Responsible Cyber Infrastructure Development Across Medical Sector

Bottom Line Up Front (BLUF)

The definition of critical infrastructure has expanded from industrial control systems to include the storage of digitized human DNA. I argue that to protect both public safety and personal privacy, we must approach these vulnerabilities through responsible cyber-infrastructure development. By strictly applying the CIA Triad, the NIST Cybersecurity Framework, and rigorous incident response protocols, we can secure both our personal identifying information (PII) and biological data.

The Foundation of Security: The CIA Triad

The CIA triad is composed of confidentiality, integrity, and availability. The creation of the model can be traced to a 1976 U.S. Air Force-commissioned study by the RAND Corporation, which emphasized the need to protect data from unauthorized access (Turn & Ware, 1976). This principle, confidentiality, ensures that sensitive information is accessible only to authorized individuals, using methods like encryption and access controls.

The I of CIA is the concept of integrity. Focusing on the accuracy and trustworthiness of data, it was featured in a 1987 paper by Clark and Wilson. Integrity is maintained through mechanisms like file permissions and digital signatures. The principle of availability came about with the 1988 Morris Worm incident, which caused widespread internet disruptions, exposing the critical need for reliable and timely access to information for authorized users (Federal Bureau of Investigation, 2018).

Within this framework, two critical concepts are authentication and authorization. Authentication is the process of verifying a user’s identity. Authorization, which follows successful authentication, determines what resources an authenticated user can access. An analogy is airport security: showing a government-issued ID is authentication, while the boarding pass grants authorization to board a specific flight. Understanding these concepts is important to implementing a strong security posture. This leads me to my next topic: how do we build the foundation to secure this permanent data? The answer lies in practically applying these historical principles to a modern corporate environment.

The NIST Cybersecurity Framework

If I were stepping into a CISO role, my security program’s blueprint would be the CIA triad. It’s a standard that guides how major players think about security, a fact you’ll see across industry analysis (Splunk, Turner, 2023). It’s a constant balancing act between three core goals. First, we must trust our data. That’s the integrity piece. It means ensuring our numbers are our numbers and haven’t been altered, which we’d manage with things like verified backups and strict change controls. At the same time, we’re protecting its confidentiality: making sure only the right people can see it by using strong encryption and being really disciplined about access rights. That means no working from home, to minimize exposure.

This philosophy is the engine behind official standards like the NIST Cybersecurity Framework, which provides a practical path for putting these ideas into practice (National Institute of Standards and Technology, 2018). The NIST Cybersecurity Framework is a risk-based approach to managing cybersecurity. Its primary benefit is creating a common language that enables clear communication between technical teams and business executives. It is flexible and technology-neutral, allowing organizations to adapt it to their specific risks. Using tools like Profiles and Tiers, organizations can assess their current security posture. I would assist in risk analysis by helping to identify vulnerabilities and assess gaps between current and target security postures. Doing this, my team would have an adaptive and effective cybersecurity program that can scale and respond to varying threats. Ultimately, it’s about piecing these three goals together so they support each other. Doing this correctly isn’t just good IT practice. It’s fundamental to maintaining company confidence, customer trust, and operational stability. We can observe the necessity of these frameworks when examining traditional physical infrastructure, which has recently been exposed to modern cyber threats.

Securing Physical Infrastructure: The SCADA Vulnerability

To explain the vulnerabilities associated with critical infrastructure systems and how they relate to SCADA, you first must know what supervisory control and data acquisition (SCADA) is. SCADA is the heart of modern critical infrastructure. It is used to manage everything from water distribution to electrical grids and traffic lights. While these systems allow efficient centralized control, the increasing connectivity of their components has created increased risk. Understanding the vulnerabilities will help mitigate the possible threat to public safety and national security if the infrastructure is compromised.

Historically, SCADA systems were isolated and independent. However, modern third-generation systems are increasingly networked and use IP for communication. This shift has provided more vectors for the system to be attacked, leading to two types of threats: unauthorized access to control software and network devices. While SCADA is efficient and effective, it’s not the most secure. Consequently, “any person sending packets to a SCADA device is in a position to control it.” This weakness means that if an attacker gains access to the network, either through a compromised internet connection or physically, they can send commands to manipulate physical infrastructure processes (Hosburgh, 2012). It is also noted that the lack of a proper, practiced incident response worsens the issue and the damage. The belief that VPNs offer sufficient protection is a false sense of security.

To mitigate these risks, you need a proactive defense that integrates modern security tools directly into the SCADA environment. Most networks are implementing special industrial-grade VPNs and firewall solutions, as well as whitelisting solutions to prevent unauthorized applications from running and making changes. In his article, Hosburgh describes the incident response plan as the most critical risk mitigation tool, breaking it down into six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. These best practices for risk management can be a great basis for an emergency action plan (EAP). While modern SCADA may have modern vulnerabilities, a detailed defense strategy with a proper EAP can protect critical infrastructure and reduce the impact of a possible security incident. Just as traditional industrial systems moved from isolated environments to vulnerable internet-connected platforms, biological research is undergoing a similar, dangerous transition.

Bio cybersecurity Frontier: DNA as Untrusted Input

Researchers discovered critical security vulnerabilities not in the biology of DNA, but in the software used to analyze it. By encoding a malicious program into a synthetic DNA strand, researchers triggered this flaw during the sequencing process, allowing code execution and remote system control. The software was designed to trust biological data and failed to recognize it as a potential attack.

To mitigate these threats, the researchers recommended adopting cybersecurity-focused isolation strategies. Running analysis software in controlled environments like virtual machines or containers ensures that if malicious code executes, the impact is confined and cannot spread to the host system or network. These layers create a contained environment that protects critical research infrastructure. While a compromised water plant threatens immediate physical safety, the compromise of biological data introduces permanent ethical and societal risks that demand responsible policy development.
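Treating sequencing output as untrusted input can also be enforced before any analysis tool runs, as a complement to the isolation described above. The following is an added example, not code from the researchers or from any sequencing product; it assumes FASTQ-formatted reads, and the size caps and sample records are constructed for illustration.

```python
import re

MAX_READ_LEN = 1000   # assumed cap: longest read the sequencer can emit
MAX_HEADER_LEN = 256  # assumed cap on the "@..." identifier line
BASES = re.compile(r"[ACGTN]+")  # strict nucleotide alphabet


class RejectedInput(ValueError):
    """A record failed validation; quarantine the whole file."""


def validate_fastq(text):
    """Return [(read_id, sequence, quality), ...] or raise RejectedInput."""
    lines = text.split("\n")
    if lines[-1] == "":
        lines.pop()  # tolerate a single trailing newline
    if len(lines) % 4:
        raise RejectedInput("truncated file: line count is not a multiple of 4")
    records = []
    for i in range(0, len(lines), 4):
        header, seq, plus, qual = lines[i:i + 4]
        where = f"record {i // 4 + 1}: "
        if not (header.startswith("@") and 1 < len(header) <= MAX_HEADER_LEN
                and header.isascii() and header.isprintable()):
            raise RejectedInput(where + "bad header")
        if not 0 < len(seq) <= MAX_READ_LEN:
            raise RejectedInput(where + "read length out of bounds")
        if not BASES.fullmatch(seq):
            raise RejectedInput(where + "non-nucleotide character in read")
        if plus != "+":  # strict: the optional repeated id is not accepted
            raise RejectedInput(where + "bad separator line")
        if len(qual) != len(seq) or any(not 33 <= ord(c) <= 126 for c in qual):
            raise RejectedInput(where + "quality string mismatch")
        records.append((header[1:], seq, qual))
    return records


def reason_for(text):
    """Return None if the file is accepted, else the rejection reason."""
    try:
        validate_fastq(text)
        return None
    except RejectedInput as exc:
        return str(exc)


# Constructed sample inputs (not real sequencing data).
GOOD = "@read1\nACGTN\n+\nIIIII\n"
OVERSIZE = "@read2\n" + "A" * 1001 + "\n+\n" + "I" * 1001 + "\n"
BAD_ALPHABET = "@read3\nACGT;X\n+\nIIIIII\n"
MISMATCH = "@read4\nACGT\n+\nII\n"
```

A rejected file is quarantined rather than repaired, and accepted files still go to the analysis software inside the virtual machine or container.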

The Philosophy of Responsible Cyber-Infrastructure Development

The concept of treating biological data as “untrusted input” has interesting ethical and security implications. It challenges the assumption that scientific data is a neutral force, a shift in how genetic information is handled. Everyone should have the right to do something that has the potential to better their health or personal knowledge. Consumer data testing is a good thing and could be worth potential data breaches depending on your personal needs. The possibility of it being compromised shouldn’t hold people back. However, it is on the companies that process and store this data to keep it secure, to not do the bare minimum, and to provide reasonable security for PII data.

Unlike your Social Security number, your DNA is unchangeable, so a data breach of your DNA is irreversible. This is why DNA companies should be held to the highest standard when it comes to data security. Even if your DNA data has not been exposed, you can still be a victim of genetic discrimination, in which a person is treated differently based on their genetic makeup with regard to health insurance or jobs. Luckily, the Genetic Information Nondisclosure Act (GINA) has been set in place to protect US citizens from these exact fears. But there are loopholes or gaps in policy, which is why genetic PII and how it is used should be closely monitored to ensure people’s liberties are not being violated.

The concept of “hacking humans” is new when considering biological data. While traditional human factor security focuses on vulnerabilities like malware that can be mitigated by changing passwords or credentials, a breach of genetic data is permanent. The potential for DNA to be stolen and used for any purpose by criminals presents a new front for cybersecurity professionals, changing how we must approach security since it cannot be undone.

Conclusion

In conclusion, the evolution of networked technology has turned both physical SCADA systems and biological DNA databases into highly vulnerable critical infrastructures. I believe that by mandating adherence to the CIA Triad, the NIST Cybersecurity Framework, and rigorous incident response planning, we can mitigate these existential risks and protect individuals from irreversible data breaches. I am unsure whether any policy or technical framework can permanently secure something as fundamental as human DNA. As technology has outpaced regulations, there are essential questions left unanswered about how bad actors might weaponize both industrial controls and genetic data in ways we cannot yet predict. While GINA and isolation strategies are strong starts, the cybersecurity landscape remains incredibly complex. Nevertheless, demanding the highest security standards for both our physical utilities and our biological data is a necessary first step.
