Once again, America is officially under attack. According to multiple reports, including an “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. natural gas pipeline companies are at the center of a major cyber attack campaign. While I’m certain that some in Congress will use this latest cyber attack campaign as fodder to further their cyber security legislation, I do not believe we can legislate our way out of this problem.
Critical Infrastructure
Learning from Catastrophe – Lessons in Disaster Recovery
April 30th, 2012 - by James Carafano
It is always difficult to fully absorb the lessons from wide-scale crises in the wake of the catastrophe. Information is often incomplete or contradictory, or still evolving. Learning these lessons, however, provides an opportunity to address the shortfalls of catastrophic disaster response.
EPA – Proving How “Small” Government Can Be
April 4th, 2012 - by L. Vance Taylor
The EPA was set to disregard the counsel of the Department of Justice, water system owners/operators and security experts by posting the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s RMPs this summer. Amid industry outcry, the EPA changed course and decided to postpone re-establishing public Internet access for certain highly security sensitive categories of information collected by its Risk Management Plan (RMP) Program. Irwin Fletcher said, “It takes a big man to admit when he’s wrong. I am NOT a big man.” Such is the case with the EPA.
Make Water, Not War
March 26th, 2012 - by L. Vance Taylor
Ten years from now, global water shortages are likely to threaten U.S. security interests. Ask the Director of National Intelligence, the Defense Intelligence Agency or someone from the Central Intelligence Agency; better yet, read the most recent National Intelligence Estimate. According to a senior U.S. intelligence official who briefed reporters on this issue (on condition of anonymity), there is an increasing likelihood that water will be “potentially used as a weapon, where one state denies access to another.”
A Preparedness Wake-up Call for Cyprus
March 21st, 2012 - by Daniel Kaniewski
Major disasters are relatively rare in Cyprus. Other than a magnitude 6.8 earthquake in 1996 that did not result in any casualties (but was the largest since 1953), annual wildfires and droughts, the island nation has generally avoided the brunt of manmade or natural disasters. But alas, tranquillity breeds complacency. In 2011, 98 containers of improperly stored explosives exploded in Cyprus with devastating impacts on human life, infrastructure and the Cypriot economy. Now is the time for Cyprus to address the hazards it faces.
National Security vs Paperwork – EPA Plan Threatens Water System Security
March 21st, 2012 - by L. Vance Taylor
There comes a time when sharing too much information is a dangerous thing, and this is what the Environmental Protection Agency is about to do. In June, the EPA plans to establish Internet access for the public to view the non-Off-site Consequence Analysis (non-OCA) sections of the water sector’s Risk Management Plans (RMPs). The announcement from the Office of Emergency Management cites burdens associated with Freedom of Information Act requests and a need from the FBI and others for greater access to non-OCA data. Here are my two biggest problems with what EPA plans to do.
Protecting Networks – Public or Private Sector Responsible?
March 14th, 2012 - by Anthony Macisco
The two distinctly different Senate Cyber-Security bills currently making their way through the US Congress respond to the ever-increasing cyber assaults on the US, and particularly the CIKR sectors. It is clear that action must be taken to further harden our IT systems from these asymmetrical and often successful attacks. But remember cyber-security is a balancing act based on the risk tolerance of corporations and agencies. We have enough regulations already in place. What we need is more information sharing on a two-way street.
Critical Infrastructure Resilience – Effectively Addressing America’s Achilles Heel
February 27th, 2012 - by Jeff Gaynor
Today’s reality is the Internet is the repository of a huge and growing amount of code (including malware) whose origin and ultimate purpose are unknown. Yet, well-intentioned, repeated government calls for action have not and will not fix a problem enabled by globally deployed technologies. There has been (and continues to be) a great deal of rhetoric and staff activity on the subject; rhetoric is not results and activity is not accomplishment. The current approach to ensuring the operation of America’s critical infrastructures can only be characterized as lessons-observed because we have failed to change our behavior.
Napolitano’s Announcement Omits Cyber Threat to Global Supply Chain
February 3rd, 2012 - by Guest Contributor
By Michael Balboni
In an op-ed for Newsday, I examined Secretary Napolitano’s announcement of a National Strategy for Supply Chain Security, noting that it only mentioned the importance of physical security. Surprisingly, cyber threats were left completely off the table, though it is crucial to recognize that both these threats are actually inexorably intertwined.
Presidential Permit Mess
December 26th, 2011 - by Guest Contributor
By Doug Doan
For anyone who needed a reminder of just how botched and dysfunctional it is to build or improve a border crossing, take a look at the toxic debate over the Keystone Pipeline. Fierce politics, nasty in-fighting, delay, distortion and misdirection all become standard fare. The Presidential Permit process was supposed to bring order and discipline to building anything across the border linking the United States, Canada and Mexico. But what a mess it has become. Every new idea must navigate an increasingly complicated bureaucratic gauntlet.
