A couple of months ago I was discussing data center security with a panel of IT managers from critical infrastructure providers. One representative from a major energy provider said that he had no intention of segmenting his network. When I asked him how he monitors his network looking for attacks that have breached his perimeter, he told me, “That’s the FBI’s job.”
I wish I could say this was unusual.
Historically, the security strategy of many critical infrastructure companies was to simply not connect their networks to the public Internet. For years, sometimes decades, they built their internal architectures around that notion. When a user or contractor needed access, it was provided manually. So now, when they are interconnected to a web of users, suppliers, contractors, and peer organizations, implementing a pervasive security strategy is a significant challenge. Instead, what many organizations in this circumstance tend to do is simply keep building a bigger and stronger front door to keep the bad stuff out. Which, of course, is a recipe for disaster.
A number of things need to happen to fix this problem. First, governments need to legislate that critical infrastructure industries need to meet basic security standards. And this legislation needs to have teeth. Fines are often absorbed as the cost of doing business as usual, and often get passed on to consumers. As we have seen with publicly traded companies in the US, however, holding board members and corporate executives personally, financially, and legally liable for failure to implement appropriate security goes a long way towards motivating organizations to overcome whatever inertia is preventing them from properly securing their networks.
Of course, because some of these industries come directly under government control, they will need to be funded. Given the current political climate, this can be challenging. But the last thing that any government wants is a nuclear power plant meltdown, or the release of toxic chemicals, or the contamination of water supplies, or energy grids taken offline that can be traced back to a cyberattack.
Next, these organizations need to understand that perimeter security is no guarantee. Even the best firewalls in the world, according to numerous studies, are only about 98% effective. If you have a boat with a hundred holes in the bottom, and you only plug 98 of them, what happens to the boat? The compromise of critical infrastructure networks is a matter of when, not if. And frankly, based on forensic evidence from a number of breaches, I can tell you that the only thing standing between us and disaster has been serendipity.
There are also dozens of sector-based Information Sharing and Analysis Centers (ISACs) that organizations in these industries need to participate in. If the recent cyberattack on the power grid in the Ukraine hadn’t been an isolated incident, but part of a larger cyberterrorism strategy, it would have been essential that other energy providers around the world knew the details of this breach immediately, rather than a piece at a time, ferreted out over weeks and months.
From a functional perspective, a security game plan needs to be developed on a site-by-site basis. The most important first step that any organization in this sort of circumstance can take is to hire security professionals to assess their current state, develop a get-well plan, and prioritize implementation. From a general perspective, this needs to include a number of key security strategies.
The reality is that as we transition to a digital economy, critical infrastructures will become increasingly vulnerable. Expanded attack surfaces, new applications and devices, and the need to dynamically share critical information simply expand exposure to risk. Those industries that are essential to the health and well-being of both people and national economies have got to step up and address this challenge. Lives actually depend on it.