Need for Improved Critical Industrial Infrastructure Protection


Presentation to National Coal Council on need for improved critical industrial infrastructure protection in energy sector.

Published in: Technology, News & Politics

  1. Urgent Need for Improved Critical Industrial Infrastructure Protection. By William J McBorrough, MSIA, CISSP, CISA, CRISC, CEH, Principal, Secure Intervention
  2. Agenda: Introduction; What is the risk?; What are the threats?; What can government do?; What can Industry do?; Closing thoughts; Questions
  3. Introduction: Critical Industrial Infrastructure includes electricity grids, nuclear power plants, coal power plants, water and sewer facilities, etc. 85% is owned and operated by private, for-profit interests.
  4. What is the risk? According to the Department of Homeland Security: “Attacks using components of the nation’s critical infrastructure could disrupt the functions of government and business and have devastating physical and psychological consequences.”
  5. What are the threats? On June 1, the New York Times reported that the cyber attack against Iran’s Natanz nuclear power plant, which was first discovered in June 2010, was the work of the US and Israel. [1] “Stuxnet” was a computer worm that was hand carried into the facility. It infected the control systems, causing physical damage.
  6. What are the threats? (cont’d) In May 2012, the Department of Homeland Security warned of ongoing cyber attacks against the “gas pipeline sector”. [2] Attacks began in December 2011. Attacks use sophisticated spear-phishing techniques.
  7. What are the threats? (cont’d) In October 2011, security researchers released a report detailing the discovery and analysis of “Duqu”. [3] Duqu bears similarities to Stuxnet, possibly by some responsible parties. Duqu is an espionage malware used to gather information useful in attacking industrial control systems.
  8. What are the threats? (cont’d) In 2010, McAfee released a global “Critical Infrastructure Protection” report stating “80% of companies surveyed faced large-scale denial of service attacks, and 80% experience a network infiltration”. [4]
  9. How can government help? A reasonable regulatory framework like the Security and Regulatory Standards by National American Electric Corporation (NERC) for the bulk power industry. Increased public-private collaboration through programs like the FBI’s Infragard and the National Infrastructure Protection Center. Countries like China, Japan and Italy have already taken a more aggressive stance, including government regulations and audits.
  10. What can industry do? Participate in public-private collaborative efforts and help drive a regulatory framework that actually makes sense. Implement internal policies and procedures to govern use of systems and networks. Increase security controls in your networks and systems.
  11. Closing thoughts: Successfully tackling the problem requires the public and private sectors working together. Technological advances like smart grids provide significant benefits, but also introduce huge security risks. More action is needed now to avoid the inevitable overreaction that will undoubtedly follow the also inevitable catastrophic attack against our critical infrastructure.
  12. Questions? Welcome to send follow up question to me at Connect on LinkedIN at Follow me on Twitter @securnetworks
  13. References: [1] a-ordered-wave-of-cyberattacks-against-iran.html [2] cyber-attack-aimed-at-natural-gas-pipeline-companies [3] pdf [4] infrastructure-protection.pdf