorate's reorganization is still awaiting congressional approval, but the under secretary for the Department of Homeland Security's cyber division has a clear sense of mission, and a clear message to agencies and companies preparing for cyber threats: the way to minimize physical consequences to critical infrastructure is by prioritizing a "holistic" view of cybersecurity.
Speaking at the MetricStream GRC Summit April 27, Suzanne Spaulding said that preventing "devastating" physical consequences to America's most critical infrastructure relies on a strong cyber front.
"When a lot of people think of infrastructure, they think of roads and bridges… But it is so much more than that," said Spaulding. "It's so easy to cede [cybersecurity] to the technical folks and to put this in a stovepipe, that it's only about IT systems and networks, when really it has to be a part of that broader conversation about that functionality within those critical infrastructures."
Spaulding cited the hacking of the Ukrainian electrical grid as a "watershed" real-world example of cyber threats posing physical consequences for infrastructure on which citizens depend.
"We saw for the very first time a cyber attack that brought down critical infrastructure upon which civilian populations depend," she said of the attack, which resulted in power outages for over 225,000 Ukrainians. "But the methods used were not all that sophisticated. We know how to mitigate those."
Spaulding estimated that "90 to 95 percent" of malicious cyber activity, mostly stemming from social engineering and spear phishing, could be solved by basic cyber hygiene, and quickly resolved by being prepared for the "what if" in the event of a cyber attack.
She applauded the preparations in place that allowed Ukraine to restore power "in six hours," despite the widespread effects of the grid hacking.
Spaulding also said the DHS division's name change, to Cyber Infrastructure Protection, is more than mere verbiage. She contended it represents a shift towards being an "operational component" of DHS. This reflects the "activity we are now taking every single day all across the country… to better manage risks and our focus is on enhancing the security and resilience of our nation's critical infrastructure," Spaulding said.