REPORT

Minimize Risk - Maximize Performance
February 2013

www.smartrisk.biz

Survey Reports

*A/E Law Firm Survey*

Detailed survey of 20 A/E law firms across the United States providing regional and national perspectives on legal developments, claims and root causes driven by economic conditions, with loss prevention recommendations and other insights from these legal experts.

*A/E Survey Report*

Insightful survey report of A/E firms and how economic conditions are impacting business opportunities and affecting business decisions today.

*A/E Insurance Carriers Survey Report*

Survey of 17 insurance carriers specializing in A/E Professional Liability (PL) insurance identifies current economic risk factors, service offerings, claim trends and recommendations for reducing liability exposures.


Cyber Risk and U.S. Critical Infrastructure

Introduction

Cyber threats are becoming more frequent, with weekly headlines identifying breaches in computer systems. To get a sense of the impact a major cyber attack could have on U.S. critical infrastructure, consider the impact Superstorm Sandy had on the Northeast in late 2012. Water, power, gas, communications and transportation were out for weeks, and it will take months, even years, to recover from the event. The Federal Government estimates losses from that storm at approximately $45 billion, but the governors of Connecticut, New Jersey and New York estimate losses at $82 billion.

Cyber Threats

U.S. Homeland Security Secretary Janet Napolitano warned that a "cyber 9/11" could happen "imminently". Defense Secretary Leon Panetta warned that the United States was facing the possibility of a "cyber-Pearl Harbor" and was increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government. The Pentagon is increasing its cyber security force fivefold over the next several years to strengthen the nation's ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries. Cyber threats are and will continue to be a serious risk.

Infrastructure Vulnerabilities

Until recently, cyber security has been viewed as secondary to physical security and has received little attention. However, a recent survey of 600 executives and technology managers from infrastructure operators in 14 countries found that 54 percent (54%) said they had suffered an "attack" on their networks. Hackers had installed malicious software that could steal data, spy on e-mails or carry out even more nefarious actions, such as remotely controlling equipment and manipulating vital systems, with significant consequences such as power outages, floods, sewage spills and chemical leaks.

A Southern California water system tested the effectiveness of its cyber defenses by hiring a cyber-security team to try to hack its network, a test called "penetration testing." To the dismay of the company, in one day the team was able to seize control of the computers that add chemicals to the drinking water of Los Angeles. Had they been real attackers, they could have rendered the water poisonous, likely killing many people and causing a major disaster. In another case, federal government officials said spies had hacked into the U.S. electric grid and left behind programs that would let the perpetrators disrupt power service at a later date.

Unknown Breaches

Many companies have no idea their systems have been compromised. FBI agents investigating cyber crimes routinely inform companies that their systems had been breached for months and data had been stolen. Of the companies whose computer intrusions a government commission evaluated and traced back to them, 94% never knew their systems had been breached until someone told them. The average number of days between the start of an intrusion and its detection: 416 days.

According to a research group, nearly three-quarters of federal IT decision-makers who work in US defense and security departments or agencies say the possibility of a cyber attack by a foreign nation is "high". Additionally, one third (1/3) of these respondents say they have already experienced such a cyber attack within the last year (2012). Forty-two percent (42%) believe the US government's ability to prevent or handle these attacks is fair or poor, and 64 percent identified the increasing sophistication and growth of cyber attacks as the number one IT security risk. Forty-nine percent (49%) believe that negligent or malicious insiders/employees are the largest IT security risk.

Super Computer Worm

The "Stuxnet" computer worm, arguably the first and only cyber super weapon ever deployed, continues to concern security experts in the U.S. and around the world after its existence was made public in 2010. Apparently meant to damage centrifuges at a uranium enrichment facility in Iran, Stuxnet now illustrates the potential complexities and dangers of a cyber war.

For individuals who worry about the security of critical U.S. facilities, Stuxnet represented a major risk: a dangerous computer worm, in a modified form, could attack a power grid, telecommunications system, oil refinery, water or chemical facility in the United States. A former chief security officer stated that "Stuxnet taught the world what is possible – it provides a blueprint for possible cyber attacks."

