Wednesday, November 12, 2014

America's Critical Infrastructure Is Vulnerable To Cyber Attacks - 11/11/2014 @ 6:07PM

GUEST POST WRITTEN BY Michael Assante
Mr. Assante is director of Industrial Control Systems as well as Supervisory Control and Data Acquisition Networks for the SANS Institute.
America’s critical infrastructure—the utilities, refineries, military defense systems, water treatment plants and other facilities on which we depend every day—has become its soft underbelly, the place where we are now most vulnerable to attack.
Over the past 25 years, hundreds of thousands of analog controls in these facilities have been replaced with digital systems. Digital controls provide facility operators and managers with remote visibility and control over every aspect of their operations, including the flows and pressures in refineries, the generation and transmission of power in the electrical grid, and the temperatures in nuclear cooling towers. In doing so, they have made industrial facilities more efficient and more productive.
But the same connectivity that managers use to collect data and control devices allows cyber attackers to get into control system networks to steal sensitive information, disrupt processes, and cause damage to equipment. Hackers, including those in China, Russia and the Middle East, have taken notice. While early control system breaches were random, accidental infections, industrial control systems today have become the object of targeted attacks by skilled and persistent adversaries.
Industrial control systems are being targeted
 The recently discovered Industrial Control System modules of the HAVEX trojan are one example. The malware infiltrated an indeterminate number of critical facilities by attaching itself to software updates distributed by control system manufacturers. When facilities downloaded the updates to their network, HAVEX used open communication standards to collect information from control devices and send that information to the attackers for analysis. This type of attack represents a significant threat to confidential production data and corporate intellectual property and may also be an early indicator of an advanced targeted attack on an organization’s production control systems.
Other hacks represent a direct threat to the safety of U.S. citizens. Earlier this year, the FBI released information on Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States. While the FBI suspects this was a scouting mission, Ugly Gorilla gained the cyber keys necessary for access to systems that regulate the flow of natural gas.
Considering that cyber attackers are numerous and persistent—for every one you see there are a hundred you don’t—those developments should sound alarms among executives at companies using industrial controls and with the people responsible for protecting American citizens from attacks. To their credit, both businesses and the U.S. government have begun to take action; however, neither is adequately addressing the core of the issue.
The threat isn’t static
Businesses continue to believe that cybersecurity issues can be addressed solely through technology. The problem was created by technology so the solution must be more technology, they reason, ignoring the spirit of Einstein’s observation that “no problem can be solved from the same level of consciousness that created it.”
Technology is static and the threat is not. Hackers will always find a way to beat technology-based solutions. That’s why we have to do more than create barriers to keep out intruders. We have to man our digital borders with people who have the same skill and determination as the attackers.
Similar to the use of technology, the ability to regulate a solution is inherently limited. Regulation creates a compliance mentality in which policies and investments are based on achieving and maintaining compliance. Compliance is predictable, which makes it the hacker’s best friend.
Lack of security professionals who understand both digital security and control system technology
Legislation (HR 3696) has been introduced in the U.S. Congress that would increase the sharing of information related to control system breaches to better arm security professionals to prevent future breaches. That is a worthwhile goal; unfortunately, there is a dire lack of security professionals with an understanding of both digital security and control system technology to benefit from this information sharing.
Filling this gap is where the lion’s share of the cybersecurity effort must go. It is estimated in the latest Project SHINE report that the United States has more than half a billion control system devices connected to the Internet. The SANS Institute, the largest cybersecurity training organization in the world, estimates that in the U.S. power industry alone thousands of new or existing control systems security professionals must be deployed or further developed in the next five years to adequately address the challenge of control system security within the electric sector.
Steps to fill the gap
The first step in that process is defining the baseline of knowledge required by the new breed of security professional who will bridge the gap between control system engineers and information technology security specialists.
This important first step has already been accomplished with the development of the Global Industrial Cyber Security Professional (GICSP) certification—developed through a joint effort by control system manufacturers, control system users and security specialists. This certification sets a standard that allows organizations at risk to build control system security teams with the confidence that those teams have the knowledge they need to be successful.
The second step is training. A training infrastructure exists to support information technology security and this infrastructure must now be expanded quickly to prepare a small army of engineers and technologists for GICSP certification. A core group of industry veterans has established the curriculum for such training and the early graduates of these classes are now entering the workforce. The challenge will be scaling quickly to meet the projected need for GICSP-trained professionals while providing continuing education that allows certified professionals to expand their knowledge base and share their experience.
The final step is knowledge sharing. As trained professionals work actively to defend critical control networks they will generate, and benefit from, shared information on vulnerabilities, threats and best practices.
With the certification in place, the focus now needs to be on training. The sooner we reach a critical mass of GICSP-certified professionals, the sooner we will have a determined and dynamic force capable of successfully defending the systems our country and its businesses depend on.
 http://www.forbes.com/
