This past week was the National Electric Sector Cybersecurity Organization Resource (NESCOR) Summit in Washington, DC. It was a useful and productive session and seemed to achieve the goals laid out.
Erfan Ibrahim from EPRI set the stage, we broke into working groups to dig deeper into three major subtopics and then came back to one room to tie it all together.
My favorite part was an impromptu panel with Justin Searle of InGuardians, Andrew Wright from N-Dimension and myself at the end (“would I like a stage and a microphone?” are you kidding?). Very good discourse and it was definitely informed by the work of preceding days.
The working groups are continuing and evolving to identify and dig into issues, outputting tangible deliverables to assist DoE and other organizations’ decision making.
In May my colleague Guillermo Grande attended an ISA event in Madrid where CNPIC is following a similar path of engaging pertinent parties, setting up working groups and grinding through the problem of industrial control system security.
Watching the various engines of civil society warm up and set to addressing the daunting task of critical infrastructure cybersecurity is very interesting, like an episode of Build it Bigger. Some would say it is also very depressing or even very frightening.
I would disagree with those folks.
(crossposted from Infosec Island)
We have managed to rise to the challenge of securing the Internet so far, I think we will rise to the challenge of securing our physical infrastructure as well.
The shape of the war is well-known and we generally win it every day already. Winning the war does not mean winning every battle, as Sony keeps being reminded. Every day and sometimes in waves we hear of virtual entities ravaged by plagues of electronic locusts.
Locusts can make your life miserable for a while. But unless you have other problems already that make locusts particularly threatening, you will end up down at Home Depot one day. If need be, you will tarp the whole blasted place and bring in the big toys, then life will move on (well, not for the locusts so much).
You didn’t seriously think the locusts could win, did you?
Most of the famous cyber attacks to date have not destroyed companies. They have cost them in various forms, but most of them have continued on without much more than a Lesson Learned. For all the fuss TJ Maxx ‘s loss of millions of credit card numbers in 2007 caused, the company is worth twice today what it was then. From a “security as business insurance” perspective the event was just another challenge of being a company that worked out in the end.
Critical Infrastructure cybersecurity has caused a lot of people outside the space to have panic attacks, though. “This isn’t like IT where it is only zeros and ones, people’s lives are at risk!” A successful cyber attack against one or more of these systems could bring hacking into the world of physical loss, where pipes burst and dams fail and people die.
When you are dealing with people who know at a bone-deep and personal level what "Critical Infrastructure" means it puts that sort of actuarial point of view in a different light. Critical Infrastructure is what you give your heart and soul and often enough your life to build to the best of your ability, knowing that there are forces out there capable of tearing it all down.
Hurricane Katrina didn’t care that men and women gave decades of their lives to keep water out of the streets of New Orleans. The tsunami that hit the Fukushima nuclear reactors did not care that Masatoshi Toyota and hundreds of others made the safety and reliability of those systems their lives’ works.
This is the world those who have built the systems we all depend on live in. They build incredible structures that literally make the world a better place to be. The failure of these systems bears consequences most of us never have to face in our careers.
When despite all the sweat and sleepless nights one of these systems suffers catastrophic failure the people who built it shoulder the responsibility and clean up the mess and move on without a word of protest and few of appreciation.
The reality is that there is no way to guarantee that all of the critical systems underpinning modern culture will be safe from cyber attack. There will be more successful and more spectacular demonstrations of the fragility of these amazing architectures that are constantly and quietly being built for us behind the scenes of our daily lives.
As the rising storm of attacks against our infrastructure continues to escalate we will lose some battles. We can no more prevent that than civil engineers could have stopped the waves coming on shore in Japan or Jakarta. The impact of these losses may be more or less destructive, though, and that is something we can work to control.
TJ Maxx had its Katrina and today is a twenty billion dollar company: Albert Gonzalez went to jail for twenty years. The Internet and on average all of its tributaries is up and running from my desktop to yours at this very minute, despite best efforts to the contrary. Our critical infrastructure will experience a similar path: it will have its Sony Moments, and it will survive.
The processes of State more closely mirror the process of industrial engineering than they do the Internet entrepreneurialism and enterprise IT that information security people are more used to. It will take an incredible amount of time and effort to work through the complex issues associated with the cyber threat between your house and the hydroelectric station electrons flow to it from. But it took years of digging and dynamite and concrete and conduit to build the dam and get the power flowing in the first place. The fact that you have the current to read this shows that the work got done.
The cognitive and physical efforts of many people are being applied to industrial control system security today, and the workforce is expanding. The process will be flawed and the recommendations revised and the standards complained about. Public criticism of all or parts of the process will wax and wane. It will go on forever and incidents will occur and, yes, due to unforeseen or unaddressed issues these will almost definitely include incidents that cost human lives.
But the work will get done.
The best attitude we as information security people can take into ICS is to emulate the people who built the systems we aim to secure. Do the work to build the dams and levees, with all the diligence we can manage and none of the drama we can avoid. Then be prepared to rebuild them.
There is no need to add drama to the issue. It comes with enough of its own. We simply need to keep doing the work.
Chris Blas
k authored the first book on SIEM, "Security Information and Event Management Implementation", published by McGraw Hill. Today he is Vice President of Industrial Control Systems Group at AlienVault, the producer of the world’s most popular SIEM technology, and is on faculty at the Institute for Applied Network Security (IANS).
6 comments