Slow cyber progress puts critical infrastructure at risk

By Jared Serbu
Reporter
Federal News Radio

Cybersecurity changes being considered by both Congress and the Obama administration would give the federal government more oversight authority over the operators of the nation’s critical infrastructure. And a report issued Tuesday finds the nation’s grid operators may need some prodding when it comes to securing their systems from cyber attack.

McAfee, a computer security firm, sponsored the report, which researchers at the Center for Strategic and International Studies wrote as a follow on to their critical civilian infrastructure study from 2010. For the report, they interviewed 200 technology executives in the electricity, oil, gas and water sectors.

“What we found is that they are not ready,” the authors wrote. “The professionals charged with protecting these systems report that the threat has accelerated – but the response has not. Cyber exploits and attacks are already widespread. Whether it is cyber criminals engaged in theft or extortion, or foreign governments preparing sophisticated exploits like Stuxnet, cyber attackers have targeted critical infrastructure.”

Advertisement

Stuxnet, a piece of sophisticated malware that targets certain power control systems, struck in the period between CSIS’s first report and the one they released Tuesday. The new report found 40 percent of the firms surveyed by researchers found Stuxnet in their systems. Additionally, 80 percent said they had faced large-scale denial of service attacks and 85 percent reported that their networks had been infiltrated in some way over the past year. By comparison, fewer than half reported similar attacks in the previous year’s report.

Stewart Baker, a visiting fellow at CSIS, a former Homeland Security Department assistant secretary, and a co-author of the report, said researchers wanted to know what steps operators had taken to boost their protections in the face of increasing attacks.

“We didn’t want to ask them, ‘gee, are you doing more about security?’ Because everybody says yes,” he said. “So we actually came up with a list of 29 technologies…just a grab bag of security technologies. We asked them last year, and we asked them this year which of these technologies they’re using. They went from having 50 percent of those security measures deployed to having 51 percent of those measures.”

Baker said one possible explanation for the mismatch between the perceived threat and the response to it is that private companies don’t feel equipped to defend themselves in a cyber war alone.

“If you’re a private company and you’re faced with the prospect of an attack like Stuxnet, there’s a feeling of utter helplessness that descends on you,” he said. “What do you do about zero-day attacks, multiple zero-day attacks, thumb drive transport, people who are using the very data system you rely on sending out orders and then getting back false reports? You kind of say, ‘Geez, General Motors doesn’t have its own air defenses against nuclear attack. How am I supposed to solve this problem?’ Unfortunately, the response to that sense of helplessness is utter denial.”

Michael Peters, the cybersecurity advisor at the Federal Energy Regulatory Commission (FERC), said one problem is that even the energy control systems that are being produced today are not being engineered with security in mind, even as grid operators prepare to roll out a new generation of “smart grid” technologies.

And Peters, who said his comments reflected only his own opinions and not those of FERC, said bolting security onto those systems was inherently difficult.

“These things are very different from corporate IT,” he said. “We’re used to our IT systems rolling over every 18 months. In the critical infrastructures, we have equipment out there that has 40 or 50 year lifetimes. This stuff doesn’t roll over. A lot of the defenses that people might be aware of for corporate networks can’t just be slapped onto a control system, or else you might cause more harm than leaving them vulnerable.” Peters said infrastructure operators need to take a top-to-bottom look at their own systems and decide precisely what areas are in need of security attention.

“I recommend people have their best engineers and control system people look at their systems, and figure out, ‘how can we cause the most harm to this company and our customers?’ Because these experienced people know where the skeletons are buried,” he said. “They look at those things and point out those features and they fix them. And if everybody looks at their own selves and asks how they can keep their company profitable and keep providing the products and services that these control systems are designed to do, then everybody writ large will be better off. Right now, people are wondering how they fit into the bigger picture, when in reality I want them to protect themselves. If everybody protects themselves, then we just have to look at the seams to add some additional protections.”

The CSIS-McAfee report found that only 16 percent of U.S. critical infrastructure operators had their cybersecurity plans audited by any government agency, and 40 percent said they had no interaction at all with government on cyber matters. That’s compared to a 100 percent audit rate in Japan and 70 percent in China.

In the U.S., some legislative proposals would change that. The White House is reportedly circulating draft legislation that would give DHS new cybersecurity oversight of standards development and let it create a body of third party evaluators to assess whether or not private operators are meeting generally-accepted cybersecurity benchmarks.

Baker said DHS might indeed need new authorities in order to make informed decisions about the cybersecurity of the nation’s critical infrastructure.

“I’m struck by the fact that the Federal Trade Commission has never used the words ‘public-private partnership,'” he said. “They’ve got subpoena authority and fine authority. They get respect, and they get educated even if they don’t get respect. My sense is that DHS has probably taken the approach of hoping people will come in and giving them good refreshments about as far as it can, and that’s why we’re seeing these proposals.”

This story is part of Federal News Radio’s daily Cybersecurity Update brought to you by Tripwire. For more cybersecurity news, click here.

(Copyright 2011 by FederalNewsRadio.com. All Rights Reserved.)