Cyber Security & Critical Infrastructure Protection – Themes from TTC’s Symposium

Published: March 27, 2013

Cloud ComputingCritical Infrastructure ProtectionCybersecurityDEFENSEDHSIntelligenceMobilityPolicy and LegislationSequestrationShared ServicesDOT

I had the opportunity recently to attend a two-day symposium on Cyber Security & Critical Infrastructure Protection, hosted by the Technology Training Corporation. The event brought together federal government and industry cyber security experts from the various critical infrastructure sectors, including Energy, Homeland Security, Defense, Transportation, Communications/IT, Postal, Emergency Services, and Financial Services. The recurring theme throughout the event was the ongoing vulnerability that these sectors share and what they are doing about it

The symposium agenda included presenters from a range of governmental, quasi-governmental, non-profit, and private industry organizations with one underlying commonality – their interest in protecting critical infrastructure that is vulnerable due to the growing threat to the information technologies that have permeated this infrastructure. As has been the case with their other events that I’ve attended, the TTC team assembled a very broad array of leaders and experts across the field to provide a really comprehensive coverage of the topic. As events go, I get some of the best information in one place and at one time. Way to go, TTC!
 
Key Themes
 
As I heard from the presenters and interacted with them and other attendees, several themes and commonalities emerged.   Here are just a few.
 
Threats – the Changing Landscape
  • The threat vector has dramatically changed at the same time that laws are changing that put penalties on not securing your data. More is changing in this environment than is staying the same.
  • Some security practitioners have dropped the word “advanced” from the description of advanced persistent threat (APT) because they observe the vast majority of attackers using common attack approaches – the “open door” rather than “breaking a window.” The disparity in security capabilities is greater than the disparity in threat.
  • Mobility – The number of new mobile vulnerabilities being detected is growing almost exponentially each year, making mobility the biggest growing threat vector.
  • Cyber arms race is unlike any other arms race in history because it is frictionless. For example, it took 3 days for Stuxnet to be reverse-engineered, reproduced, and propagated. It taught everybody how to attack a SCADA system. It has also given rise to the private cyber arms manufacturer – people who build cyber-attack capabilities and sell them on the black market.
  • Personnel training to avoid risky behavior is the most important element of cybersecurity. NSA statistics show that  80 percent of exploitable vulnerabilities are a result of poor cyber hygiene. The other 20% is the APT.
  • Social engineering is a growing threat because, among other things, it gives the attackers a deeper understanding of how users and organizations behave, respond and think.
  • Growing cyber threats in the aviation sector target in-flight operations, ground support operations, air traffic managements systems, etc.
 
Cloud Computing Security – Key Challenges
  • Some agencies are moving to cloud services because of financial constraints, knowing of security risks and hoping security will follow soon afterward.
  • Some key challenges in effectively implementing Cloud include:
    • Contract structuring: How do you structure a contact offering when you don’t own the asset? How do agencies (GSA, etc.) effectively strengthen cloud acquisition policy and build in security into SLAs?
    • Clearance: what types of clearance levels are needed for people around the world who are supporting agencies or have access to their data, but are not necessarily part of a secure sector? Information sharing on threats, etc. is sensitive.
    • Incident response: When there is an incident, who do I call? The Cloud Service Provider (CSP) or the agency? 
 
Information Sharing – Culture Change is Needed
  • Information sharing is not an ends, it’s a means to an ends. In this context, it is needed to gain an effective shared situational awareness among shared stakeholders.
  • One challenge to information sharing stems from a sense of human preservation. We have a culture of not sharing information, while hackers have a culture of sharing widely.
  • Electricity Sector Information Sharing and Analysis Center (ES-ISAC) – Allows electric providers to share information in a non-compliance framework and encourages free flow of information without fear of compliance threat hanging over you. Effective sharing requires the freedom from the threat of sharing.
  • Cyber Federated Model (CFM) – the warfighter has great command and control (C2) information and the CFM intends to enable C2 for cyber indicator information. For example, an infected site is sent into the CFM and within a few minutes all other sites within the CFM get the information. Some sites have automated updates and the information sharer gets to control with whom they share.
  • One key to effective sharing includes the ability to be able to do it securely, i.e. share with assurance. Also, data must be anonymized to be shared, especially if the data is classified, sensitive or contains private information. Sensitive but unclassified information will need cooperative agreement between government and industry to set the boundaries for what each can do with the information they receive.
  • Automated information sharing should focus on machine-readable threat indicators to automate data flow and get people out of loop where possible. Currently, high-priority threat-level information is XML-based, but going forward organizations will need more visual analytics.
 
SCADA Systems – Unanticipated Vulnerabilities
  • SCADA (supervisory control and data acquisition) systems, and other industrial control systems (ICS) were never designed for networking, but they have been extensively. So we are now building monitoring capabilities in an attempt to detect and defend against attacks on systems that were never designed to withstand such attacks. 
  • Attacks like Stuxnet and Shamoon targeted energy sector systems and disclosed SCADA system vulnerabilities.
  • The patching treadmill – These control systems were never designed to be patched and/or shut down regularly. This patching can mean an entire plant must be shut down to complete the patch. This has the potential for unforeseen domino effects and implications for supply interruptions and other complexities.
  • Different organizations and unrelated sectors currently have different architectures and protocols for collecting and sharing threat information. What is needed is a common open-standards XML schema to communicate attacks in industrial control and other systems.
 
Regulation Versus Collaboration
  • There is not currently a consensus on how to proceed with administering cyber- and critical infrastructure protections, with significant polarization existing between competing regulatory/compliance and collaboration/incentive approaches. 
  • Comprehensive legislation (Lieberman-Collins, and others) that failed in the Senate included new and expanded regulatory and compliant elements over the private infrastructure community.
  • Some industries, like nuclear energy, have very mature regulatory environments and some assert that the success in this area is an example of positive regulation that should serve as a prototype for other infrastructure industries.
  • Public-private partnerships are essential. The Critical Infrastructure Partnership Advisory Council (CIPAC) and HSPD-7 were the predecessors to the latest Executive Order (EO) and Presidential Policy Directive (PPD-21).
 
Impact of Budget Limitations
 
Budget constraints multiply the challenges that disparate critical infrastructure sectors and federal agencies face as they look to secure their assets and protect their information. This is driving some federal agencies to look to shared services to establish a common security approach and leverage their collective buying power. 

As for the current budget sequestration, several government representatives at the symposium noted that they had been fortunate so far, with the greatest impact being to restricted travel budgets for speaking and outreach. (They were based here in D.C.) But they could still travel to perform their site assessments as needed. We will see how ongoing budget constraints shape cyber and infrastructure protection plans going forward.

---
Follow me on Twitter
@GovWinSlye.