Lots of people have spoken, written, and argued about the cyber threats to our nation’s critical infrastructure. To say (as I tweeted) that this is an area that has not gotten adequate coverage seems counterintuitive. It is not; words have been expended on the subject but precious little action to actually protect it has been taken.
This past week, McAfee, in conjunction with CSIS, released a report titled, “In the Dark: Crucial Industries Confront Cyberattacks” at the National Press Club. Stewart Baker of CSIS, the lead author, began with the finding that threats are up faster than security can respond. He called Stuxnet a wakeup call. It was found on 40 percent of control systems tested. Phyllis Schneck of McAfee stated that there has been malware like StuxNet before and there is more of it now. That said, security investment has only gone up one percent!
In the study, they did not ask directly if the companies polled were spending more; they asked about which security technologies they were using, compared to the previous years, and they have only procured one percent more such capabilities overall. So yes, there have been gains but modest ones only. Security has been a technology spend by the CISO, but it now must be a core business spend by the CEO or at least CFO.
They next asked if the respondents had experienced a sophisticated attack (APT or DDoS). Last year, 26 percent said yes; this year, over 48 percent said yes. While acknowledging that APT is over used (a senior Verizon exec recently went on record with this conclusion), they still maintain it is real and growing problem. They also noted that Stuxnet is a weapon because it does not steal – it destroys.
The discussion next turned to control systems, and it was emphasized that they were never designed to be secure. Ms. Schneck said that the best solution was to use technologies that make malware dormant (of no use); white listing helps.
The report calls into question the wisdom of developing a smart grid, because it is simply NOT secure. To make a really “Smart Grid” (how do you define that?!), you need lots of data to fine tune it. Getting at that kind of data opens up the network to attack or at least lots of inadvertent mistakes.
Four out of every five power execs queried said they will be employing Smart Grid, and most plan to hook up via the Internet. Unfortunately, most do not plan to include any particular security measures. Like the Internet before it, the SmartGrid is not being built with security at its foundation.
There was a great divergence of response between governments. China has the highest security measure adoption rate. I found this curious, as China is known to be the most hacked country in the world. The other examples were:
Brazil, France, Mexico – low security measure adoption rate;
India, Russia, Australia, United States, Spain, Germany, UAE – medium security measure adoption rate; and
UK, Japan, Italy, China – high security measure adoption rate.
Many people surveyed worried about governments as attackers – most believe other governments have attacked them – most worry about the United States and China. The United States has dropped lower, and the Russians have gone up, as has North Korea.
The conclusions were that everyone is aware but few are doing anything, and no one is doing enough. A key required action is to define the role of government. Ms. Schneck said that regulation is not the answer! Baker nodded in agreement. This interestingly is at odds with CSIS’s other cyber expert, Jim Lewis, who now says the market cannot fix the issue and regulation must be the answer.
There was a discussion on this need for regulations, but everyone acknowledged that they could not say who had the expertise to enforce them. The Department of Defense has no experience with control systems. The audience was not left with a great feeling of comfort.
The initial session was followed by a panel – this included Baker, Schneck, Donna Dodson – NIST, Kevin Gronberg – Committee on Homeland Security (House Rep. Peter King), and Michael Peters – FERC.
Ms. Dodson of NIST, a non-regulatory agency, looked to the safety community for examples, working with NERC and FERC, trying to apply risk management processes. Cybersecurity experts must work with control system folks to build security in at the beginning.
Gronberg said that Chairman King’s committee addressed this issue just the week before. He would not comment on pending cyber legislation, other than to say that “active efforts” were in progress. He liked the report’s recommendations. Improving an ecosystem of authentication will help security overall. A compliance regime is important but not enough! You can be 100 percent compliant and still get hammered. He also noted that legislation will NOT be the end of the argument. Just having defensive systems is not sufficient. One must ask if they are being used correctly. We are “OK” at corporate IT security but poor at control system security.
Mr. Peters noted that slowness in tech and difficulty in HCM added problems to the issue. Stuxnet was a game changer, but it was not all that sophisticated. It “used” the control system features but did not really hack them.
The panel did a good wrap up – “You have to make the case.” Never try to solve a people problem with technology, but we do need to make the business case for better technology. We must have the metrics defined. We must choose what public-private partnership looks like, and that will take a national debate. They hoped companies will begin to recognize their interests are at stake. We all need to understand security (at home, at work, on control systems.)
Overall, the report is a good one (available from CSIS or McAfee), and the roll out session was well worth the time.