Urgent Need for Improved Critical Industrial Infrastructure Protection. By William J McBorrough, MSIA, CISSP, CISA, CRISC, CEH, Principal, Secure Intervention
Agenda: Introduction. What is the risk? What are the threats? What can government do? What can industry do? Closing thoughts. Questions.
Introduction: Critical industrial infrastructure includes electricity grids, nuclear power plants, coal power plants, water and sewer facilities, etc. 85% is owned and operated by private, for-profit interests.
What is the risk? According to the Department of Homeland Security: “Attacks using components of the nation’s critical infrastructure could disrupt the functions of government and business and have devastating physical and psychological consequences.”
What are the threats? On June 1, the New York Times reported that the cyber attack against Iran’s Natanz nuclear power plant, which was first discovered in June 2010, was the work of the US and Israel.1 “Stuxnet” was a computer worm that was hand-carried into the facility. It infected the control systems, causing physical damage.
What are the threats? (cont’d) In May 2012, the Department of Homeland Security warned of ongoing cyber attacks against the “gas pipeline sector”.2 Attacks began in December 2011. Attacks use sophisticated spear-phishing techniques.
What are the threats? (cont’d) In October 2011, security researchers released a report detailing the discovery and analysis of “Duqu”.3 Duqu bears similarities to Stuxnet and is possibly the work of the same responsible parties. Duqu is espionage malware used to gather information useful in attacking industrial control systems.
What are the threats? (cont’d) In 2010, McAfee released a global “Critical Infrastructure Protection” report stating “80% of companies surveyed faced large-scale denial of service attacks, and 80% experience a network infiltration”.4
How can government help? A reasonable regulatory framework, like the Security and Regulatory Standards by National American Electric Corporation (NERC) for the bulk power industry. Increased public-private collaboration through programs like the FBI’s InfraGard and the National Infrastructure Protection Center. Countries like China, Japan and Italy have already taken a more aggressive stance, including government regulations and audits.
What can industry do? Participate in public-private collaborative efforts and help drive a regulatory framework that actually makes sense. Implement internal policies and procedures to govern the use of systems and networks. Increase security controls in your networks and systems.
Closing thoughts: Successfully tackling the problem requires the public and private sectors working together. Technological advances like smart grids provide significant benefits, but also introduce huge security risks. More action is needed now to avoid the inevitable overreaction that will undoubtedly follow the also inevitable catastrophic attack against our critical infrastructure.
Questions? Feel free to send follow-up questions to me at firstname.lastname@example.org. Connect on LinkedIn at www.linkedin.com/in/mcborrough. Follow me on Twitter @securnetworks.