SAN FRANCISCO–The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It’s an issue that Eugene Kaspersky has been thinking about for a long time, and isn’t sure that the organizations running these systems are any closer to addressing these threats than they were several years ago.
As with many other things in technology, there’s a lot of disagreement in the industry about critical infrastructure and SCADA security issues, even over what exactly qualifies as critical infrastructure. The term often is applied to the systems that run things such as utilities, power grids, transportation systems and the like, and the networks and systems they control typically use arcane software. Many of those software packages haven’t been subjected to the kind of security testing an scrutiny that typical commercial software has, and the process of patching and updating them is difficult and laborious.
The fragile nature of these systems has raised the concerns of security researchers, policymakers and others, and led to calls for regulation and standardization for security. What’s unclear in all of this is who or what entity should be involved in the creation of any standards. Should it be an international effort? Who should lead it?
Kaspersky, the CEO of Kaspersky Lab, said during an interview at the company’s Cyber Security Summit here, that he has little faith in any international push to develop such standards.
“The older I am, the less and less I believe in international projects. Let the nations do it themselves, and they can be an example for the rest of the world. I think the United States will be first and then the rest of the world can copy and paste.”
A big issue in the SCADA and critical infrastructure security world when it comes to regulation and standards is that in most countries, the government doesn’t own any of these systems; they’re all in the hands of private companies. Tom Ridge, the former secretary of the Department of Homeland Security and former governor of Pennsylvania, said during a keynote at the summit Tuesday that, at least in the United States, that presents a major obstacle.
“The government has no critical infrastructure of its own. It relies on the private sector for that, and when it goes down, the government goes down,” Ridge said. “National security and economic security are intertwined.”
The critical infrastructure networks in the U.S. are prime targets for attackers, as is the case in other countries, but Kaspersky said the U.S. likely is at the top of the target list for skilled attackers.
“It’s very difficult to compare who is better protected. The U.S. is the most developed IT country in the world,” he said. “It has many more SCADA systems than any other country, so the U.S. is the biggest target. But it also has the most resources. So which nation is better protected, the one with all of the systems and resources or the one with fewer systems and is a smaller target?”
The bad news is that attackers likely won’t discriminate. Attackers take what they can get, usually regardless of geographic location or ownership. But Kaspersky said he has confidence that the market ultimately will provide an answer to the problem of critical infrastructure security.
“If you have many competing companies there’s much more chance that one of these will come up with something innovative. I vote for competition. I believe in a world that has independent and competing businesses,” he said. “There’s a much better chance that the right answer will be found much faster.”