critical infrastructure security information technology

Synopsis Because the majority of critical infrastructure components in the United States are privately owned, compliance with Department of Homeland Security risk assessment methods remains voluntary. Risk assessments of critical infrastructure focus on threat, vulnerability, and consequences, with all types of assessments integral to helping improve resilience and mitigate problems (GAO, 2017). A vulnerability analysis of the nation’s information technology critical infrastructure reveals several points of weakness and security gaps. The Department of Homeland Security (2018) infrastructure survey tool can be used alongside the systems dynamics approach to vulnerability assessment.

These tools reveal the inherent strengths of complex, interdependent information technology systems, while also revealing the potential weaknesses in a decentralized approach. Executive Summary Two of the most salient methods of conducting vulnerability assessments on critical infrastructure include the opt-in survey offered by the Department of Homeland Security, which targets the physical facilities, and the systems dynamics approach. Information technology is a unique critical infrastructure in that it includes both a physical, concrete component (such as hardware) and an abstract, information-based core content.

Therefore, combining a systems dynamics approach with the DHS survey tool reveals the particular vulnerabilities evident in the information technology critical infrastructure. Strengths include the prevalence of some open systems and dynamic communications methodologies, plus advanced physical security defense mechanisms. Identifiable weaknesses include inconsistent risk assessment and mitigation methods, and the risks with private sector knowledge leakage. Cyber threats remain a major vulnerability. More information would be needed before a more thorough risk assessment could be conducted.

Introduction Information technology is one of the nearly twenty critical infrastructure component the Department of Homeland Security recognizes. The DHS offers specific strategic planning interventions for these sectors, with voluntary compliance expected and counted upon to preserve national security interests. Hardware manufacturers and the members of their supply chains, software developers, and service providers all fall under the general rubric of information technology critical infrastructure (GAO, 2017). Various vulnerability assessment methods can be used to evaluate the nation’s information technology critical infrastructure.

One assessment tool is the Infrastructure Survey Tool offered by the Department of Homeland Security. This tool is a web-based security survey that focuses mainly on physical facilities and is therefore limited in scope. A systems dynamics approach uses “stocks, flows, and feedback loops” to account for the complexities of information architecture (Deng, Song, Zhou, et al., 2017, p. 1).

Rather than viewing systems dynamics and the Infrastructure Survey Tool as being discreet, mutually exclusive entities, combined they offer the opportunity to identify security threats before they morph into crises, and the chance to make necessary changes to institutional structure, policy, leadership, and practice. Details Infrastructure Survey Tool The Department of Homeland Security offers the Infrastructure Survey Tool for chief security officers, facility managers and operators. As a web-based survey, the tool is accessible and cost-effective.

The Department of Homeland Security (2018) recommends that the Infrastructure Survey tool be used regularly and in conjunction with Assist Visits to identify vulnerabilities and address them accordingly. Focusing on physical vulnerabilities in a facility, the survey addresses issues like perimeter and property security but also channels of information sharing and communication, threat response protocols, and recovery plans (Department of Homeland Security, 2018). Because of the fragmented nature of the nation’s information technology infrastructure, each individual enterprise needs to voluntarily conduct the Infrastructure Survey Tool.

Applying the tool broadly across all components of the critical infrastructure reveals several vulnerabilities, particularly with regards to inconsistent communication plans and protocols. Hardware manufacturers present some of the clearest security vulnerabilities, when viewed through the lens of the DHS survey. One of the reasons for the vulnerability is the lack of vertical integration of many companies, and the heavy reliance on foreign manufacturing for various parts and components.

Unless manufacturing processes are monitored in a way that also uses systems dynamics, it is possible for security breaches to occur at almost every level of the manufacturing process. At the same time, all private sector information technology companies have in place at least a fair degree of vulnerability prevention strategies to safeguard valuable and sensitive data and preclude the possibility of security breaches. Access to strong human resources options helps security managers better identify, manage, and control threats in multiple information technology departments.

Systems Dynamics The Systems Dynamics approach takes into account the complexity of dynamic information technology systems. Information systems are defined by their dynamic nature. The external forces of privatization, deregulation and liberalization have made information technology infrastructure increasingly complex and dynamic (De Bruijne & Eeten, 2007). Therefore, a systems dynamics approach is useful for identifying specific vulnerabilities, even when using a strengths-based approach to analysis and intervention. Using a systems dynamics assessment method, the information technology critical infrastructure of the nation is moderately vulnerable.

There is no standardized means of screening applicants or monitoring personnel, and nor is there industry-wide protocol for information security. The private sector relies on human factors to a greater degree than would be tolerated in other sectors, even with the increased use of artificial intelligence systems for security management. Inadequate training in security—both physical and information security—is a main weakness of this critical infrastructure (Stamp, Dillinger & Young, 2003). However, gateways, restricted access protocols, and similar methods do help maintain a security hierarchy in most organizations.

Core strengths of the information technology sector with regards to threat analysis include the relative freedom of information flow and interdependency of information systems. Summary As critical infrastructure, information technology is not as vulnerable as it could be. Physical vulnerabilities are few, with the greatest weaknesses being in the realm of foreign manufacturing and any area in which monitoring and control is less reliable. Because the private sector dominates the critical infrastructure, the DHS counts on voluntary compliance with recommended best practices.

Therefore, companies making decisions for financial expedience may sacrifice security. Perimeter and grounds security and other physical protection protocols, such as improving resilience in the face of a natural or terrorist disaster, are relative strong points for this critical infrastructure. Cyber threats are of course predominant in the information technology sector, but because the sector also has at its disposal a wealth of human resources, specific vulnerabilities can be readily addressed and mitigated. Information sharing and communication is also strong, considering the fragmentation of this sector.

Conclusion Information technology is fast becoming the hub of all critical infrastructure, the node upon which all other components depend fully. Banking, chemicals and energy, and telecommunications all depend on the physical and network security of the information technology sector. Therefore, identifying.