Critical infrastructure: The five biggest technology mistakes

Security pitfalls and how to avoid them

Recent shifts in the viability of many emerging security technologies are stirring action by critical infrastructure security professionals.

Some of the more creative technology innovations introduced in recent years have worked out their initial kinks and are starting to justify some of their previous hype. At the same time, these products are becoming more reasonably priced. As a result, security managers are rightfully considering and deploying more advanced security technology as important components of their security programs.

It makes perfect sense that planning and implementing modern security systems requires special attention to every detail - ensuring that the totality of equipment and systems functions as intended, does not over-burden administration, operations or maintenance staff, and maximizes its intended benefits. Individual technologies must also integrate to provide greater situational awareness, thereby amplifying any "force multiplier" potential to quicken return on investment.

The old axiom of "Good news travels fast and bad news is waiting when it gets there" does not seem to apply as much to security technology mistakes made by critical infrastructures. Many clients are uncomfortable sharing details from their technology implementation failures and political pressure is sometimes applied to lower the profile and embarrassment of dollars wasted on technology missteps.

The benefits of sharing these lessons learned, however, far outweigh any short-term perceptions. To help critical infrastructure end-users get maximum benefit from security technology systems, let's review five of the most common security technology deployment mistakes made by critical infrastructure protectors, along with tips for how to avoid them.

Mistake #1: Believing what you read and hear.

The security industry does not oversee or regulate what manufacturers print or say about their products. This is not to say that some manufacturers don't strive to provide honest information, but laypeople (and professionals) do not have the ability to determine the difference between real-world data and manipulated results.

Finding unbiased information about products is annoyingly difficult. Trying to learn a company's strategic vision for its products and a particular product line is harder. Forecasting which companies may purchase competitors, then absorb or otherwise eliminate products, is impossible.

The flood of proprietary specialty products amplifies the problems faced by decision-makers. For critical infrastructures especially, there can be pressure to hurry along technology deployments and expedite implementations.

How do you address these challenges? First, be skeptical of everything. Focus less on technical data like pixel counts and error rates and more on head-to-head evaluations in real-world conditions like your own.

Seek unbiased and experienced evaluations and advice. If you belong to an industry group or other peer network, use its membership to solicit feedback on what works and what does not. If you are relying on a peer with an identical system, visit them directly rather than take anyone's word for the effectiveness of their systems.

Before you commit to implementing any particular technology, conduct "proof of concept" testing at your facility to replicate how the proposed technologies will perform, and, more importantly, whether the technology meets your real needs.

This is different from "Beta" testing that lets others use you as a guinea pig for their product development while learning how their products perform at your expense. Too many users accept these test systems to cheaply augment their existing security to the detriment of the overall program.

Mistake #2: Technology will solve all your security problems.

Every security technology is only as good as the complete security program that supports it. History has demonstrated time and again that the simplest breakdowns can render the most sophisticated security systems useless. This is especially true with critical infrastructures - where an abundance of territorial stakeholders increases the odds of operational and procedural breakdowns.
