Defense News released last week the results of a poll in
which nearly half of the U.S. national security leaders who responded cited cyberwarfare
as the most serious threat facing the country, ranking it higher than terrorism
or China. The alarm bells have been ringing for some time now – the sound got
louder last year, when President Obama issued an executive order to update the
National Institute of Standards and Technology (NIST) cybersecurity framework. With
this latest survey it seems that a consensus is starting to emerge that yes,
cyberattacks are a real threat and something must be done to better secure the
nation’s critical infrastructures. While
it’s encouraging to see this issue finally getting the attention it deserves,
the question still remains “will anything will be done about it?”
Unfortunately, it will probably take a large-scale attack
for some utilities to get serious about improving security defenses. This is
because many utilities base their risk models on the likelihood of an attack –
and without a significant event to reference, the probability of future attack must
be low, right? In fact, all it takes is one significant event to trigger the
risk models, and no utility wants to become the new poster child for critical
infrastructure cyberattacks – one that will be talked about and analyzed for
years to come. While the first big attack will almost certainly light a fire
underneath utilities, this isn’t something we can afford to wait for when power,
or clean water, or clean air for millions of people are at risk.
There is progress to report. The North American Electric
Reliability Corporation (NERC) recently updated its Critical Infrastructure
Protection (CIP) standards to Version 5, which is a marked improvement over
Versions 3 and 4. These standards will go a long way in bringing power grid
security up to par by encouraging the adoption of new technologies that are stronger
than firewalls.
Firewalls are no match for the advanced level of today’s
cyber threats. It’s like going into battle using paper clips for armor. Years
ago, a lot of us were confident that a firewall would block the vast majority
of cyberattacks, whether we were right or not. Nowadays, firewall limitations
are well-known in both white-hat and black-hat communities. The problem is that
security practitioners in utilities often have trouble communicating this risk
to the management teams who control security budgets. These teams often don’t understand
just how poor their defenses are until someone shows them how easy it is to
breach those defenses. Hiring a penetration tester is a good way to expose poor
defenses, before our enemies do.
NERC has recognized the value of Unidirectional Security
Gateways. What will it take to communicate the risk to other decision-makers?
Sometimes what it takes is a security breach – malicious or benign – to change
our thinking. Better a white-hat penetration-testing breach, than waiting to
become a poster child for a black-hat cyberattack.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.