With the current list of critical infrastructures inclusive of electricity generation, telecommunication, water, transportation, and financial services you would think society has identified key risk points. I think that would be false. Though key resources are identified for each of the critical infrastructures when we start talking about cyberspace some very basic premises may be broken. I would like to at this time coin a concept of commodity infrastructure. Though this concept has been used to discuss cloud computing and a few other similar concepts it has not been widely used as a threat/vulnerability vector.
We know why something is critical infrastructure, and though different government have different lists, that very difference validates the concept. Not everything is critical to everybody, which is an instructive point to future cyber warriors. We have extensive literature and organizational policies to deal with cyber targeting and defending against attack on critical infrastructures. Those key resources and critical infrastructures that have been defined centralize resource countermeasures even if they are big umbrellas. The large umbrellas of resource planning and mitigation allow for a sense of control even when it is elusive. That isn’t the case in commodity infrastructures. This leaves a gapping policy hole that has yet to be filled.
Commodity infrastructure as a term is usually applied to cloud computing environments. The term though is significantly more malleable. An infrastructure is a societal construct that other capabilities or uses are derived from. The admonition that an infrastructure is critical is applied when events on that infrastructure could have significant deleterious impacts in society. We use as an example of a critical infrastructure the telecommunications system fairly often. But, the electronic fuel injection computer in your car, the video display chipset in your dashboard, the timing system in your oven, are all the commodity users of that infrastructure. The difference is fairly simple to understand using the fact water delivery is a critical infrastructure and your glass a commodity use of that infrastructure.
Why you should care? Entrenched operational and hierarchical processing of threat and vulnerability mitigation planning has resulted in cognitive losses in understanding the relative risk in a distributed environment. Put another way. Military planners look at kinetic planning for taking out key nodes and superimpose that planning process into cyberspace. One way cyberspace is different than other domains is that I can leave the protected infrastructures in place and disrupt, degrade, or destroy the commodity infrastructures at the edge just as easily. A larger principle is that an attacker will absolutely leave the critical infrastructures in place so that I can attack the edge devices. We should have learned these lessons in the computing realm from virus outbreaks but have seemed to lose that lesson over time. By focusing on the personal computer as the edge device SCADA was ignored for many years and other elements of the Internet of things are still ignored. Current political processes are to put all of the “stuff” under the bigger umbrellas but actually looking at organizational focus and policy shows this as a very big hole.
We’ve been talking about cyber physical systems, the Internet of things, medical device hacking, and the larger breadth of cyberspace for a long time. Commodity infrastructure is an unprotected target of opportunity that is relatively ignored even if the principle was alliterated in Cyber Shock Wave on a major news channel for over an hour. Many reasons are given for ignoring the Internet of things, cyber physical systems, and all of the embedded devices. The front-runner of excuses for ignoring these systems is resource constraint, followed quickly by skills gaps, and then followed by an absent technology solution.
We’ve been here before. We have distinct examples from history (Morris Worm, I love you virus, etc.) of commodity infrastructure impacts. A lesson in policy development when the problem is nearly invisible is that it is easier to create fear than build trust. Cyber systems have direct and immediate impacts but when they are working are rarely noticed. Unless you are a mechanic chances are you have nearly no idea of how your car works. Most peoples understanding stops at the “turn key, push there, go vroom” stage of use. That is truly the miracle of modern society. It has allowed the focus on information systems to evolve from low-level programming & protocols (C++, Assembler, TCP/IP) and hardware skills (soldering, trace trouble shooting, POST codes) to highly abstracted application oriented solutions (Python, Ruby on Rails, Hadoop).
A valid criticism of the concept of commodity infrastructures is that perhaps everything becomes a commodity infrastructure. Though that case could be made with the same reasoning used to add National Monuments as a critical infrastructure. The public will is the center of gravity and destruction of that public will is the central critical infrastructure. As such we must assume and assess elements of the commodity infrastructure with reason and balance. Trying to put everything the ocean in a bucket makes no sense when you’re trying to bail out the boat.
The principle of commodity infrastructure should be instructive to understanding the need for flexibility and resiliency and the hidden risks that might exist. Alliteration of the risk vectors could fill many books, but they generally follow an integrity, availability, and confidentiality path. Because, commodity infrastructures are embedded or widely distributed identifying the targeted commodity might seem difficult. A targeting plan though might look for specific components of the commodity infrastructure, a region of them, or even the entirety of the adversary. As such effects might be better scoped and less of an issue for cascade, catastrophic or keystone collapse scenarios. The widely distributed and often embedded nature makes them very hard to protect, but equally hard to access and effect.