Per the resource, there are currently 16 different sectors within the Critical Infrastructure network. Is this enough? Are there any potential critical resources that you think have been overlooked? If so, what are they and why are the critical?

The 16 sectors are enough to cover the areas of critical infrastructure but certain areas of infrastructure should be emphasized more. For example networking presents a serious threat in the US due to the interconnectivity and the growth of the Internet of Things (IoT).  IoT refers to the networking of physical devices using a variety of software, electronics, and networking connectivity to collect and share data. The IoT has grown to encompass almost everything from vehicles to refrigerators in an effort to create smart devices that provide convenience and efficiency for human activities. There can be no doubt that this trend in technology has provided tremendous economic benefit as well as changing the manner in which Americans live their lives.  The growth of IoT continues at an accelerated rate as more and more devices become connected to one another in order to provide these benefits. However, while IoT provides tremendous benefits it is also a growing risk which threatens not just individuals but also critical infrastructure.  This problem has resulted from a lack of security in most of the IoT devices that are created and the storage and sharing of information that is collected from these devices.  The problem with this integration of devices is that there is no standard on security from intrusion that is present in other technologies such as networking and cloud computing. The devices themselves, are inherently insecure due to the process of manufacturing and the need to be competitive.  This problem is easily seen in the devices and needs that form the backbone of the IoT.

A strong example of IoT insecurity can be found in one of the most ubiquitous form of this technology- the smartphone. Most, 87% of smartphones are considered insecure when compared with networked devices such as computers and other servers (Greene, 2016). The reason for this insecurity is that the programming for smartphone is not tested in the same manner as network computers. For example, an android phone has a limited life of 3-5 years which means that this phone is unlikely to experience large data breaches during its lifespan and large issues can be patched after it has been sold (FTC, 2013). The reason that companies release these phones with inherent security flaws is that it is not competitive or cost effective to make them secure prior to selling. The cost of a secured phone would increase cost of the phone substantially and reduce competitive advantage because these phones would never make it to the market in time to compete with similar phones.

The risk with these devices is that they can be hijacked and used to carry out bot attacks on critical infrastructure. This problem already occurred when an influential security blogger for Akamai (a security service) was attacked by:

A giant botnet made up of hijacked internet-connected things like cameras, lightbulbs, and thermostats has launched the largest DDoS attack ever against a top security blogger, an attack so big Akamai had to cancel his account because defending it ate up too many resources (Greene, 2016).

These large volume attacks need to be considered as potential threats to critical infrastructure. If hackers attack a hospital network they can shut down an entire system and put hundreds of lives at risk. While these threats are relatively low in probability, their threat represents a serious problem for users who have large amounts of data stored on these devices because once a hacker gains entry to a device, the data is automatically placed at risk.

References

FTC. (2013, November). Internet of Things . Retrieved from FTC:

Greene, T. (2016, September 23). Largest DDoS attack ever delivered by botnet of hijacked IoT devices. Retrieved from NetworkWorld: