Need for Improved Critical Industrial Infrastructure Protection


Article discussing need for coordinated efforts by government and private industry to improve critical industrial infrastructure protection.

Published in: Technology, News & Politics

By William McBorrough, MISA, CISSP, CISA, CRISC, CEH

This is a follow up to my article, No National ‘Stand Your Cyberground’ Law Please, which was a response to a proposal to allow private companies to fight cyberattack with cyberattack. I discussed why I do not believe that to be a wise course of action. That proposal led me to reflect on industry and government efforts with respect to privately owned and operated critical industrial infrastructure.

Most stakeholders would agree that it is in the national interest for government to be involved in the defense of those networks upon which these infrastructure components operate. When these networks come under serious threat, government’s response or involvement will range from a totally hands-off approach (and no one believes that works, but that is pretty much the status quo) to complete takeover in response to the attack. As we are not a country enamored with the idea of government takeover of things, striking the right balance is crucial to the success of any ongoing effort in this regard.

Why is government’s involvement so critical?

85% of our nation’s critical industrial infrastructure is owned and operated by private interests. This includes electricity grids, nuclear power plants, water and sewer systems and other utilities. According to the Department of Homeland Security website, these are classified as critical because:

"Attacks on critical infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.

Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence.

Attacks using components of the nation’s critical infrastructure as weapons of mass destruction could have even more devastating physical and psychological consequences."

Is our critical industrial infrastructure under significant threat today?

Absolutely. However, before one can formulate an adequate response strategy, one has to fully grasp and consider the true state of affairs. The excerpt from the DHS website above makes clear why those with intentions to do harm to the US would target non-government, non-military sectors considered critical to our very way of life. Recent public reports have clearly demonstrated that the technological means exist to both infiltrate and cause significant damage to systems upon which we depend.
Consider the following:

  • It was reported by the Christian Science Monitor in May that the Department of Homeland Security sent out several alerts warning of a “gas pipeline sector cyber intrusion campaign” against pipeline companies. According to the Department, the attacks began as early as December of 2011 and were still ongoing. These were sophisticated spear-phishing attacks targeting personnel with these companies. Spear-phishing is a common attack method used to infiltrate corporate networks.
  • On June 1, the New York Times reported confirmation of what most in the security community suspected all along: that cyberattacks against Iran’s Natanz nuclear power plant were the work of the US and Israel. First discovered in July of 2010, the computer worm, codenamed “Stuxnet” by security researchers, was reportedly hand-carried on a USB by an Israeli double agent into the facility. The worm infected the control systems of the facilities, causing physical damage to the uranium enrichment infrastructure before escaping onto the Internet and spreading.
  • In October of 2011, the Laboratory of Cryptography and System Security released a 60-page report about a computer worm they had discovered and analysed, codenamed Duqu. Duqu is thought to bear some similarities to Stuxnet, but its purpose appears not to be destructive but to gather information that could be useful in attacking industrial control systems.

Additionally,

  • For more than a decade, industrial systems have been under attack. Though these attacks have not garnered the publicity of Stuxnet or Duqu, the Repository of Industrial Security Incidents (RISI) maintains a database of cyber incidents that have affected "process control, industrial automation or Supervisory Control and Data Acquisition (SCADA) systems."
  • A McAfee CIP report of critical industrial infrastructure worldwide reported in 2010, "80% of companies surveyed faced a large-scale denial of service attack, and 85% had experienced a network infiltration."

What is the appropriate role for government?

According to the McAfee report, governments like China, Japan and Italy have taken an aggressive stance in protecting their civilian critical infrastructure with increased security requirements and government audits of security controls. Any debate in this country about the need for increased government regulation of critical infrastructure protection should have effectively ended with the discovery of Stuxnet.
In 2006 the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by the North American Electric Corporation (NERC), making the Critical Infrastructure Protection Cyber Security Standards mandatory for the bulk power industry. Similar standards need to be uniformly applied across other sectors of our industrial critical infrastructure.

There also needs to be increased collaboration between the public and private sectors with programs like InfraGard and the National Infrastructure Protection Center. Legislative efforts like the Lieberman-Collins "Protecting Cyberspace as a National Asset Act of 2010" and the "Cyber Intelligence Sharing and Protection Act" have been met with much controversy. However, legislation is clearly needed to codify the role of government as well as appropriate protections for privacy and limitations on intrusiveness. The time for such legislation is long overdue. Certainly, waiting until after a major cyber attack would make impossible careful consideration of appropriate legislation.

Even more controversial have been government’s efforts at deploying technical solutions to monitor private critical infrastructure networks. Such an effort may or may not be technologically feasible at present, but private industry alone has not proven up to the task.

What can industry do?

In addition to governmental initiatives, industry also needs to step up in the following ways:

  • Increase security controls in their networks and systems through the implementation of technologies such as multi-layered authentication and access controls, encryption, and monitoring.
  • Implement internal policies and procedures to govern use of networks and systems, including employee access, data stewardship, Internet connectivity, removable media and physical access, and implement an effective user security education program.
  • Participate in effective partnerships with government for increased information-sharing collaboration and help drive implementation of reasonable regulation.

Successfully tackling the problem of critical infrastructure protection will take concerted efforts from both the public and private sectors. An appropriate governance structure with roles and responsibilities defined and allocated is needed. Technological advances like smart grids provide significant benefits but also increase our risk. More action is needed now to avoid the inevitable over-reaction that follows the more inevitable catastrophic attack against our critical infrastructure.

Source: -for-improved-critical-industrial-infrastructure-protection/
About the author: William J McBorrough is a Security Expert with many years of success Managing, Designing, and Implementing medium and large enterprise Physical and Information Technology Security Solutions. His experience spans the spectrum from small e-commerce start-ups to multi-campus state and federal agencies to global financial sector organizations. He is on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College, where he conducts research and teaches graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He holds a Bachelor of Science in Computing Engineering with a concentration in digital networks and a Master of Science in Information Security and Assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk Information System Control (CRISC), and Certified Ethical Hacker (CEH). He is well versed in personnel, systems and network security risk management. His core competencies include Developing cost effective solutions to enable mission assurance in the following areas: Enterprise Risk Management, IT Governance, Security Organization Development, Information Security and Assurance