A Public/Public Partnership – Addressing Water Sector Security
December 2nd, 2011 - by L. Vance Taylor
Following the recent attention given to the water sector’s vulnerability to cyber intrusion, there’s been a lot of talk about what went wrong, whose fault it was and why changes need to be made in the sector. However, the challenge in addressing the water sector’s cyber security posture isn’t in outlining existing problems, but rather in generating realistic, affordable and timely solutions to mitigate them. My concern is that we may just keep talking about the problem without actually doing anything about it.
Water Security Expert Vance Taylor on Critical Infrastructure Hacking Incidents
December 1st, 2011 -
Since news broke last week about a suspected cyber attack on an Illinois water utility, media, government and industry have probed the ramifications for U.S. critical infrastructure protection (CIP). Though DHS and FBI later found no attack had occurred, the incident does highlight vulnerabilities in the way utilities are secured against cyber threats. To understand these complex issues, reporters turned to water security expert, Catalyst Partners principal and Security Debrief contributor Vance Taylor.
Terrorists Embrace Internet Fraud to Fund Operations
November 29th, 2011 - by Guest Contributor
By Rob Strayer
It is an unfortunate modern reality that cyber attacks are commonly used to steal money from businesses and individuals. Cyber attacks that disrupt or destroy physical assets, on the other hand, have been rare up to this time. The news over the weekend that a terrorist organization was able to finance its activities by hacking AT&T business customers’ telecommunications accounts represents a new and disturbing development in the use of cyber attacks by terrorists.
A Stark Reminder – Cyber Threats Are Real
November 23rd, 2011 - by L. Vance Taylor
As happy/relieved as I am to know that the Russians aren’t out to disrupt our water services, it is important to note that a water system in South Houston was the victim of a real cyber attack. (You’ll recall it occurred in direct response to DHS downplaying of the reported situation in Illinois). The would-be attack, and the actual one, are stark reminders that the threat of cyber attacks is real.
Water Plant Hack – Real Concern or Red Herring?
November 22nd, 2011 - by Steven Bucci
I have read several articles on the recent water plant cyber intrusion that damaged a pump in a small utility firm’s facility in Illinois. I am not a digital forensics analyst, but I do find the reactions very interesting. Frankly, I don’t know what the Water Plant incident really means, but at this point neither does anyone else. Can we afford to dismiss it, even if it turns out to be amateur hackers? I have said this before; the sky is not falling! However, we still need to up our vigilance and recognize that we have enormous vulnerabilities and competent adversaries.
Resilience – The Foundation of National Preparedness
October 4th, 2011 - by Jeff Gaynor
In the wake of “National Preparedness Month,” over the weekend the first edition of the National Preparedness Goal (NPG) was released. The NPG correctly recognizes resilience as a fundamental component of national preparedness – a desired outcome. The issue, however, is not what America can do but rather what America will do. There can be little doubt that since 9/11, America is far more physically protected. However, contrary to the assertion in the NPG, and as protected infrastructure failures and nature-driven consequences continue to demonstrate, America is anything but more prepared.
Cybersecurity – Stop Attacking Pearl Harbor
September 15th, 2011 - by Ronald Marks
Again the other day, another of our government cyber leaders delivered the usual canned speech about how we must increase our defenses – read expand budgets/personnel – to defend ourselves against an “electronic Pearl Harbor.” And so, once again, the muscles in the back of my neck begin to stiffen wondering when they are going to stop saying this and if, some day, they will arrive in the 21st century. Cyber attacks – they are not wars – are not about total destruction but death by a thousand cuts.
Homeland Security Symposium Focuses on Disasters
September 13th, 2011 - by Rich Cooper
The world has faced tragic events of late: the Japanese earthquake and tsunami; the tragic bombing and shooting in Oslo, Norway; and post-Hurricane Irene floods along the U.S. East Coast. With these and other ever-present threats to our critical infrastructures and way of life, the National Defense Industrial Association’s (NDIA) 2011 Homeland Security Symposium is “Disasters: Preparing, Surviving and Responding to Dynamic Threats.”
Congress Needs to Reexamine its One-sided Approach to Water Security
August 24th, 2011 - by L. Vance Taylor
In response to a recent DHS report citing concerns about the ability of insiders to cause significant damage at water utilities, Sen. Chuck Schumer is set to introduce legislation that would mandate FBI background checks for employees at drinking water and wastewater plants. While I understand Senator Schumer’s logic, Congress would be wise to hit the “pause” button before introducing new regulatory mandates so it can reexamine our current national approach to addressing water security.
National EMP Awareness Day: The Threat that Can’t Be Ignored
August 10th, 2011 - by James Carafano
An electromagnetic pulse (EMP) attack – produced by a nuclear weapon detonated at a high altitude or by a geomagnetic storm – has the potential to decimate America’s electrical and technological infrastructure. The Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack found that an EMP is a threat to our society and military. Yet, despite broad consensus, Congress has yet to act in a substantive manner. For the most part, U.S. government agencies have not taken planning for their response to an EMP attack out of the theoretical stages.




