A high-level advisory group is calling on the Trump administration to prepare for a sci-fi world "in which the physical, cyber, and virtual merge," according to a report released last week.
The National Security Telecommunications Advisory Committee, a group of 23 technology executives, warned that "maintaining the status quo is inadequate and unacceptable" for dealing with breakthroughs ranging from autonomous vehicles to artificial intelligence.
"The Government must act with unprecedented speed and rigor to address cybersecurity challenges, making fiscal and regulatory commitments that enable upgrades in technology and utilizing security models that improve governance and operational efficiency," wrote members of the committee, chaired by Renée James, director of software giant Oracle Corp.
The report, dated July 14 but only recently made public, highlights the pros and cons of virtualization technology that could rewrite the rules for operating the U.S. power grid and other critical infrastructure networks.
Such "software-defined networking" hasn’t yet caught on among large power utilities, experts say, though a few companies have launched pilot projects. The technology offers a way to manage grid networks at a virtual level distinct from the constant chatter among physical control system switches and devices.
That central control layer could have a "two-edged effect" for critical infrastructure, the report concluded, allowing for faster recovery from disruptions, while raising the risk that a successful cyberattack could quickly ripple across an entire network.
"It’s going to be groundbreaking," said Mike Smith, founder and CEO of Acacia Security and a former cyber policy adviser at the Department of Energy’s Office of Electricity Delivery and Energy Reliability. "The sooner you embrace and start investigating these types of leading edge technologies, the sooner you’ll get to a point where you’re more secure and resilient."
Smith consults for Veracity Industrial Networks, a firm that specializes in software-defined networking for control systems. Veracity is currently working on a research project with DOE, industrial automation firm Schweitzer Engineering Laboratories and utility Sempra Energy to manage grid field networks from a central, secure controller, dubbed "Chess Master."
Separately, grid regulators at the North American Electric Reliability Corp. are looking to add software-defined networking guidelines to the next set of critical infrastructure protection standards.
The National Security Telecommunications Advisory Committee considers the technology to be "near-term transformative" and urged homeland security officials to review its effects on emergency preparedness, response and recovery.
"Fully realized, SDN and virtualization could significantly enhance the resiliency of critical networks and become an important [national security/emergency preparedness] tool," the report said.
Internet of things
The committee also addressed "daunting" security challenges from the fast-growing "internet of things," a category of connected devices that can include everything from webcams to pacemakers.
The report called on the White House to "develop plans to manage security risks created by current and future IoT deployments," expected to exceed 20 billion devices by 2020.
Emergency planners "may need to start treating parts of the IoT architecture as critical infrastructure that should be protected during incidents," the report added.
"Many people think of IoT as a consumer problem … things like the smart lightbulb, the connected fridge," said Ted Harrington, executive partner at Independent Security Evaluators and an expert in IoT security. "But IoT is about communication; the ability for devices to communicate with each other and with humans and the outside world."
By that definition, IoT includes key sensors on grid networks, gas pipelines and water delivery systems, Harrington noted. He said he agreed with the report’s recommendation to treat IoT as critical infrastructure and secure it accordingly.
"As companies, people and governments are deploying these connected devices, they’re deploying news ways that adversaries can attack — yet they’re not, in many cases, being adequately considered in the security model," he said. "The danger is lying in wait right now."