As the summer enjoyed its last hurrah, industrial cybersecurity became a hot topic in the news. In August, we saw the U.S. Department of Homeland Security working to increase security measures with a new committee, and the National Institute of Standards and Technology’s put out a new proposal to improve international standards in cyberspace. Underlying these developments are the ever-present myths and real threats against our critical infrastructure. For details on these stories and more, check out our monthly snapshot of important industrial cybersecurity news below.
Five myths of industrial control system security (SC Magazine, Aug. 20, 2015)
Despite widespread concern about cyberattacks on industrial control systems, IT security models continue to use outdated methods of cybersecurity based on several unfortunate myths. The belief that firewalls provide adequate protection of our critical infrastructure is one myth that perpetuates despite proof to the contrary. The fact is, firewalls offer only a small amount of protection, but not enough to protect our irreplaceable power grids or the many lives that could be affected by an industrial cyberattack.
Five Reasons The U.S. Power Grid Is Overdue For A Cyber Catastrophe (Forbes, Aug. 19, 2015)
The U.S. power grid is long overdue for a cyberattack, according to Forbes contributor and CEO of think tank Lexington Institute, Loren Thompson. The security community has noticed an increase in the number of attacks on industrial control systems used to operate the power grid, a majority of which were cyber-related. Thompson noted several reasons for this increase including the grid’s numerous vulnerabilities, consistent oversights in its regulatory structure and a lack of financial incentives to encourage security investments in the industry.
Homeland Security moves to prevent attack on power grid (The Hill, Aug. 14, 2015)
The U.S. Department of Homeland Security is creating a new committee to boost digital defenses for the industrial sector. The reason behind this decision is the increasing risk of cyberattacks to critical infrastructure sites, especially as electric grids are getting smarter. Homeland Security Secretary Jeh Johnson called for the panel to identify how well the department’s “lifeline sectors” are prepared to deal with threats and recover from a cyberattack. The committee is also tasked with providing recommendations for a more unified approach to state and local cybersecurity.
A Critical Time for Critical Infrastructure (Light Reading, Aug. 13, 2015)
According to a recent Intel Security and Aspen Homeland Security Program report, operators of critical infrastructure are over-confident in their ability to defend against attacks and misunderstand the scale of the current threat environment. In North America, this reality is one of the forces behind the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) requirements. NERC CIP Version 5 calls for utilities of all sizes to meet new cyber security protection requirements and has a compliance deadline of April 2016.
NIST identifies objectives for cyber standards (FCW, Aug. 11, 2015)
The National Institute of Standards and Technology recently drafting a new proposal, which includes four broad objectives for the government’s pursuit of international standards in cyberspace: improve national and economic security, ensure standards are technically sound, support standards that promote international trade, and develop standards in tandem with industry to boost innovation. If fully implemented, NIST declares the guidance will “enable a comprehensive United States cybersecurity standardization strategy.”
Interested in reading more cybersecurity news? Check out last month’s news roundup.