Need for Improved Critical Industrial Infrastructure Protection
By William McBorrough, MISA, CISSP, CISA, CRISC, CEH

This is a follow-up to my article, No National ‘Stand Your Cyberground’ Law Please, which was a response to a proposal to allow private companies to fight cyberattack with cyberattack. I discussed why I do not believe that to be a wise course of action. That proposal led me to reflect on industry and government efforts with respect to privately owned and operated critical industrial infrastructure.

Most stakeholders would agree that it is in the national interest for government to be involved in the defense of those networks upon which these infrastructure components operate. When these networks come under serious threat, government's response or involvement will range from a totally hands-off approach (and no one believes that works, but that is pretty much the status quo) to complete takeover in response to the attack. As we are not a country enamored with the idea of government takeover of things, striking the right balance is crucial to the success of any ongoing effort in this regard.

Why is government’s involvement so critical?

85% of our nation's critical industrial infrastructure is owned and operated by private interests. This includes electricity grids, nuclear power plants, water and sewer systems and other utilities. According to the Department of Homeland Security website, these are classified as critical because:

"Attacks on critical infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.
Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence.

Attacks using components of the nation's critical infrastructure as weapons of mass destruction could have even more devastating physical and psychological consequences."

Is our critical industrial infrastructure under significant threat today?

Absolutely. However, before one can formulate an adequate response strategy, one has to fully grasp and consider the true state of affairs. The excerpt from the DHS website above makes clear why those with intentions to do harm to the US would target non-government, non-military sectors considered critical to our very way of life. Recent public reports have clearly demonstrated that the technological means exist to both infiltrate and cause significant damage to systems upon which we depend.

Consider the following:

• It was reported by the Christian Science Monitor in May that the Department of Homeland Security sent out several alerts warning of a “gas pipeline sector cyber intrusion campaign” against pipeline companies. According to the Department, the attacks began as early as December of 2011 and were still ongoing. These were sophisticated spear-phishing attacks targeting personnel at these companies. Spear-phishing is a common attack method used to infiltrate corporate networks.
• On June 1, the New York Times reported confirmation of what most in the security community suspected all along: that cyberattacks against Iran’s Natanz nuclear power plant were the work of the US and Israel. First discovered in July of 2010, the computer worm, codenamed “Stuxnet” by security researchers, was reportedly hand-carried on a USB by an Israeli double agent into the facility. The worm infected the control systems of the facility, causing physical damage to the uranium enrichment infrastructure before escaping onto the Internet and spreading.
• In October of 2011, the Laboratory of Cryptography and System Security released a 60-page report about a computer worm they had discovered and analysed, codenamed Duqu. Duqu is thought to bear some similarities to Stuxnet, but its purpose appears not to be destructive but to gather information that could be useful in attacking industrial control systems.

Additionally,

• For more than a decade, industrial systems have been under attack. Though these attacks have not garnered the publicity of Stuxnet or Duqu, the Repository of Industrial Security Incidents (Risi) maintains a database of cyber incidents that have affected "process control, industrial automation or Supervisory Control and Data Acquisition (SCADA) systems."
• A McAfee CIP report of critical industrial infrastructure worldwide reported in 2010, "80% of companies surveyed faced a large-scale denial of service attack, and 85% had experienced a network infiltration."

What is the appropriate role for government?

According to the McAfee report, governments like China, Japan and Italy have taken an aggressive stance in protecting their civilian critical infrastructure with increased security requirements and government audits of security controls. Any debate in this country about the need for increased government regulation of critical infrastructure protection should have effectively ended with the discovery of Stuxnet.

In 2006 the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by the North American Electric Corporation (NERC), making the Critical Infrastructure Protection Cyber Security Standards mandatory for the bulk power industry. Similar standards need to be uniformly applied across other sectors of our industrial critical infrastructure.

There also needs to be increased collaboration between the public and private sectors with programs like InfraGard and the National Infrastructure Protection Center. Legislative efforts like the Lieberman-Collins "Protecting Cyberspace as a National Asset Act of 2010" and the "Cyber Intelligence Sharing and Protection Act" have been met with much controversy. However, legislation is clearly needed to codify the role of government as well as appropriate protections for privacy and limitations on intrusiveness. The time for such legislation is long overdue. Certainly, waiting until after a major cyber attack would make careful consideration of appropriate legislation impossible.

Even more controversial have been government's efforts at deploying technical solutions to monitor private critical infrastructure networks. Such an effort may or may not be technologically feasible at present, but private industry alone has not proven up to the task.

What can industry do?

In addition to governmental initiatives, industry also needs to step up in the following ways:

• Increase security controls in their networks and systems through the implementation of technologies such as multi-layered authentication and access controls, encryption, and monitoring.
• Implement internal policies and procedures to govern use of networks and systems, including employee access, data stewardship, Internet connectivity, removable media and physical access, and implement an effective user security education program.
• Participate in effective partnerships with government for increased information sharing and collaboration, and help drive implementation of reasonable regulation.

Successfully tackling the problem of critical infrastructure protection will take concerted efforts from both the public and private sectors. An appropriate governance structure with roles and responsibilities defined and allocated is needed. Technological advances like smart grids provide significant benefits but also increase our risk. More action is needed now to avoid the inevitable over-reaction that follows the more inevitable catastrophic attack against our critical infrastructure.

Source: http://infosec3t.com/2012/05/23/need-for-improved-critical-industrial-infrastructure-protection/

About the author: William J McBorrough is a Security Expert with many years of success managing, designing, and implementing medium and large enterprise Physical and Information Technology Security Solutions. His experience spans the spectrum from small e-commerce start-ups to multi-campus state and federal agencies to global financial sector organizations. He is on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College, where he conducts research and teaches graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He holds a Bachelor of Science in Computing Engineering with a concentration in digital networks and a Master of Science in Information Security and Assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk Information System Control (CRISC), and Certified Ethical Hacker (CEH). He is well versed in personnel, systems and network security risk management. His core competencies include developing cost-effective solutions to enable mission assurance in the following areas: Enterprise Risk Management, IT Governance, Security Organization Development, Information Security and Assurance