Defense News released last week the results of a poll in which nearly half of the U.S. national security leaders who responded cited cyberwarfare as the most serious threat facing the country, ranking it higher than terrorism or China. The alarm bells have been ringing for some time now – the sound got louder last year, when President Obama issued an executive order to update the National Institute of Standards and Technology (NIST) cybersecurity framework. With this latest survey it seems that a consensus is starting to emerge that yes, cyberattacks are a real threat and something must be done to better secure the nation’s critical infrastructures. While it’s encouraging to see this issue finally getting the attention it deserves, the question still remains “will anything will be done about it?”
Unfortunately, it will probably take a large-scale attack for some utilities to get serious about improving security defenses. This is because many utilities base their risk models on the likelihood of an attack – and without a significant event to reference, the probability of future attack must be low, right? In fact, all it takes is one significant event to trigger the risk models, and no utility wants to become the new poster child for critical infrastructure cyberattacks – one that will be talked about and analyzed for years to come. While the first big attack will almost certainly light a fire underneath utilities, this isn’t something we can afford to wait for when power, or clean water, or clean air for millions of people are at risk.
There is progress to report. The North American Electric Reliability Corporation (NERC) recently updated its Critical Infrastructure Protection (CIP) standards to Version 5, which is a marked improvement over Versions 3 and 4. These standards will go a long way in bringing power grid security up to par by encouraging the adoption of new technologies that are stronger than firewalls.
Firewalls are no match for the advanced level of today’s cyber threats. It’s like going into battle using paper clips for armor. Years ago, a lot of us were confident that a firewall would block the vast majority of cyberattacks, whether we were right or not. Nowadays, firewall limitations are well-known in both white-hat and black-hat communities. The problem is that security practitioners in utilities often have trouble communicating this risk to the management teams who control security budgets. These teams often don’t understand just how poor their defenses are until someone shows them how easy it is to breach those defenses. Hiring a penetration tester is a good way to expose poor defenses, before our enemies do.
NERC has recognized the value of Unidirectional Security Gateways. What will it take to communicate the risk to other decision-makers? Sometimes what it takes is a security breach – malicious or benign – to change our thinking. Better a white-hat penetration-testing breach, than waiting to become a poster child for a black-hat cyberattack.