November is Critical Infrastructure Security & Resilience Month - so what does that mean to you? To me - it means make a difference where you can.
So what does this nebulous term actually mean? Critical infrastructure is comprised of all the services we depend on for daily life like power, water, health, transportation and banking. Sadly, these are also things we tend to take for granted thanks to the many hardworking souls who dedicate their careers to ensuring they work correctly.
Security and resiliency have become priorities for the larger critical infrastructure organizations, however there are hundreds of small organizations who do not possess the resources to properly address security issues. Small municipal power and water companies and co-ops are typically focused on their core mission - providing reliable service for the smallest overhead allowed. In my experience, the engineers and techs employed by these organizations do an amazing job of providing these services in a safe, reliable, and cost effective manner. They are as concerned about keeping things running as you are, but they have a different view on that world than you.
This difference in viewpoints can result in decisions which a security pro would never consider. The goal is to provide the service in a safe, reliable manner. Our job is to help people understand how security is an integral part of safety and reliability. And how it can all be undone by just a few innocuous choices. Putting a meter or controller on the internet instead of paying thousands of dollars for private communication seems like a no-brainer. Grabbing the little four port switch at the local Walmart to replace a failed switch seems like a fast way to get the job done. Using the same laptop for your email and programming RTUs just makes sense economically. Or do they?
That meter sitting on the internet has a disconnect collar attached to it, and its running an unpatched libSSH daemon. How long until someone pops a shell and accidentally shuts off power accidentally? What if that meter provides power to the water pump providing pressure to half of a small town? Or what if that Walmart-grade switch the technician grabbed is actually a cheap wireless router? And that wireless router now ties all of the communication together for a town’s power substation? How long until someone connects to the wireless router’s wifi in search of free internet?
These are all scenarios based on things that I’ve encountered over the years given to present one point: just a passing thought given to what could go wrong could prevent most of these. But we cannot expect the folks making those decisions to have the skill set to make these calls without helping them to learn it. Never hesitate to spend a few extra minutes chatting up a tech about the security risks out there. If you know of an organization that needs help with security, try to help. After all, it could be your water supply that you make a bit safer.