How could you not “think infrastructurally” about cybersecurity, you ask, since it is first and foremost an infrastructure, and a very critical one at that?
Here, though, I focus on five inter-related points about cybersecurity-as-infrastructure that don’t get as much attention as I think they deserve in the energy/water/telecoms literature with which I’m familiar.
–In no order of priority:
1. An assumption is that cybersecurity connects critical infrastructures, i.e., failure of security in one (e.g., a ransomware attack) can well have knock-on effects for other infrastructures dependent on it. Examples are frequently cited. Yet the empirical literature on infrastructure cascades suggests that disruptions in one infrastructure are often managed by real-time control operations so as not to disrupt interconnected infrastructures. These saves need to be recorded and learned from as much as cybersecurity failures and their lessons.
2. Many configurations of interconnectivity exist between and among infrastructures. A number of these are not tightly coupled and complexly interactive and do not cascade “on their own”. Once you understand this, you understand why some cascades look considerably less instantaneous and unmanaged than assumed. For example, one interviewee underscored how a ransomware attack on an important city infrastructure was contained so as not to affect other units and their real-time operations within that department.
No guarantees, of course, but a clear question has to be: to what extent is this real-time management response capacity undermined by (premature?) cybersecurity software equivalents to guns, guards and gates?
3. Another assumption is that the cyber-attackers know what they are doing–as if they were as reliable as the infrastructures they attack. We hear and read far less about those cases where the hackers can’t control or otherwise manage their attacks. They too must cope with unintended consequences, and not just because they may be failing more than succeeding:
A study of 192 cyberattacks by national governments found that Russia ‘fails much more often than it succeeds’ at hacking, and that even its victories have provoked self-defeating countermeasures. After enduring a denial-of-service attack from Russia in 2007, Estonia significantly boosted its defences, which now serve as the basis for NATO’s cybersecurity strategy. https://newleftreview.org/issues/ii133/articles/joy-neumeyer-russia-by-numbers.pdf
4. Much more attention needs to be given to the different professional orientations within an infrastructure, which can be quite significant for cybersecurity. The “cultural divide” is well known and documented between seasoned control room operators, system engineers, and IT staff with respect to infrastructure security. Those who design or run operational systems have had quite different views about new software introductions and patches introduced by the respective IT units.
5. If, as some argue, cyber-attacks on critical infrastructures are special not only because they portend catastrophic physical destruction but also because they undermine confidence and trust in the public and private sectors to protect what society considers vital services, then societal dread of these attacks becomes a central focus. Dread might well reduce confidence and trust, but we would expect a society-wide dread also to increase pressures on those public and private infrastructures to be more reliable.
How this works out is an empirical question, e.g., dread of medical error hasn’t been sufficient to make hospitals high reliability organizations. Clearly context matters, however: “I’m more concerned about that [cybersecurity related to facilities control] right now than I am about a big earthquake,” a district infrastructure director told us. “It’s a daily threat,” said a state roads emergency manager of cybersecurity.
–To sum up, it’s been my reading and experience that prevention of cyber-attacks is almost always seen as a technology and design challenge, rather than very much a management challenge as well. Critical infrastructures are socio-technical systems—and without infrastructure control rooms or their equivalent, society wouldn’t have any kind of platform with which to take cybersecurity seriously in real time.
If this is correct, then it’s the intersection of the technology and the management that we should be focusing on when considering infrastructure cybersecurity in real time. For example, while rarely discussed as such, “thinking infrastructurally about cybersecurity” means taking obsolescence–both in equipment and in management skills and not just with respect to cybersecurity software–much, much more seriously.