GUEST POST WRITTEN BY Michael Assante
Mr. Assante is director of Industrial Control Systems as well as Supervisory Control and Data Acquisition Networks for the SANS Institute.
America’s critical infrastructure—the utilities, refineries, military defense systems, water treatment plants and other facilities on which we depend every day—has become its soft underbelly, the place where we are now most vulnerable to attack.
Over the past 25 years, hundreds of thousands of analog controls in these facilities have been replaced with digital systems. Digital controls provide facility operators and managers with remote visibility and control over every aspect of their operations, including the flows and pressures in refineries, the generation and transmission of power in the electrical grid, and the temperatures in nuclear cooling towers. In doing so, they have made industrial facilities more efficient and more productive.
But the same connectivity that managers use to collect data and control devices allows cyber attackers to get into control system networks to steal sensitive information, disrupt processes, and cause damage to equipment. Hackers, including those in China, Russia and the Middle East, have taken notice. While early control system breaches were random, accidental infections, industrial control systems today have become the object of targeted attacks by skilled and persistent adversaries.
Industrial control systems are being targeted
The recently discovered Industrial Control System modules of the HAVEX trojan are one example. The malware infiltrated an indeterminate number of critical facilities by attaching itself to software updates distributed by control system manufacturers. When facilities downloaded the updates to their network, HAVEX used open communication standards to collect information from control devices and send that information to the attackers for analysis. This type of attack represents a significant threat to confidential production data and corporate intellectual property, and may also be an early indicator of an advanced targeted attack on an organization’s production control systems.
Other hacks represent a direct threat to the safety of U.S. citizens. Earlier this year, the FBI released information on Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States. While the FBI suspects this was a scouting mission, Ugly Gorilla gained the cyber keys necessary for access to systems that regulate the flow of natural gas.
Considering that cyber attackers are numerous and persistent—for every one you see there are a hundred you don’t—those developments should sound alarms among executives at companies using industrial controls and with the people responsible for protecting American citizens from attacks. To their credit, both businesses and the U.S. government have begun to take action; however, neither is adequately addressing the core of the issue.
The threat isn’t static
Businesses continue to believe that cybersecurity issues can be addressed solely through technology. The problem was created by technology, so the solution must be more technology, they reason, ignoring the spirit of Einstein’s observation that “no problem can be solved from the same level of consciousness that created it.”
Technology is static and the threat is not. Hackers will always find a way to beat technology-based solutions. That’s why we have to do more than create barriers to keep out intruders. We have to man our digital borders with people who have the same skill and determination as the attackers.
Like technology, regulation is an inherently limited solution. Regulation creates a compliance mentality in which policies and investments are based on achieving and maintaining compliance. Compliance is predictable, which makes it the hacker’s best friend.
Lack of security professionals who understand both digital security and control system technology
Legislation (HR 3696) has been introduced in the U.S. Congress that would increase the sharing of information related to control system breaches, to better arm security professionals to prevent future breaches. That is a worthwhile goal; unfortunately, there is a dire lack of security professionals with an understanding of both digital security and control system technology to benefit from this information sharing.
Filling this gap is where the lion’s share of the cybersecurity effort must go. The latest Project SHINE report estimates that the United States has more than half a billion control system devices connected to the Internet. The SANS Institute, the largest cybersecurity training organization in the world, estimates that in the U.S. power industry alone thousands of new or existing control systems security professionals must be deployed or further developed in the next five years to adequately address the challenge of control system security within the electric sector.
Steps to fill the gap
The first step in that process is defining the baseline of knowledge required by the new breed of security professional who will bridge the gap between control system engineers and information technology security specialists.
This important first step has already been accomplished with the development of the Global Industrial Cyber Security Professional (GICSP) certification, developed through a joint effort by control system manufacturers, control system users and security specialists. This certification sets a standard that allows organizations at risk to build control system security teams with the confidence that those teams have the knowledge they need to be successful.
The second step is training. A training infrastructure exists to support information technology security, and this infrastructure must now be expanded quickly to prepare a small army of engineers and technologists for GICSP certification. A core group of industry veterans has established the curriculum for such training, and the early graduates of these classes are now entering the workforce. The challenge will be scaling quickly to meet the projected need for GICSP-trained professionals while providing continuing education that allows certified professionals to expand their knowledge base and share their experience.
The final step is knowledge sharing. As trained professionals work actively to defend critical control networks, they will generate, and benefit from, shared information on vulnerabilities, threats and best practices.
With the certification in place, the focus now needs to be on training. The sooner we reach a critical mass of GICSP-certified professionals, the sooner we will have a determined and dynamic force capable of successfully defending the systems our country and its businesses depend on.
http://www.forbes.com/