Welcome to the SecAware blog

I spy with my beady eye ...

22 Jun 2018

NBlog June 22 - critical of the critical infrastructure

A comment at the end of a piece in The Register about the safety aspects making it tricky to patch medical equipment caught my beady eye:
"Hospitals are now considered part of the critical national infrastructure in Israel and ought to be given the same status elsewhere".
Personally, I'm not entirely sure what being 'considered part of the critical national infrastructure' really means, in practice. It may well have specific implications in Israel or elsewhere, but I suspect that's just stuff and nonsense.

Those of you who don't work in hospitals, in Israel, or in critical national infrastructure industries and organizations, please don't dismiss this out of hand. Ultimately, we are all part of the global infrastructure known as human society, or wider still, life on Earth, but it is becoming increasingly obvious that we are materially harming the environment (= the Earth, our home) and if Space Force is real (not Space Farce) then even the sky's not the limit.

Within recent weeks on the Korean peninsula, the prospect of something 'going critical' has risen and receded, again. 'Nuff said.

Since we are all to some extent interdependent, we are all 'critical' in the sense of the butterfly effect within chaos theory. It is conceivable/vaguely possible that a seemingly trivial information security incident affecting a small apparently insignificant organization, or even an individual, could trigger something disastrous ... especially if we humans carry on building complex, highly interdependent, inherently unreliable, non-resilient, insecure information infrastructures, consistently glossing over the fine details.

I hear you. "It's OK, Gary, calm down. It's just 'the cloud'. Don't you worry about that." But I'm paid to worry, or at least to think. As a knowledge worker, it's what I do.

Oh and by the way, not all critical infrastructure is global or national in scope. Some is organizational, even individual. I've just done the rounds feeding our animals, lit the fire and made a cup of tea, tending to my personal critical infrastructure.

So if we tag bits of various infrastructures critical, is that going to achieve a material change? No. It's just another label giving the appearance of having Done Something because, of course, Something Must Be Done. Unless it actually leads on to something positive, we are deluding ourselves, aren't we?

It's much the same bury-your-head-in-the-sand self-delusion as 'accepting' information risks. Having identified and analyzed the risks, having considered and rejected other treatments, we convince ourselves that the remaining risks are 'acceptable' and promptly park them out of sight, out of mind, as if they no longer exist. Hello! They are still risks! The corresponding incidents are just as likely and damaging as ever!

Whatever happened to security engineering? Is that in the clouds too? Or am I being too critical for my own good?

Happy Friday everyone. Have a good weekend. Keep taking the Pils.
