The Need for Improved Critical Infrastructure Protection

Wednesday, June 13, 2012

William Mcborrough


This is a follow up to my article, No National  ‘Stand Your Cyberground’  Law Please, which was a response to a proposal to allow private companies to fight cyber attacks with cyber attacks.

I discussed why I do not believe that to be a wise course of action. That proposal led me reflect on industry and government efforts with respect to privately owned and operated critical industrial infrastructure.

Most stakeholders would agree that it is in the national interest for government to be involved in the defense of those networks upon which these infrastructure components operate. 

When these networks come under serious threat, government's response or involvement will range from a totally hands-off approach (and no one believes that works but that is pretty much the status quo) to complete take-over in response to the  attack. 

As we are not a country enamored with the idea of government takeover of things, striking the right balance is crucial to the success of any ongoing effort in this regard.

Why is government’s involvement so critical?

85% of our nation's critical industrial infrastructure is owned and operated by private interests. This includes electricity grids, nuclear power plant, water and sewer systems  and other utilities.

According to the Department of Homeland Security website, these are classified as critical because:

"Attacks on critical infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident."

"Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence.

"Attacks using components of the nation's critical infrastructure as weapons of mass destruction could have even more devastating physical and psychological consequences."

Is our critical industrial infrastructure under significant threat today?

Absolutely. However, before one can formulate an adequate response strategy, one has to fully grasp and consider the true state of affairs. The excerpt from the DHS website above makes clear why those with intentions to do harm to the US would target non-government, non-military sectors considered critical to our very way of life. 

Recent public reports have clearly demonstrated the technological means exists to both infiltrate and cause significant damage to systems upon which we depend. Consider the following:

  •  It was reported by the Christian Science Monitor in May that the Department of Homeland Security sent out several alerts warning of  a “gas pipeline sector cyber intrusion campaign” against pipeline companies. According to the Department, the attacks began as early as December of 2011 and were still on going.  These were sophisticated spear-phishing attacks targeting personnel with these companies. Spear-phishing is a common attack method used to infiltrate corporate networks.
  •  On June 1, the New York Times reported confirmation of what most in the security community suspected all along, that  cyber attacks  against Iran’s Nantanz  nuclear power plant, were the work of the US and Israel.  First discovered in July of 2010, the  computer worm code named “Stuxnet” by security researchers, was reportedly hand carried on a USB by an Israeli double agent into the facility. The worm infected the control systems of the facilities causing physical damage to the uranium enrichment infrastructure before escaping onto the Internet and spreading .
  •  In October of 2011, the Laboratory of Cryptography and System Security released a 60 page report about a computer worm they has discovered and analysed code named Duqu. Duqu is thought to bear some similarities to Stuxnet but its purpose appears not to be destructive but to be to gather information that could be useful in attacking industrial control systems.


  • For more than a decade, industrial systems have been under attack. Though these attacks have not garnered the publicity of Stuxnet or Duqu, the Repository of Industrial Security Incidents (Risi) maintains a database of cyber incidents that have affected " process control, industrial automation or Supervisory Control and Data Acquisition (SCADA) systems.
  • McAfee CIP report  of critical industrial infrastructure worldwide reported in 2010, " 80% of companies surveyed faced a large-scale denial of service attack, and 85% had experienced a network infiltration. "

What is the appropriate role for government?

According to the McAfee report, governments like China, Japan and Italy  have taken an aggressive stance in protecting their civilian critical infrastructure with increased security requirements and government audits of security  controls. Any debate  in this country about need for increased regulation government critical infrastructure protection should have effectively ended with the discovery of Stuxnet.

In 2006 the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by the North American Electric Corporation (NERC), making the Critical Infrastructure Protection Cyber Security Standards mandatory for the bulk power industry. Similar standards need to be uniformly applied across other sectors of our industrial critical infrastructure.

There also need to be increased collaboration between the public and private sectors with programs like InfraGard and the National Infrastructure Protection Center. Legislative efforts like the Lieberman-Collins' "Protecting Cyberspace as a National Asset Act of 2010" and the " Cyber Intelligence Sharing and Protection Act" have been met with much controversy.

However legislation is clearly needed to codify the role of government as well as appropriate protections for privacy and limitations on intrusiveness. The time for such legislation is long overdue. Certainly, waiting until after a major cyber attack would make impossible  careful consideration appropriate legislation.

Even more controversial has been government's efforts at deploying technical solutions to monitor private critical infrastructure networks.  Such an effort may or may not be technologically feasible at present, but private industry alone has not proven up to the task.

What can Industry do?

In addition to governmental initiatives, industry also need to step up in the following ways:

  •  Increase security controls in  their networks and systems through the implementation of  technologies such as multi-layered authentication and access controls,  encryption, and monitoring.
  •  Implement internal policies and procedures to govern use of  networks and systems including employee access, data stewardship, Internet connectivity, removable media and physical access, and implementing an effective user security education program.
  •  Participate in  effective partnerships with government for increased information sharing collaboration and  help drive implementation of reasonable regulation.

