Critical Infrastructure Security and Resilience - Today and Tomorrow
The Cybersecurity and Infrastructure Security Agency's mission is extensive: to help secure the nation's critical infrastructure from physical and cyber threats, and to create a more secure and resilient infrastructure for the future.
“Today, as we evolve from a post-9/11 anti-terrorism mission, we are focused on new threats, including threats to our critical infrastructure, to soft targets in crowded places, as well as nation state threats to our key cyber systems and election infrastructure. We are very mindful of the more traditional threats, but we are also very aware of emerging threats. As our nation’s risk advisors, we must analyze what is coming next and understand the risks associated with new threats,” says Brian Harrell.
Harrell is Assistant Director for Infrastructure Security within the new DHS Cybersecurity and Infrastructure Security Agency (CISA). In addition to the Infrastructure Security Division, there are four additional divisions: Cybersecurity Division, Emergency Communications Division, National Risk Management Center and a Stakeholder Engagement Division.
CISA’s mission is extensive: to help secure the nation’s critical infrastructure from physical and cyber threats, and to create a more secure and resilient infrastructure for the future. It relies on partnerships and a national outreach across the private and public sectors, and delivering technical assistance and assessments to federal stakeholders, as well as to infrastructure owners and operators.
Five Key Areas
Harrell has vast knowledge of critical infrastructure security, with previous roles as Managing Director of Enterprise Security at the Duke Energy Corporation and Director of the Electricity ISAC and Director of Critical Infrastructure Protection Programs at the North American Electric Reliability Corporation (NERC), where he was charged with helping protect North America’s electric grid from physical and cyber-attacks. He was appointed by President Trump in December 2018, shortly after the legislation creating CISA was signed into law, as the first Assistant Director for Infrastructure Security.
“With a name like the Cybersecurity and Infrastructure Security Agency, the value proposition is inherent,” Harrell says. “People know what we bring to the table and they are seeing their products and services on a regular basis. We are trying to gravitate towards where the threats are, while meeting industry halfway to put tools into their hands that they can use to mitigate risk.”
Harrell notes that while CISA’s mission is vast, it is focused on five key priorities. The first is the risks to the critical supply chain, which includes risks associated with 5G and Chinese espionage. Second is protecting federal networks in the .gov systems throughout the United States.
The third is industrial control systems or SCADA systems, which are used to control electricity, and to provide clean water and vital chemicals. To mitigate that risk, Harrell advocates for an integrated approach to addressing physical and cyber convergence. “We see a gravitation towards the understanding that physical security, cybersecurity and emergency management have a common nexus,” he says. “Physical threats can impact cyber operations. Intrusions into our cyber systems can potentially be the enemy avenue of approach to shutting down IP-based cameras, access control systems or safety systems for our critical infrastructure.”
“We have seen a number of attacks where attackers are in the folds where no one is looking, so without a converged program, you may be running undue risk,” he adds. “It is no longer good enough to meet with a cyber team every Tuesday. The programs must be in lockstep, coordinated and functioning with full situation awareness. To have silos is no longer good enough.”
The fourth area is soft targets and crowded places, including schools, houses of worship, festivals and other places where people gather. “Since coming to CISA back in December, this has really been my number one priority,” Harrell says. “Quite frankly, I’m simply following the current threat landscape and the weekly headlines. There is a small segment of society that is hate-filled, bigoted and they want to hurt the most innocent among us. Attacks such as the Pulse nightclub, the Pittsburgh Tree of Life Synagogue and the Las Vegas country concert really demonstrate that attackers are looking for those soft targets in crowded places.”
The fifth area is election security. “We know and understand that the Russians were active in 2016 with respect to influencing our opinions on certain topics,” he explains. “They are interested in exploiting any avenue, whether through probing our election infrastructure for potential weakness, or dividing public opinion by using fake social media accounts to instigate race baiting and motivating certain hate groups. Knowing this, we have worked to share security best practices and to help create an election Information Sharing and Analysis Center, which is the central information sharing hub for the election subsector. As threats materialize and we see them in the federal space, we push out alerts. Information sharing is part and parcel to threat mitigation. We are absolutely going to be ready for the presidential election in 2020.”
An additional area for Harrell is insider threat mitigation. “Individuals within companies have solid and institutional knowledge as to how to bring a company to its knees,” he says. “They may have the keys to the kingdom and unescorted access to the crown jewels. They can destroy key system components or steal proprietary or customer data from an enterprise. Therefore, knowing and monitoring the actions of employees is critical. I believe that investing in an insider threat program is worth its weight in gold and may stop or mitigate an attack before it starts. I suggest investment in an access control system that highlights potential access probing, or using software that alerts you when proprietary information, trade secrets, customer data or sensitive information leaves your system and goes to a personal account or even overseas. Those investments go well beyond traditional background checks.”
Overall, Harrell would like the public and private sector to see CISA’s Infrastructure Security Division as a trusted partner to mitigate physical and cyber risks. Its resources are vast, and all of them are free of charge to stakeholders. For example, a Hometown Security site at www.dhs.gov/cisa/hometown-security has resources for communities related to soft target security, such as active shooter preparedness and school safety. For insider threats, a video is available at https://www.dhs.gov/cisa/insider-threat-mitigation with mitigation steps. For the physical cyber and foreign influence aspects of election security, the CISA Protect 2020 site at https://www.dhs.gov/cisa/protect2020 offers infographics, reports and more.
“My vision is simple,” Harrell says, “to create relationships under blue sky conditions and not under crisis; to provide expertise and a roadmap for what good security looks like; to share threat information back and forth and be timely with it; and to exercise incident response and recovery and to help when a target does get hit.”