By Gregory Hale
If anyone thought fear, uncertainty and doubt (FUD) as an approach to cybersecurity ended a long time ago, then view the latest report coming out of Washington saying there is a narrow and fleeting window to prepare for and prevent “a 9/11-level cyber-attack” against the U.S. critical infrastructure.
That FUD induced comment came from a report the Presidential National Infrastructure Advisory Council (NIAC) just released entitled, “Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure.”
Schneider, Claroty Team to Boost Network Visibility
Black Hat: ICS Security Movement
Black Hat: Hacking a Wind Farm
Black Hat: AI as an Attack Method
Black Hat: Security Needs to Change
The catch is that “narrow window” has been around for 10 years.
Cybersecurity awareness in the manufacturing automation sector has never been higher. But now is not the time to run around in fear, but rather, have a smart, intelligent approach and create a plan to protect sophisticated processes from every manufacturer in every industry.
“We find ourselves in a pre-9/11-level cyber moment, with a narrow and fleeting window of opportunity to coordinate our resources effectively,” the report said. “Our recommendations call on the Administration to use this moment of foresight to take bold, decisive actions — requiring the Federal Government to apply its collective authorities and capabilities in concert with the private sector.”
In an industry that started years ago and maintained its security program under the FUD mantra, this report just continues along those very lines.
Today’s security programs have slogged out of the mire and muck of FUD and have started to think of security as a holistic overview of how to create a layered approached to protecting the manufacturing enterprise – and not reacting to the latest attack.
“Two fundamentals that drive me nuts is we don’t have the mechanisms right now to share information effectively across the board,” said Jason Haward-Grau, CISO at PAS. “People don’t want to talk about a cyberattack. It is not something that is going to go away. The problem is unless you see a smoking hole in the ground, which is what we don’t want to see, people don’t understand it.
“The challenge we also have is the assumption: Don’t worry guys, just do your network piece and continue to do your deep packet inspection technology and you will be fine. No. You need proper layers of defense. DPI is important and is a factor, but you need a good solid plan to cover all of it. DPI doesn’t really cover what happens at level 0 and level 1 and we know from Stuxnet that is where the changes happened. They didn’t happen on the IT side of things. Actually, there is no guarantee you will detect (an attack), because if it is legitimately done and it is a legitimate change, managed by an individual, you don’t address the user credential monitoring the issue at all. You just know something is happening.”
Chess Game of Security
The idea of crying wolf and being reactionary, just works in the favor of attackers who are planning out every move and able to create diversions to establish a beachhead at a different location in the system where they can attack.
“We have indicators, but we have very few facts,” Haward-Grau said.
That all comes down to understanding and having information. It is difficult to make decisions based on a few facts, why not have all the details on the table before making any kind of moves.
“More organizations have to work together to actually share information,” Haward-Grau said. “There are some interesting groups out there like the CISO 50 and the CISO 100 who are talking in closed cupboards about this stuff. There is an oil and gas threat sharing organization that sits between the top five oil and gas companies and they share very useful threat information about what kinds of attacks they are getting. If you take the threat information coming out of security operations teams in those organizations, you wouldn’t think the threat is overblown. The problem is we have very little data points to go on unless you are in the industry.”
“If you take the threat information coming out of security operations teams in those organizations, you wouldn’t think the threat is overblown. The problem is we have very little data points to go on unless you are in the industry.”
— Jason Haward-Grau
Along those lines, suppliers, he said, are still in reactive mode.
“Organized crime is brilliantly quick,” Haward-Grau said. “We as organizations are not equipped to think like our adversaries.”
Firm Grasp of Obvious
One of the things the NIAC shows in their report is they have an incredibly firm grasp of the obvious. They talk about the same old issues and when they talked to people it was mainly government officials and very few industry experts.
The purpose of NIAC is to advise the President on the cybersecurity of critical services, such as banking, finance, energy and transportation. The Council was created in 2001 by President Bush’s executive order 13231, and its functioning was extended until September 2017 by President Obama’s 2015 executive order 13708. The council can consist of up to 30 members chosen by the President.
The new report makes 11 recommendations:
1. Establish separate, secure communications networks specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
2. Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies led by the electricity and financial services sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.
3. Identify best-in-class scanning tools and assessment practices and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
4. Strengthen the capabilities of today’s cyber workforce by sponsoring a public-private expert exchange program.
5. Establish a set of limited time, outcome-based market incentives that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
6. Streamline and significantly expedite the security clearance process for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of sensitive compartmented information facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
7. Establish clear protocols to rapidly declassify cyber threat information and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyberattacks.
8. Pilot an operational task force of experts in government and the electricity, finance and communications industries led by the executives who can direct priorities and marshal resources — to take decisive action on the nation’s top cyber needs with the speed and agility required by escalating cyber threats.
9. Use the national level Gridex IV Exercise to test the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government’s unclear response actions.
10. Establish an optimum cybersecurity governance approach to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across Federal agencies.
11. Task the National Security Advisor to review the recommendations included in this report and within six months convene a meeting of senior government officials to address barriers to implementation and identify immediate next steps to move forward.
The recommendations are fine. But anyone could have made the same recommendations years ago. The industry today needs to get more innovative and adopt technology, processes and training programs for users to stay ahead of attackers sneaking in through the back door.
The manufacturing automation sector is slow to change – and considering what they are working with, it only makes sense. The problem is, security is not slow, it is lightning quick. Those two mindsets often do not work hand-in-hand, as a matter of fact they conflict.
Once those two mindsets converge, everyone will be able to close and lock the “narrow window” of security and work toward a more progressive manufacturing automation environment.
Gregory Hale is the Editor and Founder of Industrial Safety and Security Source (ISSSource.com).