WASHINGTON–The topic of critical infrastructure security may be the prettiest girl at the dance right now for both politicians and technology companies, but the problem of attackers going after these targets is one that security people have been dealing with for some time. But that doesn’t mean they have a good handle on it or clear solution for the problem. In fact, there are still a number of old obstacles standing in the way of addressing the issue.
There is no shortage of news about attacks on critical infrastructure systems, be they water facilities, financial systems or electrical grids, and those operations have been going on for years now. But in the last couple of years there has been a change in both the sophistication of those operations and the nature of the attacks. While some attackers in the past may have been interested in stealing some data, now there are groups looking to cause service interruptions or complete shutdowns of key services.
For the teams dedicated to protecting the networks that run critical infrastructure components, the difficulty of responding to these attacks is being compounded by the nature of the threats and the barriers to gathering and sharing key information on emerging threats. An attacker interested in taking down a utility doesn’t need to be a state-sponsored professional or a government agent. He could be anyone from anywhere
“I think our real concern is the third tier, the disassociated hacktivists and terrorists. There’s probably very little reason for a nation state to carry out those attacks unless they’re willing to risk war, because that’s what it would come down to,” said Jim Jaeger, vice president of cybersecurity services at General Dynamics Fidelis Cybersecurity Solutions, speaking on a panel at the Kaspersky Lab Cybersecurity Forum here.
“Criminals aren’t going to carry out infrastructure attacks because they risk the attention of law enforcement. Hacktivists have very little holding them back and a lot to gain. It’s that amorphous third group that as a national security group we have difficulty focusing on. It’s an arena that’s not targetable in our traditional approach.”
While destructive or disruptive attacks on these networks may get all the headlines, cyberespionage attacks have become a major problem, as well, and could turn into a different issue altogether if things change in the political arena.
“I look at the volume of penetrations the Chinese have in our networks and if the geopolitics change and we end up in a conflict with the Chinese it would be seamless for them to use those penetrations to get into databases and control systems that would be horrific in war time,” said Tom Corcoran, senior policy adviser for the House Intelligence Committee, who also participated in the panel discussion. “It’s not hard for me to imagine how this debate would change overnight if something like that happened in our country.”
One of the challenges to improving the security of these critical networks, the panelists said, is the sharing of attack and threat data. Informal and formal information sharing programs have been running for years in th industry, but the nature of the data that companies share is dictated by a number of factors, not the least of which is potential exposure to legal problems of public shaming. That climate needs to change if there is to be truly valuable threat intelligence sharing among critical infrastructure organizations, the panelists said.
“Information sharing is absolutely critical so that the way they broke into one house, they don’t get use that technique again,” said Steve Winterfeld, cyber tech director at TASC. “And today there is no national standard for the things we’re talking about. I believe collaborative standards will come first.”
Asked about the possibility of protecting the systems running utilities and other critical infrastructure components, Eugene Kaspersky, CEO of Kaspersky Lab, said in a later discussion that it can happen, but not easily.
“Unfortunately, we can’t protect critical infrastructure today, and not tomorrow and not next week,” he said. “But can move in that direction. It needs technology, regulation and international cooperation.”