A significant concern relates to the industrial control systems (ICS) that oversee the operation of key equipment at critical infrastructure facilities, from the operation of valves to the opening and closing of circuit breakers. By hacking into the computer networks behind the ICS, an adversary could reprogram the ICS with commands to operate equipment at unsafe speeds, or to open valves that should remain closed. This is roughly the way Stuxnet was able to damage the centrifuges in Iran. The Stuxnet worm found its way into the secure area via a portable USB drive. However, attacks are now becoming more sophisticated and finding new ways into networks.

Risk Management Strategy

The first step is identifying the potential threats, vulnerabilities and impacts that cyber attacks could pose. With this information, risk management strategies can be developed.

Threats: It is safe to say cyber attacks are here to stay and are expected to increase across all sectors of the digitally connected world. For example, as power grids, water systems, telecommunications and similar systems become more interconnected with other domains, the risk and exposure to large-scale attacks grow.

Vulnerability: Physical security threats are still a vulnerability to critical infrastructure facilities. Risks should be identified and additional protective measures implemented as needed.

With that said, cyber threats no longer need to bypass physical security protections to gain access. Highly networked systems provide new pathways for hackers to reach critical operational systems. Vulnerability is no longer specific to the locations and equipment used by the utility; attacks can be launched from anywhere in the world with an Internet connection.

Impact: Given that our critical infrastructure provides services essential for survival as well as support for modern society and businesses, utilities need to focus on the reliability of their operations and implement protections to mitigate the impact. The impact of a cyber security threat on any critical infrastructure system would be quite high, and it increases exponentially as system operations become more computer controlled and interconnected.

Cyber Security Design

To be effective, physical security measures, including cyber security protections, should be considered early in the planning and design stages. Too often security is left out of the early stages, which only increases project cost and leaves the company vulnerable to attacks. In many cases, security professionals are only brought in to "harden" a system after a project is complete or after a security measure or system proves to be vulnerable. This after-the-fact reaction leaves a company or facility at risk from security and cyber threats.

Risk managers need to take a broader look at how they can manage the risks associated with cyber attacks from a corporate, performance, safety, financial and reputational standpoint. Involving design professionals, information technology (IT) and security professionals early in the planning and design stage is essential. As a group, they can apply a greater understanding of cyber risks and awareness of information security measures in developing effective cyber risk solutions.

Best Practice Considerations:

  • In the planning and design stages, work with industry professionals to identify current and future risks, including physical security and cyber threats.
  • Identify recognized network security and preventive technology available for the type of facility and operations.
  • Ensure company leaders are well informed of the cyber risks and obtain the commitment needed to implement the required security measures.
  • Set and maintain cyber and physical security standards, policies and best practices.
  • Implement business and technical controls and ensure they are tested, maintained and upgraded as needed.
  • Train personnel and monitor the performance of cyber policies and best practices. An employee who does not follow the company's best practices and protocol and clicks on a phishing email can nullify even the most carefully developed and implemented cyber security plan.
  • Consider cyber risk insurance. The insurance market is developing coverages to help limit the bottom-line impact.

Conclusion

Cyber risk is an enormous and rapidly growing problem as our critical infrastructure and business operations become increasingly interconnected and dependent on software and Internet-connected computer systems. Attacks on critical infrastructure, such as telecommunications, electrical power, water supply and transportation, could result in the loss of lives and billions of dollars in business and operational losses. Cyber threats are and will continue to be a serious risk.

You are welcome to forward this newsletter to others who may be interested.


Thank you.


Feedback or Comment?  Comment Link


SmartRisk



SmartRisk is a leading risk and performance management consultancy for design and building professionals. Through firm specific risk assessments, training and consulting, services focus on improving overall performance, profitability and reducing insurance costs through tailored risk management solutions.

If you have any questions about our services, or would like to discuss how we could assist your efforts, please contact us.

Thank you,

Timothy J. Corbett, BSRM, MSM, LEED GA
Founder & President
626-665-8150
tcorbett@smartrisk.biz
www.smartrisk.biz

Copyright and Information Only. This newsletter is for information purposes only and should not be construed nor relied upon as guidance, regulatory or legal advice. Readers should consult with appropriate counsel regarding their specific situations and circumstances. SmartRisk shall not be liable for any errors in content, or for any actions taken in reliance thereon.
