This is part one in a five-part series written by Dr. Edward Amoroso of TAG Cyber and Gen. Keith Alexander of IronNet Cybersecurity.
Cybersecurity risk is now a mainstream consideration for any organization with valued assets. This is particularly true for any team with responsibility to provide essential services, including ones that might have safety or life-critical implications if not properly protected. Power companies, financial services firms, telecommunications companies, military organizations, and government agencies all come to mind as dealing with this type of growing risk – and all operate large-scale infrastructure.
What are the cybersecurity challenges of large versus small-scale infrastructure?
Early computer security methods in the 1980s and 1990s were designed to address small-scale risks to systems with modest size, scope, connectivity, and scale. Early Windows PCs, for example, were typically protected with anti-virus software, packet filtering rules, non-complex passwords, and basic malware scanners. While these methods might seem less impressive today, the threat was simpler in the early days, and most users felt reasonably safe.
As technology expanded, however, and large-scale infrastructure emerged that was dependent on computing for operation and control, the security risks grew accordingly. Unfortunately, many of the protections applied to large-scale cybersecurity were derived from early Windows PC security approaches. It is not uncommon today, for example, to find critical infrastructure security centered primarily on the use of the basic PC security capabilities mentioned above.
Familiar small-scale controls do, of course, play a role in protecting large-scale infrastructure. Passwords and firewalls, for example, are required to mitigate certain threats, regardless of the size of the assets being targeted. At the same time, however, the unique needs of large-scale systems demand security controls that match their broad characteristics. Any control that requires manual handling, for example, might be fine for a small system but impossible to manage across a massively scaled system.
Differences between large- and small-scale security can be seen in common system management tasks. Maintenance, for instance, is manual for modest systems, but automated at scale. Gaining visibility in small-scale environments is simple, and assets are fairly well-known. Visibility is more complex for larger systems, and asset inventories are approximated at best. Finally, configuration tasks for small systems tend to be fixed, whereas larger environments must deal with ever-changing system attributes.
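The visibility and configuration points above are easiest to see in practice when a declared asset inventory is reconciled against what is actually observed on the network. The script below is an added illustration, not code from the article or its authors; the inventory records and the observed host records are constructed sample data standing in for a CMDB export and passive DHCP/flow monitoring. It reports hosts that were seen but never declared, declared hosts that were never seen, and declared hosts whose observed services have drifted from their recorded baseline, which is exactly where an inventory that is "approximated at best" starts to hurt.

```python
"""Reconcile a declared asset inventory against observed network evidence.

Added example with constructed data; it does not represent any real
organization's inventory or monitoring output.
"""
from dataclasses import dataclass, field

# Constructed CMDB-style records: what the operator believes exists,
# keyed by IP, with the services each asset is expected to expose.
INVENTORY = {
    "10.0.1.10": {"hostname": "hist-01", "role": "historian", "baseline_ports": {22, 443}},
    "10.0.1.20": {"hostname": "hmi-02", "role": "hmi", "baseline_ports": {443}},
    "10.0.2.5": {"hostname": "plc-07", "role": "plc", "baseline_ports": {502}},
}

# Constructed observations, e.g. from passive DHCP or flow monitoring:
# what was actually seen talking on the network during the collection window.
OBSERVED = [
    {"ip": "10.0.1.10", "hostname": "hist-01", "ports": {22, 443}},
    {"ip": "10.0.1.20", "hostname": "hmi-02", "ports": {443, 3389}},    # RDP not in baseline
    {"ip": "10.0.3.99", "hostname": "unknown-laptop", "ports": {445}},  # never declared
]


@dataclass
class Reconciliation:
    unknown_hosts: list = field(default_factory=list)   # observed, not in inventory
    silent_hosts: list = field(default_factory=list)    # in inventory, not observed
    drifted_hosts: dict = field(default_factory=dict)   # ip -> ports beyond baseline


def reconcile(inventory, observed):
    """Compare declared inventory with observed hosts and classify the gaps."""
    result = Reconciliation()
    seen = {o["ip"]: o for o in observed}

    for ip, record in inventory.items():
        if ip not in seen:
            result.silent_hosts.append(ip)
            continue
        # Configuration drift: services exposed that the baseline never recorded.
        extra = seen[ip]["ports"] - record["baseline_ports"]
        if extra:
            result.drifted_hosts[ip] = sorted(extra)

    for ip in seen:
        if ip not in inventory:
            result.unknown_hosts.append(ip)

    result.unknown_hosts.sort()
    result.silent_hosts.sort()
    return result


def inventory_coverage(inventory, observed):
    """Fraction of declared assets that were actually observed.

    A low value is a direct measure of how approximate the inventory is;
    at scale this number is tracked over time rather than assumed to be 1.0.
    """
    if not inventory:
        return 0.0
    seen_ips = {o["ip"] for o in observed}
    return len(seen_ips & set(inventory)) / len(inventory)


if __name__ == "__main__":
    r = reconcile(INVENTORY, OBSERVED)
    print("unknown hosts :", r.unknown_hosts)
    print("silent hosts  :", r.silent_hosts)
    print("drifted hosts :", r.drifted_hosts)
    print("coverage      : %.2f" % inventory_coverage(INVENTORY, OBSERVED))
```

At small scale this comparison is something an administrator can do by eye; at large scale it has to run continuously against automated feeds, and each of the three output lists maps to a different follow-up (onboard or block the unknown host, confirm the silent asset is decommissioned or merely quiet, and review the drifted service against change records).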