–In no order of priority:
1. It’s commonly assumed cybersecurity is a special concern for interconnected critical infrastructures: Failure of security in one (e.g., a ransomware attack) can well have knock-on effects for other infrastructures dependent on it. Examples are frequently cited.
Yet the empirical literature on real-time infrastructure operations indicates that disruptions in one infrastructure are often managed by real-time control operations so as not to disrupt the interconnected ones. Not always, not every infrastructure, but often enough not to be ignored. These saves need to be recorded and learned from as much as cybersecurity failures.
2. Interconnectivity is configured in many ways between and among critical infrastructures. These configurations are not all tightly coupled and complexly interactive and do not cascade “on their own.”
More, some interinfrastructural cascades look considerably less instantaneous and unmanaged than presumed. For example, one interviewee underscored how a ransomware attack on an important city infrastructure was contained so as not to affect other units and their real-time operations within that department.
No guarantees, of course. It has to be asked, however, to what extent is this real-time management response capacity undermined by cybersecurity software promised (prematurely) as the digital equivalents to guns, guards and gates.
3. Another assumption is that the cyber-attackers know what they are doing–as if they were as reliable as the infrastructures they attack. We hear and read far less about those cases where the hackers can’t control or otherwise manage their own attacks. They too must cope with unintended consequences, when they may be failing more than succeeding:
A study of 192 cyberattacks by national governments found that Russia ‘fails much more often than it succeeds’ at hacking, and that even its victories have provoked self-defeating countermeasures. After enduring a denial-of-service attack from Russia in 2007, Estonia significantly boosted its defences, which now serve as the basis for NATO’s cybersecurity strategy.
https://newleftreview.org/issues/ii133/articles/joy-neumeyer-russia-by-numbers.pdf
4. Significantly different professional orientations within an infrastructure exist with respect to cybersecurity. The “cultural divide” between seasoned control room operators, system engineers, and IT staff is well-known. Those who run operational systems have had quite different views about new software and patches introduced by the respective IT units.
5. Cyber-attacks on critical infrastructures are said to be special not only because they portend catastrophic cascades but also because they undermine confidence and trust in the public and private sectors that these vital services can be reliably protected. Where so, societal dread of these attacks moves center-stage. Although it might reflect reduced confidence and trust, we would expect a society-wide dread also to increase pressures on those public and private infrastructures to be more reliable.
How this works out is an empirical question, e.g., dread of medical error hasn’t been sufficient to make hospitals high reliability organizations. Context clearly matters here: “I’m more concerned about that [cybersecurity related to control facilities] right now than I am about a big earthquake,” a district infrastructure director told us. “It’s a daily threat,” said a state roads emergency manager of cybersecurity.
–So what?
Prevention of cyber-attacks is almost always seen as a technology and design challenge rather than very much the management challenge it also is. Critical infrastructures are socio-technical systems—and without infrastructure control rooms or their equivalent, society wouldn’t have any kind of platform with which to cybersecurity seriously in real time.
At least one very important implication for policy and management follows: While rarely discussed as such, “thinking infrastructurally about cybersecurity” means taking obsolescence–both in equipment and in management skills and not just with respect to cybersecurity software–much, much more seriously.
WHEN COMPLEX IS AS SIMPLE AS IT GETS 