Ben Lane, CIPRNA event manager, met with Chris Miller, a Protected Critical Infrastructure Information Program Outreach Coordinator at the Cybersecurity and Infrastructure Security Agency (CISA).
The following is a transcription of their conversation.
Nice to meet you, Chris. Tell us a little bit about who you are and how you have been involved with the annual Critical Infrastructure Protection & Resilience North America (CIPRNA) event.
Nice to meet you. I attended the inaugural CIPRNA in Cape Canaveral, Florida, several years ago. I was working for the Department of Homeland Security (DHS), for the National Programs and Protectorate Division. We have since become CISA, which is the Cybersecurity and Infrastructure Security Agency. I was in Florida to speak about the Protected Critical Infrastructure Information or PCII program.
I’ve enjoyed being associated with CIPRNA over the last several years, reviewing abstracts and being a very small part of the cog that makes the CIPRNA event what it is. Again, we’re looking forward to being out of the COVID environment, thankfully, and having a really good, and probably a rather robust meeting in Baton Rouge in 2023.
This is probably the one conference where we can get together the myriad sector personnel who come in with an agenda to talk specifically about critical infrastructure, the resilience behind it, the security, and the apparatus needed to keep it going into the future.
For those of us who work in that environment, we’re a pretty small group. Each government agency has its own way of looking at critical infrastructure and the security behind it. CISA is the one agency whose mission is to make sure we understand the risks behind the critical infrastructure. How do we help mitigate it for the government and for state and local governments and for the private sector? It’s no secret that the overwhelming majority of critical infrastructure in the US is owned by private individuals or private companies, or it’s owned by the state and local governments. Obviously, there are things that hamper that and there are things that make it better because it’s in the private sector, but trying to get all of that to collate at a top level so we have an understanding of where our threats lie, both cyber and in the physical world, is ultimately the goal of CISA.
My part of it is just a little piece that helps protect the very important and very sensitive security information behind those things. It is true everything’s available on Google, but you can’t Google and find out how long a generator will run for in a power outage. How long until the wastewater treatment is back online? How long can we flush our toilets in our houses before we hamper the ability of the wastewater treatment plant to work?
What’s more important, energy or water? That’s always the age-old argument. Water’s going to tell you they’re more important, and energy people will tell you, “Well, you can’t run your wastewater treatment plant without power.” So, it goes back and forth.
PCII is in a unique place because we see critical infrastructure from the level of the nation, but we can go across every sector of critical infrastructure. My little piece of it is once we validate it as PCII, we protect that information about that piece of critical infrastructure from being released under Freedom of Information Act requests or state and local disclosure law requests.
By law, by statute, we are able to block that release of very specific security information to the public. There’s nothing wrong at all with being transparent – I encourage it, but we don’t need to let the general public know that if I go to this location in that reservoir and I precisely dump 50 gallons of poison in there, I’m now going to potentially kill 100,000 people. The general public just doesn’t need to know that. There is a modicum of trust that’s built between the government, both at the federal level and the state level, and those assessors who are out there capturing that critical information, to make it so that we all live, whether in Britain, whether elsewhere in Europe, or here in the United States, that we are living in a free society, yet still letting that way of life continue every day.
Thank you for that brief outline of what you do. So how do you or your agency view present emerging threats?
CISA views emerging threats at a very high level, both on the cyber and the physical side. We have broken CISA down into different divisions, different chains of command. The chain of command is the Integrated Operations Division of CISA, which is the responsible party along with science and intelligence. There is an intelligence arm of DHS that provides information into that, but CISA Central is within our Integrated Operations Division or IOD. That is the hub where all kinds of information flows in and out, cyber and physical. When there are emerging threats, they are the ones who have a 24-hour operation to ensure they are collating the information, capturing the information, and disseminating it to the proper personnel inside CISA, and perhaps other government agencies, so that they can take the effective measures necessary based on whatever the risk is.
For example, Colonial Pipeline happened several months ago here in the States. When that occurred, there was a cyber and a physical concern, as well as the media frenzy. Things like that would go into our CISA Central depository, and those very dedicated professionals make sure that information flows to the right people so that decisions can be made from the executive level down to a much smaller level of state or even county government to help them make proper decisions.
How about protecting against these threats, is there a comment you can give me around that?
I can. So, in terms of protecting against those threats and understanding the mitigation factors we need to look after the threat occurs and before it occurs. There are assessments that are being done on an ongoing basis, both cyber and physical, by very dedicated professionals who are either protective security advisors who will look at physical attributes of critical infrastructure, or there are cybersecurity advisors who are doing a plethora of testing, penetration testing, cyber hygiene type assessments – myriad assessments to determine where we are strong and where we are weak in our cyber networks, and again, where we are strong and weak in our physical networks.
Sometimes those lines converge on each other. The cyber and physical convergence is one of the things that CISA is leading the effort ongoing into the new year.
In a water treatment plant, in any kind of a facility where, in the past, it would’ve taken humans to turn valves or turn screws or push buttons, we now rely on the internet to do a lot of those things. So, keeping those closed networks secure, so if we have to rely on a human to go in and turn the wheels, we can still do that, but it’s much easier and much more efficient to let the computers run those things for us.
We use assessments both before and after to make sure that we are doing everything we can to either mitigate what’s already happened, and rebuild from it, or to be more resilient and ensure it doesn’t happen in the future.
Can you give some comment around your agency’s position on resilience?
Being resilient means being aware, saying something when you see something, listening to those in power to a degree when you feel you need to, but understanding that there is a trust built between what the government is saying to you, and you, as the citizen, to have some trust in the knowledge we are being resilient; we are conducting assessments; we are looking forward to the future. We are learning from our mistakes and we’re trying to converge that into something that’s very solid and secure for our citizens.
Can we now touch on the cascading effect from your point of view?
I think understanding the impacts of cascading failures or understanding cascading impacts, probably depends a little bit on the sectors that are involved. People would be worried that when power fails, then water fails or when water fails, then power fails; so, what are the impacts? How does that affect our social life? How does that affect what we do? Think of the social chaos that happens for 24 hours if the power is out. That means traffic lights are out. That means ATMs don’t work. That means you can’t go to the supermarket and check out. That means you can’t get online and watch television. You can’t use the internet. The internet may not necessarily be out, but you don’t have power to run your modem or get power to your computer.
There is a very dwindling population of us that understand what life was like before the internet and the way our life was then, “okay, the power went out, can’t watch TV tonight. Okay, that stinks. I’ll read a book.” It’s very difficult to see the under-35 crowd now think about that. In any western society, we’re so used to flipping on a switch and the lights work. We understand that if a storm comes in, the power may go out. Here in the States, hurricanes come through. Florida did a pretty good job this time of getting power back on in Florida. So, the impacts weren’t quite as high, but unless you work in those specific sectors, when the power goes out at a huge hospital now and it goes out in the middle of surgery, then what?
The cascading impact is knowing if generators are going to kick on. Okay, well, the generators are working, but for how long? Usually, the common person won’t think of it in those terms. We are thinking about those cascading impacts all the time so we can keep those critical lifeline facilities operating, even if it’s at a reduced capacity. We’re allowing, we’re assessing, and analyzing, and running risk mitigation to ensure those critical lifelines continue to work until we get to the point that we can restore full power or we can restore water flow.
Thank you. I really appreciate your time, and thank you for putting that aside for me. That’s really good of you.
Oh, you’re very welcome, thank you and see you in Baton Rouge in 2023.