Friday, January 17, 2014

Cyberwarfare is a bigger threat to U.S. than terrorism – now what?

Defense News released last week the results of a poll in which nearly half of the U.S. national security leaders who responded cited cyberwarfare as the most serious threat facing the country, ranking it higher than terrorism or China. The alarm bells have been ringing for some time now – the sound got louder last year, when President Obama issued an executive order to update the National Institute of Standards and Technology (NIST) cybersecurity framework. With this latest survey it seems that a consensus is starting to emerge that yes, cyberattacks are a real threat and something must be done to better secure the nation’s critical infrastructures.  While it’s encouraging to see this issue finally getting the attention it deserves, the question still remains “will anything will be done about it?”

Unfortunately, it will probably take a large-scale attack for some utilities to get serious about improving security defenses. This is because many utilities base their risk models on the likelihood of an attack – and without a significant event to reference, the probability of future attack must be low, right? In fact, all it takes is one significant event to trigger the risk models, and no utility wants to become the new poster child for critical infrastructure cyberattacks – one that will be talked about and analyzed for years to come. While the first big attack will almost certainly light a fire underneath utilities, this isn’t something we can afford to wait for when power, or clean water, or clean air for millions of people are at risk.

There is progress to report. The North American Electric Reliability Corporation (NERC) recently updated its Critical Infrastructure Protection (CIP) standards to Version 5, which is a marked improvement over Versions 3 and 4. These standards will go a long way in bringing power grid security up to par by encouraging the adoption of new technologies that are stronger than firewalls.

Firewalls are no match for the advanced level of today’s cyber threats. It’s like going into battle using paper clips for armor. Years ago, a lot of us were confident that a firewall would block the vast majority of cyberattacks, whether we were right or not. Nowadays, firewall limitations are well-known in both white-hat and black-hat communities. The problem is that security practitioners in utilities often have trouble communicating this risk to the management teams who control security budgets. These teams often don’t understand just how poor their defenses are until someone shows them how easy it is to breach those defenses. Hiring a penetration tester is a good way to expose poor defenses, before our enemies do.

NERC has recognized the value of Unidirectional Security Gateways. What will it take to communicate the risk to other decision-makers? Sometimes what it takes is a security breach – malicious or benign – to change our thinking. Better a white-hat penetration-testing breach, than waiting to become a poster child for a black-hat cyberattack. 

Friday, January 10, 2014

Strategic Defence Intelligence recognizes Waterfall Security’s achievements in protecting critical infrastructure

There’s a familiar name in the Strategic Defence Intelligence and Global Defence Technology Awards – Ones to Watch 2013: Waterfall Security. The awards recognize outstanding achievements in defense technology and innovation, validating Waterfall’s unidirectional security gateway technology as stronger than firewalls and underscoring the potential for protecting our nation’s critical infrastructure.

In its announcement of the shortlist of recipients, Strategic Defence Intelligence says that:

Waterfall Security’s Unidirectional Security Gateway solutions offer effective protection for safety-critical and reliability-critical networks. Unlike competitors that specialise in military and government requirements only, Waterfall’s products cater extensively to the industrial space as well, important when you consider that some of the most sophisticated attacks emanate from outside conventional warfare.”

Highlighted in the assessment of Waterfall’s solutions is our Waterfall for Bulk Electric System (BES) Control Centers, protecting two-way communications via hardware-enforced Unidirectional Security Gateways replicating inter-control-center protocol (ICCP) communications endpoints in two directions.

Last year saw renewed focus in the vulnerability of our nation’s critical industrial infrastructures to cyberattacks. In February, President Barack Obama signed an executive order requiring the National Institute of Standards and Technology (NIST) to create a cybersecurity framework, a preliminary version of which was announced this past fall. (See our take on the framework here.) Perhaps the biggest news of 2013 was the Federal Energy Regulatory Commission (FERC) approval of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards, replacing the ineffectual Version 4 and allowing utilities to move forward with strengthening security programs

While there is still a lot of work to be done, we are optimistic that 2014 will see improvements made in securing the nation’s power grids and other critical industrial infrastructures. The more we talk, the more advanced our adversaries become. Firewalls are no match, and it’s time to take action to better secure our infrastructures.