Dr. David Mussington serves as the Executive Assistant Director for Infrastructure Security at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Since February 2021 he has led CISA’s efforts to secure the nation’s critical infrastructure in coordination with government and private-sector partners. Key areas of focus include vulnerability and risk assessments; securing public gatherings; developing and conducting training and exercises; and securing high-risk chemical facilities.
Immediately prior to joining CISA, Mussington was Professor of the Practice and Director for the Center for Public Policy and Private Enterprise at the University of Maryland School of Public Policy. His research and teaching activities focused on integrated cyber physical system risk management, election cybersecurity, and critical infrastructure security risk management. He formerly served as the U.S. Department of Defense Senior Adviser for Cyber Policy and on the Obama administration’s National Security Council staff as Director for Surface Transportation Security Policy.
With 16 critical infrastructure sectors that CISA defines as vital to security, national economic security, or national public health or safety, HSToday sat down with Mussington to discuss critical infrastructure threats and risk mitigation.
Q: Recent propaganda from domestic violent extremists has encouraged and provided instructions for attacks on a variety of critical infrastructure sectors. How do you view these threats and how is CISA working with sectors on protection?
A: I view these threats pretty seriously. I think that they’ve been visible; the narrative of the threats is serious and has been in NTAS [National Terrorism Advisory System] bulletins for a while. And, unfortunately, of course, we’re seeing attacks that resemble those that we’ve been warned about for a while. CISA’s role is that we’re involved in mitigating physical and cyber risks to critical infrastructure, so we’re concerned about priority infrastructure across the 16 critical infrastructure sectors — of which, of course, we are SRMA [Sector Risk Management Agency] for eight. That concern is because we’re worried about what violent extremists might be able to do to critical infrastructure in terms of disruption of critical services, and we obviously provide guidance as practice input to critical stakeholders, critical infrastructure operators, to allow them to mitigate risk and exercise self-help. So concerning? Definitely. Presaged or foreshadowed by warnings from DHS or the DHS level for more than a year. Unfortunately, it’s confirmation of the threats that we’ve been worried about.
Q: How can critical infrastructure sectors address the potential for insider threats, including employees radicalized after the point of hire?
A: We think that the best way to mitigate those sorts of threats is through a systematic program. Ad hoc activities are just not likely to be scalable, so if you operate a critical infrastructure, which is, of course, a system of systems, you need to be able to have a predictable way of managing insider risks, and that means using an insider threat framework with elements such as defining a threat, detecting and identifying that threat, having an assessment program for that threat, and managing the threat and risk should it occur.
Q: What unique vulnerabilities do chemical facilities face and how can they defend against these threats?
A: So I think the focus needs to shift a little bit from chemical facilities because people holding the concerning chemical, as under the CFATS [Chemical Facility Anti-Terrorism Standards] regime, are beyond simple facilities — not that it’s just a factory that looks like it has towers with vapor coming from them; that’s sort of not an accurate or effective perspective of where the risk lies. Because we use chemicals in so many different parts of the U.S. economy, from retail to industrial processes, there’s a certain level of vulnerability that we have to live with. What we need to worry about or focus on is those who will weaponize potentially dangerous chemicals that have dual use or perfectly permissible and legal applications. So think about people who misuse chemicals to construct IEDs. Think about people who would use their access to chemicals for illicit purposes, for crime. It’s those use cases that we need to focus on, as well as a limited number of chemicals themselves that are regulated through the CFATS framework.
Q: What did your time in the transportation sector show you about the unique threats and protection issues faced by ground transportation infrastructure?
A: What it showed is that some people think that transportation is simply a physical infrastructure security challenge without noticing that transportation, like most of the other critical infrastructures we have, is actually a converged cyber-physical system with internet-facing elements, with applications, IoT or internet of things, and industrial technology — basic systems from railroad locomotives to switching to routing to how eventually hazardous cargos are moved around in specially reinforced vehicles and train cars. I think that from the freight side, from the mass transit side, and from the inter-city passenger rail side, it’s important to keep track of the increasing cyberization, I suppose, or the integration of cyber technologies into all aspects of those systems. That means that they have potential risk exposure to the same IT and OT vulnerabilities that non-transportation critical infrastructures have. So a lot of the best-practice guidance that we publish through our publications, through our outreach, to sector stakeholders and to state, local, territorial and tribal authorities also pertains to transportation; obviously, in this case, DHS and DOT are both co-SRMAs, so we have special risk-management responsibilities for the sector. But the guidance is still consistent — based on standards, based on best practices, and based on the risk experience of the sector both at home and abroad.
Q: What are some critical cyber threats being faced by infrastructure sectors?
A: It’s fair to say that the more devices you connect to industrial systems, the more there’s a potentially expanded attack surface that can be exploited by adversaries. So that point — unsecured or less well-secured IT and OT systems being connected to the internet — is a key vector that adversaries can use to get access to data, key systems, and availability of systems to impede the American public’s access to key services. For example, ransomware that gets in because of poor cybersecurity on computers. One thing about OT systems — obviously, these are different and have different uptime and other responsibilities — is that should they be victimized by internet-exposed systems that aren’t adequately protected, they can be persistently implanted by advanced adversaries. That allows that adversary to basically penetrate a system and then go quiet for an extended period of time, enabling a future option that may be either ransomware or some other nefarious activity at the attacker’s point of decision. We may not know, or have a very difficult time detecting, the persistent access of a sophisticated actor under that scenario. And we also have to worry about cyber intrusions that allow manipulation of information – here, that’s more of a deception or spoofing scenario where key systems can be made to misbehave. You can think of water treatment systems or other systems where critical infrastructures can be made to deceive operators into thinking they’re in one state of operation when they’re actually in another, causing impairment of function and system availability that can have some economic and other consequences.