Often Management and Council members look to the Fire and Police Departments for issues relating to security and public safety. In today’s digital world these two Departments are only a piece of the interwoven puzzle that represents securing City assets. More and more dedicated individuals who never wear a firearm or handle an axe are responsible for protecting and securing critical infrastructure that touches every citizen. Physical location security, digital security and device security are becoming a larger piece of the support requirements for CIOs. As requests for access to SCADA systems and the use of IoT for management and collection of system data continue to increase and expand, the challenges of protecting everything increase as well.
A comprehensive plan for risk analysis and abatement must be in place. Even then, planning is only important to the degree that you have the ability to act upon that plan. When budgets are being reduced and tough decisions are being made about the allocation of resources, suggesting spending both human and fiscal resources on something that might happen becomes more difficult. As the CIO or lead of your digital systems, the decision to push or report will come down to the amount of risk you perceive exists within your specific environment. Every article on security will suggest it is not if but when you experience a breach. For the City of Wichita, the “when” happened in August of 2013: a known issue that was exploited by a foreign actor(s). Not an experience I want to repeat but in the grand scheme of things not overly painful. When we start thinking about power grids and water systems and other major infrastructure, those are the “keep me up at night” items. It is hard for many decision-makers to understand the complexities of these systems in today’s digital environment. Access needs, transport requirements and physical issues all have related security components. Funding physical efforts, such as more Police Officers or new Fire trucks, is the typical response of those decision-makers. But when they are asked for cyber-security funding to protect systems that deliver critical communications, device management, or system access, it becomes more challenging, as these digital systems are not necessarily tangible items that people can see and understand. Often these are complicated interconnected systems that even engineers struggle to fully comprehend. Communicating the security needs of these complex systems to decision-makers can be a daunting task but one that must be addressed.
As we move toward more technology incorporated into our City systems, such as traffic signals, lighting, camera systems and monitoring systems, the interactivity and security of these systems will play an equal role to that of the “physical presence”. Communication, data availability on scene, and additional GIS or analytical data for assisted decision-making are all in digital form, expected to be available within milliseconds of the request or call. All stakeholders need to understand the full cycle of the communication process within these critical systems. Raising the awareness of all parties to digital infrastructure security, and to the devastating consequences that could occur if it were compromised in any way, assists in raising the overall importance of protecting it. When decision-makers, stakeholders and customers have a full understanding of the critical need to secure and protect structures such as water systems, the ability to allocate resources becomes easier as well. We have to stop thinking about public safety in a vacuum. The digital environments we all work in demand a more expansive view and certainly a more inclusive vision of security. It is not just phishing attacks, ransomware, hackers, foreign actors or local hacktivists. It is an ever-growing interconnected network (physical and digital) of people, devices, services, hardware, and software. Taking a holistic approach to reviewing, protecting and managing these environments is the only viable option. Whether that is done on premises, out-sourced, or by a combination of the two is unimportant; because of the inter-connected nature of technology, the critical aspect is the comprehensive nature of the approach.
Security discussions are difficult, especially when they concern money. The complexity of systems, the ever-changing targets, the extensive media coverage, the advanced nature of attacks and the attempt to simplify all of these components into an understandable and actionable report are all attainable items, but it still may not be enough to persuade. You are asking for an insurance policy (metaphorically), and think about how thrilled you are about paying for your personal insurance! I know I need it but if I had the option, I would spend my money elsewhere. This is the same mindset as that of most decision-makers: we need to fix roads, not spend on something that might happen. It is a challenging paradox; risk assessment and allocation of resources to the level they are available is where you have to start. If the risk outweighs the resource, then you must be willing to fight hard for additional resources.