In 2010 security researchers uncovered a complex piece of malware that infiltrated the systems of an Iranian uranium enrichment facility. Once it penetrated the outer wall of the facility—presumably by simply being plugged into a Windows system via a thumb drive—Stuxnet was designed to cause serious damage, targeting the Natanz-based facility's industrial control system. It was programmed with one goal: Disrupt the nuclear enrichment processes by slightly altering conditions at the facility.
The malware, which targeted four Windows zero-day vulnerabilities, was later tied to the United States and Israel. While both countries have neither confirmed nor denied a role in the attack, most experts agree that it represented the first time nation-states are believed to have unleashed a cyberweapon with destructive capabilities.
The attack brought the issue of critical infrastructure protection to a fevered pitch with cyberwarfare and cyberespionage activities frequently making front page headlines. The owners of power generation, water utilities, oil and chemical refineries, and other critical infrastructure facilities must fix vulnerabilities in their systems, assess them for configuration weaknesses and create a more secure posture to guard against a serious attack, according to a group of security experts interviewed recently by Information Security magazine.
But getting systems up to par is a long and difficult road, those experts say. Like many organizations, the owners of critical infrastructure facilities face a widening skills gap. Many facilities lack individuals with the right technical staff to assess security threats and respond to them. Coupled with aging systems long past their prime and a very limited set of administrators that are capable of maintaining them, most facilities are implementing security improvements at a snail's pace.
Information Security Critical Infrastructure Protection Roundtable panelists:
- Matthew Coose, formerly the director of federal network security at the National Cyber Security Division of the U.S. Department of Homeland Security
- Sean Tierney, director of cyber threat intelligence for UBS AG
- Derek Gabbard, CEO of Lookingglass Cyber Solutions Inc. and a former CERT technical staff member at Carnegie Mellon University.
What organizations, both public and private, should be designated critical infrastructure or key resources?
Matthew Coose: There are 18 sectors defined in the National Infrastructure Protection Plan. They include nuclear reactors, water, transportation, health care, emergency services and the like. Food and agriculture obviously are important, too.
In a perfect world, I would have the government organizations involved in critical infrastructure spend the next 18 months to two years proactively sharing as much cybersecurity information as they can with critical infrastructure owners and operators.
Sean Tierney: It's really about interconnectedness. If it happens in cyberspace, it happens somewhere physically, and if it happens somewhere physically, it also happens somewhere in cyberspace. So we need to look at interrelationships, look at our ecosystems, and look at our supply chains, both as an attack vector, but also as an opportunity to mitigate attacks, and reduce that attack surface. When you ask what should we be looking at for critical infrastructure and key resources, we should be looking at all the pieces that come together to form our purely interconnected world.
So this goes beyond just critical infrastructure facilities and their owners, right?
Derek Gabbard: Sure. One of the key mindset changes over the past year or two is a real understanding in both the government and the critical infrastructure providers themselves that the third parties they rely upon have direct impact on their ability to carry out their mission, but they also have a direct impact on their ability to stay secure. So I think that one trend is a method for understanding, tracking and holding accountable the third parties that make up the critical infrastructure provider network. The critical infrastructure providers should start to raise the bar for themselves but also have expectations to raise the bar for their information supply chains, and, in doing so, become significantly more secure and more resilient, both through their efforts and through efforts of the third party. I think the first step is to pick out the right critical infrastructure sectors and providers and then to branch it out and look at the providers and the overall interdependencies in the extended networks for them.
Coose: From where I come from, when we talked about supply chain, it was largely in the context of where you're buying your products and services from. That's certainly a risk factor, and a lot of effort going on there, and there still needs to be focus there in terms of reducing risk. The second supply chain I think Derek is talking about is a little different. The idea that the partner supply chain or your ecosystem supply chain, in terms of supply chain with respect to who you're connected to, is equally as critical. You may have key goods and services from another company, or you're connected to a supplier upstream. That's a vector for someone to go in and exploit your network. I don't think that is talked about enough in the context of supply chain.
We don't do a good job of fixing the known issues, patching and assessing configurations. I think a big part of that is attributable to the lack of skilled technical workers across the different sectors.
Let's talk about the threat landscape. We hear so much about cyberespionage and nation-state attacks. How do you gauge the threat landscape right now and what is the most serious threat?
Gabbard: [Department of Defense] Secretary Leon Panetta said recently that the top unspoken threat is nation-states and nation-state-backed organizations. I think that mimics what a lot of insiders have felt for a long time. While you may get some brilliant hackers that are one-offs and can do significant damage, nation-state actors are the most problematic because there's actually military-style planning and execution that allows them to do more than just one-off attacks. It's a pretty big step down to the next group, organized criminals, and from there it's individuals and terrorist organizations, who aren't as well-funded, and are less disciplined and less coordinated.
Tierney: Derek, when you say “hackers” and “terrorists,” you're talking about the large-scale movements, as opposed to hobbyists?
Tierney: We can't forget the hacktivists. Rather than being economically focused, what we really see is political and ideological motivation for their attacks. And that's a wild card.
