8 October 2009

U.S. digital infrastructure a strategic asset

By Nicholas Sheble

“It’s imperative for the holders of our, the United States,’ critical infrastructure to make the necessary investment to protect those resources,” said Greg Garcia.

Garcia was a featured speaker Wednesday at ISA EXPO. He is president of Garcia Strategies and formerly the nation’s first presidentially-appointed assistant secretary for Cyber Security and Communications (CS&C) for the Department of Homeland Security.

One critical resource Garcia feels is important is the energy sector and its controls systems are vulnerable to cyber attack. He points to the roadmap that the U.S. Department of Energy built for the sector.

The roadmap outlines a strategic framework featuring four main goals that represent the essential pillars of an effective protective strategy:

Measure and Assess Security Posture: Companies should thoroughly understand their current security posture to determine system vulnerabilities and the actions required to address them.

Within seven years, the sector will help ensure energy asset owners have the ability and commitment to perform fully automated security state monitoring of their control system networks with real-time remediation capability.

Develop and Integrate Protective Measures: As security risks are identified, protective measures should be developed and applied to reduce system risks.

Security solutions will develop for legacy systems, but options will be constrained by the limitations of existing equipment and configurations. Within seven years, next-generation control system components and architectures that offer built-in, end-to-end security will replace many older legacy systems.

Detect Intrusion and Implement Response Strategies: Because few systems can be impervious to cyber attacks all the time, companies should possess sophisticated intrusion detection systems and a sound response strategy.
Within seven years, the energy sector will operate control system networks that automatically provide contingency and remedial actions in response to attempted intrusions into the control systems.

Sustain Security Improvements: Maintaining aggressive and proactive control system security over the long term will require a strong and enduring commitment of resources, clear incentives, and close collaboration among stakeholders.

Over the next seven years, energy asset owners and operators are committed to working collaboratively with government and sector stakeholders to accelerate security advances.

“This is the security lifecyle,” Garcia said. “But it’s like that shampoo commercial, ‘wash, rinse, and repeat.’ ”

The intent of this roadmap is to provide a strategic framework for investment and action in industry and government. It outlines specific milestones that must transpire over the next seven years and identifies the challenges and activities that we need to address.

While the roadmap contains many actionable items, it is not a prescription. However, plans are only useful if they translate into productive projects, activities, and products.

Execution will require financial resources, intellectual capability, commitment, and leadership.

Garcia’s contention, and what seems to be the way the government is proceeding, is government can point the way they want industry to head on cyber security. The government can and should push industry in that direction.

“The result may cost more, or the solution may not be as good,” Garcia added.

“What should you do?” queried the crowd.

1. Invest in vulnerability assessments for your plant, facility, or operation.
2. Provide intelligence to the government about cyber breaches of security at your plant. Everybody keeps this stuff secret. It is bad for the company’s stock price or some such jive.
3. Join ISAC (https://www.it-isac.org/aboutitisac.php). Develop a relationship with US-CERT (http://www.us-cert.gov/aboutus.html). The Information Technology Information Sharing and Analysis Center is a trusted community of security specialists identifying threats and vulnerabilities to the infrastructure, and sharing best practices on how to quickly and properly address them.
4. Finally, train your people. Ninety percent of breaches of security still come from people on your staff, for example using stupid password creation techniques.