Complexity on Complexity: Connected Communities, Critical Infrastructure, and Refreshing Salads
Strategic Cybersecurity - Expert Commentary
This is the third installment in our series on technology convergence, cybersecurity, and the implications for policymakers. You can read the first post here and second post here.
Key takeaways
- Much like how a combination of ostensibly unrelated ingredients can result in a delicious salad, U.S. critical infrastructure coalesces disparate parts to form the public services and functions that we have come to rely on
- No critical infrastructure sector matters more than another but they do vary in function and impact
- In municipal environments, there is a defined set of services (i.e., water, sewage, etc.,) that feel increased pressure as these cities and towns grow. City officials will seek to optimize the delivery of these services to save money and expand their reach
- Technology companies are capitalizing on this municipal need with all-in-one connected community solutions that make these architectures vulnerable to cascading effects if a breach occurs
- Therefore, community leaders are deploying architectures that lack interoperability on top of the infrastructure sectors that matter most to them (proportionate impact)
- To address this risk, policymakers must develop Protocol Layer Security Standards and a new Policy Framework to guide decision making processes on how to integrate connectivity into service delivery, particularly within critical infrastructure sectors
What do refreshing salads and critical infrastructure have in common?
Have you ever had a refreshing summer salad on a warm day? I had one once that featured kale, pistachios, and pomegranates as its main ingredients. The more culinary inclined among us might find that combination obvious, but I can recall being surprised at how a combination that was not obvious to me resulted in such a fine dish. In the same way, U.S. critical infrastructure brings together somewhat disparate parts and creates a set of services that are now viewed as so important that they command special attention to ensure they are not denied or disrupted. This is another kind of convergence. The same way that a connected community architecture can create something that is more than the sum of its parts, critical infrastructure is much greater than the electric grid or our dams alone. It all coalesces to create the public services and functions most important to our operations, security, and economy.
Certain sectors impact certain populations and geographic areas more than others, but we wouldn’t want this to be too easy, right? We know what’s important but protecting it is another matter. In this post, we will explore the idea of layering technology on top of critical infrastructure and how it can impact the refreshing taste of our public service salad.
If you are anything like me, you might like certain parts of a salad better than others. I’ll admit that I’m less of a fan of kale but I also recognize that I SHOULD eat it because it is good for me. The pomegranates are fantastic and add a nice tang to the salad. The pistachios are my favorite and left to my own devices, I might just eat those. Just like how I eat my salad, let’s break critical infrastructure down.
No sector is “better” or “more important” than another but they are very different in their function and their impact. For example, healthcare is very broad but also very decentralized. A shortage of a vaccine in one hospital does not necessarily mean a system-wide failure. The COVID-19 pandemic strained the healthcare sector but did not break it in spite of many areas that were hit harder than others.
The electric grid is a grid (and not just a catchy name), meaning that a disruption in one place is likely to impact a large swath of the grid as a whole. It is still decentralized so when we lose power on my block, that doesn’t mean the whole state is down, though it could. Not every community is near a dam but dams are critical infrastructure. So, while some people might like the pistachios the most, others like the pomegranates. Not every sector impacts the population and geography the same way.
Here’s the rub
In municipal environments, this can be a little more organized. As a society, we’ve collectively decided that a minimum amount of public services is required for a municipality. Things like water, sewage, sanitation, electricity, and transportation are more or less features of municipalities big and small. As populations grow, the demands on these services also grow along with the desire of city officials to optimize delivery of these services to save money and reach more citizens. Enter the technology companies.
There are several technology companies that offer connected community solutions who will remain nameless here. Many of them are happy to offer you an end-to-end package of products and services to cure all your municipal ills. In the last post, we talked about what comprises a connected community; technologies like
- IoT
- AI
- Cloud
- 5G
- WiFi
- Data Visualizations
There are companies that will sell you the whole lot, sensors connected to a custom 5G network that talks to a cloud with their AI running on top of it and transmitting down to your command center and the pretty visualizations. One long, continuous, and not interoperable system that, if breached, would cause a cascading impact on your architecture. This is the first potential trap of connected communities architectures, interoperability.
Right now, there are no technology standards for how a connected community architecture is constructed. Community leaders are free to cobble together technology that makes sense for their municipal challenges in any way they choose. Commercially, it makes sense to offer the whole architecture and it is also simpler for the consumer. It’s also a dream come true for a malicious cyber actor. A lack of vendor diversity can make connected community architectures highly vulnerable to cyber threats.
Pairing poorly with the lack of technical standards is a lack of centralized policies or recommendations to help guide community leaders’ decisions on where and how to deploy their architectures. Back to the critical infrastructure discussion, different communities are impacted by different sectors in different ways. Their specific municipal challenges and the proportionate impact of specific critical infrastructure sectors will determine how that community designs their architecture. This is both good and bad because while the community is likely to deploy an internet-connected architecture on the infrastructure that matters most to them, it will also be the infrastructure that will cause the biggest disruption if it is attacked. This is the second potential trap of connected communities architectures, proportionate impact.
Let’s talk solutions
Absent technical standards and guiding policies, community leaders are deploying architectures that lack interoperability on top of the infrastructure sectors that matter most to them. This matters at the community level but at the national level, it becomes a Gordian Knot of epic proportions. Trying to decipher risk in an already complex system that is being made more complex by a growing, but inconsistent, deployment of internet-connected devices creates a salad none of us wants to eat. Building policy around such a disparate and inconsistent issue is also fraught with challenges and the potential to have the work discounted as inaccurate or not actionable. So, I suppose we should all take our pomegranates and go home?
Not so fast, POM. We can make this wonderful, yet. We need to start with two actions that should be taken immediately:
- Protocol Layer Security Standards: Just like the Matter standard for home IoT, we need an interoperability security standard for municipal IoT. The Connectivity Standards Alliance produced a standard for home IoT and we need to build on this work to expand it to municipal environments. The foundation is there, it’s a priorities issue now.
- Policy Framework: With such a broad and inconsistent problem, we need to put some kind of framing around it so we can approach a solution. Specific actions will not apply to every deployment or every municipality but we can still provide a framing for the problem that can help drive us toward actions. This will be the subject of the next post in this series.
Complexity on top of complexity is no one’s idea of a good time, especially when our security is at stake. But hey, that’s why you get paid the big money. GoTech, on the other hand, pays me in kale leaves and bags of pistachios, the ones you have to shell yourself.
Photo by Markus Spiske on Unsplash