Do the owners and operators of critical infrastructure facilities have the skilled staff in place to assess risk and learn who their true adversaries really are?
Tierney: During the past five or six years, organizations have moved away from doing the fundamentals properly in a lot of spaces. In the late 1990s and early 2000s security was a new space, and so you had innovation at all levels. But I think that, economics being what they are today, we tend to operationalize. Now we don't have individuals at the lowest levels with the right skill sets across all critical infrastructure sectors to be able to truly asses the threats and respond to them.
Coose: I would definitely agree with Sean. We don't do a good job of fixing the known issues, patching and assessing configurations. I think a big part of that is attributable to the lack of skilled technical workers across the different sectors. I think that continues to be a major issue that we need to address.
How close are we coming to something catastrophic, such as a takedown of U.S. critical infrastructure? And how serious of an attack would it take to have a major economic impact?
Tierney: I think that there are probably two classes of attacks. There's the truly catastrophic and what's perceived as catastrophic. While I think that the events we saw on 9/11 were emotionally catastrophic, and we lost a number of people—and I would not want my words misconstrued in any sort of way—but if you look at the impact it had on the transportation industry, as well as some other sectors, it wasn't an attack on the transportation industry directly, but it had a catastrophic impact on that industry.
At the same time, if we have either a physical or logical attack against power and water providers, it can result in having to do a lot to protect those industries and protect those sources. In effect, it becomes catastrophic because it can be financially burdensome. I don't have any insight or clairvoyance to be able to tell you how close we are to a direct attack against power or water, but I think a motivated, dedicated attack could do some serious damage.
Gabbard: Some folks I've worked with have done forensics on events and incidents on the power grid and other critical infrastructure systems and they haven't come back with great things to report. That's a lot of infrastructure to upgrade, change and protect against a constantly evolving attack surface; I can't really say that I think we're some number of months away, but I will say whenever it happens, I won't be surprised.
We've been hearing so much about the need for greater information sharing to improve defense. What do you think of the existing efforts to share threat information, such as the national Information Sharing and Analysis Centers, or ISACs. Are they working, or getting better?
We can't forget the hacktivists. Rather than being economically focused, what we really see is political and ideological motivation for their attacks. And that's a wild card.
Coose: I think they're getting better. I'm still not convinced that it's enough. The cycle time involved is figuring out what threat actors are doing, how they're doing it, and getting that into a usable form of information is not short. By the time that information gets out, it's not all that valuable, so I think that some opportunities exist there. But we're not where we want to be yet.
Tierney: There is a lot of information sharing and a lot of it depends on the maturity both of the organization and of the individuals that are exchanging information. And then there is the trust factor. Do you trust people and [are you] going to share openly? Do I trust [that] the person that's sharing with me got it right? They may be sharing with the best intentions, but how do I know that the data they're giving me is something I truly need to act upon? I believe that if you have the right people in the right places, they will make that information actionable and probably learn a few things along the way. I'll also add that I find it amusing when I see articles and we have people in the government calling for regulation, calling for legislation, and it makes it sound like those of us in the industry aren't talking to each other and really don't know what we're talking about. And I don't believe that that's the case. We want to have legislation that protects us from sharing this stuff. I think that would be the thing I would hope for most from legislation. It would be nice to know that I can't be prosecuted if I was attempting to do the right thing.
Let's talk about Stuxnet, Flameand some related attacks. Does this offensive, strike-first approach lead to a deterrence effect, or does this have a negative impact on cybersecurity for critical infrastructure?
Gabbard: I think that there's a certain upside for a nation-state to flex some muscle and start to have the discussion around cyberwar deterrence. And I think you can't have a deterrence discussion until you set off your "test nuke" and show what you can do. And I think Stuxnet and Flame, if they were in fact actually created by the nation-states mentioned, it sends a message that there are capabilities that haven't been seen yet, and they're not afraid to use them. But it doesn't work with terrorist organizations. It only works when there's a rational state player on the other side.
In the short term, is there anything that can be changed or done to strengthen the cybersecurity posture of critical infrastructure?
Coose:I think going back and starting with the basics and fixing known issues is step one. Thinking more broadly, it's more about creating the economic incentives for more action to be taken. I think that starts with discussion, familiarizing different constituencies with the risks to individuals, customers, partners and businesses.
If you had infinite capabilities and finances, what would you do to protect critical infrastructure? Would there be some sort of law, recommendation, partnership or anything that could have an impact on critical infrastructure protection?
Tierney: It would be nice to have something akin to a national critical infrastructure cybersecurity data clearinghouse, as well as creating something like a joint forces training command for the private sector.
Gabbard: In a perfect world, I would have the government organizations involved in critical infrastructure spend the next 18 months to two years proactively sharing as much cybersecurity information as they can with critical infrastructure owners and operators, establishing their credibility, creating a reliance and demand for the information that they share. A regulation, law or executive order that does anything other than instruct the government to deliver viable, actionable information is probably ill-fated and will end up failing.
Special thanks to contributing editor Ernie Hayden for participating in this roundtable discussion.