This is a follow up to my article, No National ‘Stand Your Cyberground’ Law Please, which was a response to a proposal to allow private companies to fight cyber attacks with cyber attacks.
I discussed why I do not believe that to be a wise course of action. That proposal led me to reflect on industry and government efforts with respect to privately owned and operated critical industrial infrastructure.
Most stakeholders would agree that it is in the national interest for government to be involved in the defense of those networks upon which these infrastructure components operate.
When these networks come under serious threat, government's response or involvement will range from a totally hands-off approach (and no one believes that works but that is pretty much the status quo) to complete take-over in response to the attack.
As we are not a country enamored with the idea of government takeover of things, striking the right balance is crucial to the success of any ongoing effort in this regard.
Why is government’s involvement so critical?
85% of our nation's critical industrial infrastructure is owned and operated by private interests. This includes electricity grids, nuclear power plants, water and sewer systems and other utilities.
According to the Department of Homeland Security website, these are classified as critical because:
"Attacks on critical infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident."
"Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence."
"Attacks using components of the nation's critical infrastructure as weapons of mass destruction could have even more devastating physical and psychological consequences."
Is our critical industrial infrastructure under significant threat today?
Absolutely. However, before one can formulate an adequate response strategy, one has to fully grasp and consider the true state of affairs. The excerpt from the DHS website above makes clear why those with intentions to do harm to the US would target non-government, non-military sectors considered critical to our very way of life.
Recent public reports have clearly demonstrated that the technological means exist to both infiltrate and cause significant damage to systems upon which we depend. Consider the following:
- It was reported by the Christian Science Monitor in May that the Department of Homeland Security sent out several alerts warning of a "gas pipeline sector cyber intrusion campaign" against pipeline companies. According to the Department, the attacks began as early as December of 2011 and were still ongoing. These were sophisticated spear-phishing attacks targeting personnel at these companies. Spear-phishing is a common attack method used to infiltrate corporate networks.
- On June 1, the New York Times reported confirmation of what most in the security community suspected all along: that the cyber attacks against Iran's Natanz nuclear power plant were the work of the US and Israel. First discovered in July of 2010, the computer worm code named "Stuxnet" by security researchers was reportedly hand carried into the facility on a USB drive by an Israeli double agent. The worm infected the control systems of the facility, causing physical damage to the uranium enrichment infrastructure before escaping onto the Internet and spreading.
- In October of 2011, the Laboratory of Cryptography and System Security released a 60-page report about a computer worm they had discovered and analyzed, code named Duqu. Duqu is thought to bear some similarities to Stuxnet, but its purpose appears to be not destruction but the gathering of information that could be useful in attacking industrial control systems.
- For more than a decade, industrial systems have been under attack. Though these attacks have not garnered the publicity of Stuxnet or Duqu, the Repository of Industrial Security Incidents (RISI) maintains a database of cyber incidents that have affected "process control, industrial automation or Supervisory Control and Data Acquisition (SCADA) systems."
- A McAfee CIP report on critical industrial infrastructure worldwide reported in 2010 that "80% of companies surveyed faced a large-scale denial of service attack, and 85% had experienced a network infiltration."
What is the appropriate role for government?
According to the McAfee report, governments such as those of China, Japan and Italy have taken an aggressive stance in protecting their civilian critical infrastructure with increased security requirements and government audits of security controls. Any debate in this country about the need for increased government regulation of critical infrastructure protection should have effectively ended with the discovery of Stuxnet.
In 2006 the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by the North American Electric Reliability Corporation (NERC), making the Critical Infrastructure Protection Cyber Security Standards mandatory for the bulk power industry. Similar standards need to be uniformly applied across other sectors of our industrial critical infrastructure.
There also needs to be increased collaboration between the public and private sectors through programs like InfraGard and the National Infrastructure Protection Center. Legislative efforts like the Lieberman-Collins "Protecting Cyberspace as a National Asset Act of 2010" and the "Cyber Intelligence Sharing and Protection Act" have been met with much controversy.
However, legislation is clearly needed to codify the role of government as well as appropriate protections for privacy and limitations on intrusiveness. The time for such legislation is long overdue. Certainly, waiting until after a major cyber attack would make careful consideration of appropriate legislation impossible.
Even more controversial has been government's efforts at deploying technical solutions to monitor private critical infrastructure networks. Such an effort may or may not be technologically feasible at present, but private industry alone has not proven up to the task.
What can Industry do?
In addition to governmental initiatives, industry also needs to step up in the following ways:
- Increase security controls in their networks and systems through the implementation of technologies such as multi-layered authentication and access controls, encryption, and monitoring.
- Implement internal policies and procedures to govern use of networks and systems including employee access, data stewardship, Internet connectivity, removable media and physical access, and implementing an effective user security education program.
- Participate in effective partnerships with government for increased information-sharing collaboration, and help drive implementation of reasonable regulation.
Successfully tackling the problem of critical infrastructure protection will take concerted efforts from both the public and private sectors. An appropriate governance structure with roles and responsibilities defined and allocated is needed.
Technological advances like smart grids provide significant benefits, but they also increase our risk. More action is needed now to avoid the inevitable over-reaction that will follow the inevitable catastrophic attack against our critical infrastructure.
Cross-posted from Infosec3T