Squirrels or hackers: Which is the bigger threat to critical infrastructure?

By Inga Goddijn, CIPP/US, Risk Based Security, Inc.

The prognosticators have peered into their collective crystal ball and the outlook isn’t good.

According to some security researchers and regulatory authorities, we are on the brink of a new kind of war, waged in cyber space, with a single-minded focus on exploiting security weaknesses in our critical infrastructure in order to cause havoc in our communities.

There have even been a handful of high profile examples held up as early warning beacons, such as the alleged Iranian hacking of the control systems for a flood-control dam located in Rye Brook, New York and the targeting of the Ukrainian power grid, supposedly perpetrated by Russian hackers as part of the ongoing conflict in Eastern Ukraine.

While the Rye Brook hacking incident has been largely discredited as nothing more than a random port scan and doubts linger about the underlying causes of the power outages in the Ukraine, the specter of cyber attackers targeting our most critical infrastructure has generated significant attention – and dire warnings – from the public and private sectors alike.

But how imminent is the threat, really?

Other than the Stuxnet worm, which was deliberately deployed to cause physical damage to centrifuges used in Iran’s nuclear development program, and the occasional ransomware infection that can hit any organization, there are precious few examples of successful cyber attacks against infrastructure providers.

According to the data breach research conducted by Risk Based Security, only 66 utilities have reported data breach incidents in the past 10 years, implying the rate of attack targeting utilities is lower than other sectors.

In fact, there have been so few documented incidents that a handful of security researchers have launched a tongue-in-cheek project known as Cyber Squirrel 1, dedicated to gathering evidence that the #1 “attacker” targeting the electrical grid is wildlife, especially squirrels.

Setting aside the hype and obvious doomsday scenarios, there are good reasons why infrastructure security has come to the forefront recently.

Top on the list would be the industry-accepted recognition that supervisory control and data acquisition (SCADA) systems and related industrial control systems (ICS) are just as prone to vulnerabilities as any other technology, but can be notoriously difficult – if not impossible – to patch.

That means once a new weakness is identified, it is not always possible to update or fix the issue at all, let alone address it in a timely manner. This can happen with older systems or devices that were never designed for Internet connectivity, or when developers fail to include the mechanisms necessary for delivering software updates.

It’s easy to see how the combination of weakened systems deployed in some of our most important infrastructure operations would be sufficient to start setting off alarm bells, even if worst-case scenarios have yet to occur.

Another reason for the interest is due to the launch of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Recognizing that protecting critical infrastructure is in the national interest, NIST was tasked with gathering various industry standards and best practices and incorporating them into a unified framework for managing cyber risk. The Framework, which was formally launched in February of 2014, looked to many of the same best practices that were used for creating the YourCISO service and endorsed by a coalition of public and private infrastructure operators.

Rather than creating something from scratch, the working group focused on assembling cyber security guidelines and practices that were already shown to be working effectively. The collaborative approach, coupled with the framework’s focus on flexible and risk-based management strategies, has made it a popular reference point for operators.

Despite the attention the framework has generated, widespread adoption has yet to take hold. Voluntary compliance and a target audience of private entities have hindered broad implementation. Also, with 22 different security domains and 98 control objectives, tackling the framework can be overwhelming for all but the largest organizations.

For organizations interested in making use of the framework but not sure where to start, the Security Health Check in YourCISO along with the policy templates and incident response tools are a great place to begin. Thanks to a shared foundation in industry recognized best practices, the YourCISO platform provides an excellent gateway into the strategies outlined in the framework.

It remains to be seen whether our infrastructure will become a new front line for malicious attackers. Regardless, sound cyber risk management practices coupled with evidence-based control strategies like those found in the NIST framework and YourCISO will remain the most effective way to combat whatever new threats might emerge.

Learn more about YourCISO and other cyber security resources here.