Successfully tackling the problem of critical infrastructure protection will take concerted efforts from both the public and private sectors. An appropriate governance structure with roles and responsibilities defined and allocated is needed.

Technological advances like smart grids provide significant benefits, but also increases our risk. More action is needed now to avoid the inevitable over-reaction that will follow the inevitable catastrophic attack against our critical infrastructure.

Cross-posted from Infosec3T

Possibly Related Articles:
Industrial Control Systems
SCADA Government Attacks Stuxnet Network Security Infrastructure National Security NERC CIP ICS Industrial Control Systems
Post Rating I Like this!
Bob Radvanovsky A couple of things that I think you should be made aware of:

(1) RISI hasn't really updated their database (practically) since they've been in existence; you'd have to spend $9000 USD to find out if they have actually done any updates.

(2) RISI's focus is on SCADA and industrial control systems 'incidents'; unless you have a clearance and work daily with spooky people who have secret handshakes and greet you with coded phrase words, there haven't been that many 'incidents' (as far as I know) specifically pertaining to SCADA and industrial control systems within the past several years. Many are *unconfirmed* 'events'. Do you know the difference between and 'event' and 'incident'? It's pretty simple: an 'event' is an 'occurrence' that has been *acknowledged*, generally in an 'official capacity', such as a report from FBI, DOJ, or DHS.

(3) Everything that you are implicating in your last section screams one and only one word: regulation. First and foremost, have you ever worked for a regulated industry? Better yet, have you ever worked in the nuclear industry? You can't even go to the bathroom without having to follow a procedure! What you are suggesting sounds/reads like it is worthwhile; but after legislative 'critters' get a hold of it, they know it as one and only one word: regulation. Regulation to them, means money (through fines). Congratulations! You've just managed to create a government-controlled economy!
Bob Radvanovsky One more thing that I would like to point out: INFRAGARD. This was originally created with the notion of 'protecting our infrastructures', etc, etc, etc. I am a member of INFRAGARD. Over the years, the only seemingly visible message has been discussing about terrorism, terrorism, terrorism, terrorism, terrorism, more terrorism, even more terrorism, and terrorism. They're stuck on a scratch on the LP; this seems to be the only thing that they know how to say. Part of the reason is that INFRAGARD is under the watchful eye of the FBI, and for the most part, FBI still continue to have trouble with those durn things called 'computers'. The next time that you go to an INFRAGARD meeting, ask Special Agent what they know about mitigating cybersecurity threats against the gas pipeline or issues with signaling systems with the railroad system, or ability to halt the cyber systems of an air traffic control system, and then bring specifics about it. I guarantee you, within a few seconds, he or she will bring in a 'technical specialist' to 'assist' you. Although I have met some very smart agents who were very eager to learn more about those weird devices called ( was it speeled?....oh, yeah) "com-pew-ters", the reality is, the field offices know nothing about 'cybersecurity', and most of their expertise is in physical law enforcement.
Chris Blask @Rad - exactly my point. Once outside our little world of the same 200 people showing up at different events, most folks one might expect to know about all this stuff simply do not.

We can say the right things to the wrong people and not change the situation for the better. The "wrong people" includes "each other". The *right* people are a much broader group, and the conversations are more interesting.

All sorts of demographics need to be more informed in order to move this ball down the field. Lots of people in positions of power, primarily. Those folks won't always move without a general background-radiation of awareness in the environment around them, so continued public preaching helps as well.

More than the repetition of saying or hearing the same cautions, the commonality that strikes me is how often I have to explain that - while, yes, one would assume that person/organization/government-body X would already have process/knowledge/solution Y in place already - they in fact do not.

Most FBI offices, drinking water plants, federal/state/local government agencies, engineering firms etc. know virtually nothing whatsoever about industrial cybersecurity. They have no process or capabilities in place, and no plans to even make plans to change that. The folks in each of these situations have managed to stay busy and stressed enough dealing with the rest of the stuff on their plates and haven't on average spent 5 minutes on this topic.

It isn't good or bad, it just is what it is. Our challenge remains being able to execute on our own responsibilities, regardless hurdles of any size or description, just like they all try to do every day.
William Mcborrough I totally agree. I make it a point to reach outside the security community bubble as often as possible. There is no substitute for evangelism on these issues by experts such as you both. One industry exec mentioned at my presentation to the National Coal Council last week that when they reach out to government on these issues, the response they get is " We are working on it". Government certainly doesn't have all the answers. There has to be a real collaborative effort. But surely we can do better than two overly simplistic choices: Over regulation vs. No regulation at all. The right balance is needed. Private companies making individual business decisions on what to do ( if anything) about security is the status quo and that alone is not good enough.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked