It would seem that the more attention that is paid to cybersecurity threats to national critical infrastructure, the greater the number of issues that are uncovered. In February 2013, the Obama Administration released a presidential directive to address how we manage and secure critical infrastructure, which includes the power grid, water treatment facilities, food and agriculture supply chains, as well as emergency services.
While the need to protect IT networks remains a priority, creating a separate plan for critical infrastructure is imperative since these systems pose a unique set of challenges, says Marc Blackmer, Senior Manager of Industry Solutions at Sourcefire. Because control networks – the ones tasked with opening and closing valves and regulating generators and electricity flow, for instance – haven’t historically been connected to a traditional IT network, they tend to have fallen behind in cybersecurity as well as in reliable service delivery. However, Blackmer notes that even when they are closed systems, that is, when they aren’t connected to external networks (or are “air-gapped”), it doesn’t mean they aren’t vulnerable to cybersecurity threats. Blackmer went on to add: “critical infrastructure is more exposed due to some well-recognized and rampant vulnerabilities, and just look at the impact of Stuxnet on the idea of the air gap as an impenetrable defense.”
With the prospect of having a debilitating impact on national security, economic stability, and public health and safety, the Department of Homeland Security (DHS), government agencies at all levels, and the operators of critical infrastructure are taking steps toward reducing vulnerabilities, minimizing consequences, identifying and disrupting threats, and hastening response and recovery efforts related to critical infrastructure.
A recent report in The Wall Street Journal, though, indicates budget cuts are forcing DHS to scale back training and information-sharing activities related to protecting critical infrastructure. Over the last several months the government has cancelled two conferences and recently announced the cancellation of three training sessions focused on teaching utilities how to defend against cyber attacks. To work around these budgetary limitations and to continue to support the presidential directive, DHS has joined a growing number of agencies in supporting public-private partnerships. For agency heads, public-private partnerships are the key to making progress with the cybersecurity defense of critical infrastructure – particularly as most critical infrastructure in the U.S. is owned by the private sector.
With many threat vectors in play, including insider threats, Blackmer says an integrated approach to cybersecurity is a must. For Blackmer, an integrated approach is one where prevention is part of the plan, but not the only plan; where accepting the possibility of an attack empowers the security team to defend the network. By seeing the network on a continuum, viewed in all phases and not just in the moment of an attack, the security team will be better equipped to address vulnerabilities. Given that the ‘before’ phase is the most often overlooked, Blackmer stresses the importance of including passive solutions that detect anomalies over time. Gathering that data into a reference architecture will further strengthen the security posture of critical infrastructure. Blackmer also counsels those tasked with protecting these important networks not to be afraid of starting small and building a solid foundation, rather than trying to fix everything at once. As he quipped: “throwing technology at the problem and hoping for the best is a recipe for failure, and with critical infrastructure, the stakes are just too high. Rather, an integrated defense-in-depth approach will yield stronger results both immediately and over time.”
The National Institute of Standards and Technology and other groups are continuing to gather input and thoughts around a framework related to taking the best steps toward protecting critical infrastructure. A successful approach will require further discussion, cooperation and ultimately an integrated effort between private and public sector organizations.
Blackmer says that the situation many managers find themselves in when trying to decide where to focus their energies and budgets is not much different from a new homeowner walking into Home Depot and wondering, ‘what do I do with all this stuff?’ In other words, education will go a long way toward helping IT and OT teams find common ground and collaborate to implement the best standards of protection for today, as well as for the future.