Critical infrastructure is a major target for cyber attacks. From oil and gas production to power and water utilities, these systems form the backbone of civil society.  Cyber attackers know this, which is why many high-profile attacks have targeted critical infrastructure, including the Shamoon virus at Saudi Aramco, the attack on RasGas, and the Stuxnet worm.  These attacks have raised cybersecurity awareness and, in some cases, utility companies have even increased their IT budgets.  Unfortunately, many of these efforts fail to recognize a dangerous fact:  much of the nation's critical infrastructure is controlled by systems that are not managed by IT departments or their cybersecurity leaders.  

To understand why, you have to look at the evolution of these systems, called SCADA for short (Supervisory Control and Data Acquisition).  Before SCADA systems, infrastructure was controlled on-site, through mechanical valves and control boards.  Because they were critical to the operation of power plants and water facilities, these controls were kept locked behind physical security measures, often in restricted areas and sometimes physical vaults.  The first SCADA systems were operated by mainframe computers, and they represented a vast improvement over manually-controlled systems, enabling more finely-grained control and centralized management.  These first-generation systems were not connected to one another or the outside world.  The next generation was distributed, and they served as the foundation for today's networked SCADA systems, which operate using traditional Internet Protocols (IP) and are vulnerable to attack.  

From the beginning, however, SCADA systems have been under the management of operators and mission units.  This has meant that as organizations adopted cybersecurity best practices, SCADA systems were shielded from these broader developments.  Inside many critical infrastructure operations today you will find two discrete technology units:  general IT, overseen by a Chief Information Officer and Chief Information Security Officer (CISO), and SCADA systems, managed by mission units.  Cyber adversaries look to attack both systems and do not share this disparate alignment, putting critical infrastructure at risk.  

To remedy this division, operators must work to empower their CISOs with the authority to incorporate SCADA systems into their cybersecurity strategy.  But this isn't just an organizational challenge.  SCADA systems vary in age and capability, even within the same organization, complicating cybersecurity measures.  Fully ensuring their long-term security will require a concerted technological and management effort, including the deployment of computer network defense, cyber threat analysis, incident response and forensics.  Only then will critical infrastructure be truly defended against today's emerging threats.