Need for Improved Critical Industrial Infrastructure Protection

2,038 views
1,954 views

Published on

Presentation to National Coal Council on need for improved critical industrial infrastructure protection in energy sector.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,038
On SlideShare
0
From Embeds
0
Number of Embeds
853
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Need for Improved Critical Industrial Infrastructure Protection

  1. 1. Urgent Need for Improved Critical Industrial Infrastructure Protection By William J McBorrough, MSIA, CISSP, CISA, CRISC, CEH Principal, Secure Intervention
  2. 2. Agenda Introduction What is the risk? What are the threats? What can government do? What can Industry do? Closing thoughts Questions
  3. 3. Introduction Critical Industrial Infrastructure includes electricity grids, nuclear power plants, coal power plants, water and sewer facilities, etc 85% owned and operated by private, for-profit interests.
  4. 4. What is the risk? According to Department of Homeland Security – “ Attacks using components of the nation’s critical infrastructure could disrupt the functions of government and business and have devastating physical and psychological consequences.”
  5. 5. What are the threats? On June 1, New York Times reported cyber attack against Iran’s Nantanz nuclear power plant, which was first discovered in June 2010, was the work of US and Israel.1 ‘Stuxnet” was a computer worm that was hand carried into facility. It infected the control systems causing physical damage.
  6. 6. What are the threats? ……cont’d In May 2012, the Department of Homeland Security warned of ongoing cyber attacks against “gas pipeline sector”.2 Attacks began in December 2011 Attacks use sophisticated spear-phishing techniques
  7. 7. What are the threats? ……cont’d In October 2011, security researchers released a report detailing discovery and analysis of “Duqu”.3 Duqu bears similarities to Stuxnet, possibly by some responsible parties. Duqu is an espionage malware used to gather information useful in attacking industrial control systems.
  8. 8. What are the threats? ……cont’d In 2010, McAfee released a global “Critical Infrastructure Protection” report stating “ 80% of companies surveyed faced large-scale denial of service attacks, and 80% experience a network infiltration” .4
  9. 9. How can government help? Reasonable regulatory framework like the Security and Regulatory Standards by National American Electric Corporation (NERC) for bulk power industry Increased public-private collaborations through programs like FBI’s Infragard and National Infrastructure Protection Center Countries like China, Japan and Italy have already taken more aggressive stance including government regulations and audits
  10. 10. What can industry do? Participate in public-private collaborative efforts and help drive regulatory framework that actually makes sense. Implement internal policies and procedures to govern use of systems and networks Increase security controls in your networks and systems
  11. 11. Closing thoughts Successfully tackling the problem requires the public and private sectors working together. Technological advances like smart grids provide significant benefits, but also introduces huge security risks. More action is needed now to avoid the inevitable over- reaction that will undoubtedly follow the also evitable catastrophic attack against our critical infrastructure.
  12. 12. Questions? Welcome to send follow up question to me at wjm4@secureintervention.com Connect on LinkedIN at www.linkedin.com/in/mcborrough Follow me on Twitter @securnetworks
  13. 13. References http://www.nytimes.com/2012/06/01/world/middleeast/obam a-ordered-wave-of-cyberattacks-against-iran.html1 http://www.csmonitor.com/USA/2012/0505/Alert-Major- cyber-attack-aimed-at-natural-gas-pipeline-companies2 http://www.crysys.hu/publications/files/bencsathPBF11duqu. pdf3 http://www.mcafee.com/us/resources/reports/rp-critical- infrastructure-protection.pdf4

×