Q&A: The critical infrastructure and digital security
Brian M. Ahern is president and CEO of Industrial Defender, the world’s fastest growing SCADA security company. In this interview, he discusses the security of critical infrastructures, the protection of digital resources and threat evolution.
Panic and wild speculation in the media aside, how vulnerable do you see the world’s critical infrastructures to cyber attack?
In today’s fast-paced business environment, mission-critical process control and SCADA networks are now connected to corporate networks in order to improve business efficiencies and profitability by providing real-time data access from production systems to business systems. Remote access to Process Control/SCADA networks for employees and vendors is an increasingly common trend intended to help improve operational efficiency.
Though these business efficiency gains can be good for the top and bottom line, the reality is that they increasingly expose critical infrastructure networks to cyber security risks and vulnerabilities.
That said, the Obama administration has made some very positive movements in securing the nation’s critical infrastructure. Recently introduced cyber security legislation by Congress, including the bills proposed by Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine), the Critical Electric Infrastructure Protection Act proposed by Sen. Joseph Lieberman (I-Conn.) and Rep. Bennie Thompson (D-Miss.) as well as the Bulk Power System Protection Act proposed by Edward Markey (D-Mass.) and Rep. Henry Waxman (D-Calif.), also underscore the need for greater cyber security protection of the United States’ critical infrastructure operating systems.
While these are necessary first steps, another primary issue that needs to be addressed in the new legislation is the incentive for the private sector to openly disclose incidents within critical infrastructures. To date, there has been an industry reluctance to escalate incidents to the federal government. However, there is a way to leverage technology to provide an overview of the nation’s cyber security posture, while also providing the ability to drill down more specifically, with safe-harbor protection, to more specifics on the incidences, leading to an increase in overall public safety.
What are the critical steps one can take in order to make sure their company’s digital resources are protected?
1) Security Policy – Entities with critical infrastructure assets should have the appropriate cyber security processes and procedures in place to effectively protect the SCADA/Process Control Network environments. In order to have an effective policy in place, the critical infrastructure entity should first understand the state of security within their SCADA/Process Control environment by taking the following steps:
2) Vulnerability Assessment – Once a comprehensive vulnerability assessment has been completed, a report will be generated which details the physical and cyber security risks and vulnerabilities. The vulnerability report should provide extensive data and analysis of the security posture of the Process Control/SCADA environment and enable the entity to implement an effective mitigation strategy to protect all digital cyber assets.
3) Physical Security – Physical access to cyber assets on the Process Control/SCADA network is one of the most overlooked aspects of protecting digital assets. Physical access to the network should be closely monitored and managed by a strict access policy which covers the IT department, employees, contractors and vendors.
4) Layered Security Protection – It is critically important to create a layered “Defense-in-Depth” approach to securing digital assets within the industrial control and SCADA network. An effective Defense-in-Depth cyber security strategy begins with creating the Electronic Security Perimeter (ESP), which protects the industrial control and SCADA network from external cyber risks and vulnerabilities which exist on the Internet, external networks and remote access. The inside of the network should be supported through the use of Intrusion Detection Systems (IDS) which can monitor the network and the specific computers and devices which reside on the network.
5) Authorization and Authentication – The final element of a strong defense-in-depth security posture is to ensure that proper authorization and authentication technologies are in place to monitor, manage and administer remote access to the industrial control and SCADA system environment, and this can be accomplished through the use of Access Management security technologies.
What do you see your clients most worried about?
Though there is strong evidence that cyber security threats are being increasingly targeted toward critical infrastructure Process Control/SCADA networks, many of our clients are particularly concerned about the malicious and non-malicious users inside the electronic security perimeter of the SCADA/Process Control network.
Industry analysts estimate that over 70% of malicious and non-malicious incidents or attacks originate inside the firewall or electronic security perimeter of the network. Regardless of whether the intention to cause harm or damage is intentional or not, the consequences of a cyber security incident within a critical infrastructure environment may still be the same.
Most people can imagine what a penetration test looks like or how one audits for software vulnerabilities. How complicated is it to perform a compliance assessment for, let’s say, SCADA systems?
The industrial control environment contains unique systems, applications, protocols and components which can be very different from a traditional IT network. When it comes to enterprise security vs. SCADA security priorities, what’s good for the goose isn’t necessarily good for the gander.
To this point, enterprises most often view confidentiality as their highest priority, followed by integrity and availability. Industrial control and SCADA networks have the opposite view: availability is inherently first priority, followed by integrity and confidentiality.
With the constant evolution of threats, what kind of technology challenges does Industrial Defender face?
Many remote site operations managers, while recognizing the severity of the cyber security issues they face, are left wondering where to begin. According to a 2005 study from UK-based NTA Monitor, over 90 percent of remote access virtual private network systems have exploitable security vulnerabilities due to a lack of security best practices. Undoubtedly, the need for a secure remote access strategy is inherent in order to effectively support any type of remote access to the Process Control/SCADA network.
Industrial Defender’s technology solutions employ a Defense-in-Depth risk security technology strategy, which uses technology specifically designed to address the challenges of securing remote virtual private networks used within major power, oil & gas, water, chemical and transportation companies.
Moreover, Industrial Defender’s offering includes the efficient assessment, mitigation, and management of cyber security risk. Through our vulnerability assessment services, we’re on the front lines in identifying current and emerging risks to our customer base. With our co-managed services, customers benefit from real-time threat monitoring while also profiting from the flexibility of this approach—they can augment their security staffs without entirely outsourcing the monitoring and managing of the cyber security of their SCADA systems.
These risk findings become invaluable sources of intelligence for Industrial Defender, and are incorporated into our Company’s product strategy, which is designed to address existing vulnerabilities and threats, while simultaneously alerting customers to potential future threats to their networks.