Don’t Let the Lights Go Out on Critical Infrastructure Security
As cyberattack prevention becomes an increasingly critical focus of homeland security efforts, industry observers are taking a closer look at the readiness of the nation’s critical infrastructure. Some believe there is reason to worry. Researchers recently revealed that many industrial systems, including some used in public utilities, come with default passwords that are readily available and could be used by hackers to gain remote root access and disrupt services or cause damage. Just last December, at least three of Ukraine’s energy providers suffered cyber attacks that took them offline for about six hours – the first time that a power outage has been directly tied to cybercrime.
On Wednesday, February 3, The Energy Times presented a webcast on this topic, sponsored by Cisco. I was privileged to join a panel of speakers representing the key utility and government leaders responsible for protecting the grid and the American public in a discussion on security challenges in the energy industry and what can be done to further enhance the security of our nation’s power grid.
Some recent publications have narrowly focused only on preparedness for an extended operational failure of critical infrastructure – such as the energy grid – rather than taking a holistic approach to resiliency. But every process needs to be secure – from design, development, implementation and maintenance to end of life. At Cisco, we view value chain security risk from two perspectives. First, we focus on the role of information and communication technology in cyber risk itself. Second, we also focus on the full end-to-end spectrum of the ICT value chain. Accordingly, we’ve developed a framework to build security and trust into the complete value chain.
Creating a firm foundation
The first step in ensuring infrastructure security is to identify the threats. Some of the threats and exposures Cisco has identified include counterfeit, manipulation, espionage and disruption. Organizations and agencies involved with critical infrastructure should keep this in mind as they address comprehensive cybersecurity throughout the industry’s value chain.
Next, we have determined a number of foundational elements that can form a path to comprehensive security:
- Embracing the goal of retaining a supplier’s flexibility to deploy the right security in the right node of its own value chain at the right time.
- Deploying the right security in the right node at the right time in a risk-based manner to ensure economic and operational viability.
- Avoiding new, albeit well intended, standards, certification or accreditation schemes or guidelines. Leveraging those already in place should allow swifter implementation and broader adoption. These include standards in the NERC CIP today, and international standards such as ISO 27001, ISO 20243, the NIST cybersecurity framework and ISO 15408 (the Common Criteria).
- Confidentially weighing the existence and robustness of a supplier’s own value chain security and resiliency programs as part of procurement decisions should serve to move the needle more swiftly while still allowing for the proprietary innovation that suppliers bring to the table.
Core architecture domains
The third step is to build a flexible security architecture that can be shared and serve as a differentiator across the entire value chain. We suggest identifying core domains within the architecture. For us, those domains include security governance, security in manufacturing and operations and third tier partner security, among others. For a complete list, I encourage you to visit a recent NIST case study that goes deeper into these leading Cisco practices.
Leveraging a flexible security architecture can allow all value chain members to collaborate. The use of existing industry taxonomy, a clear architecture and procurement-based validation methods will ensure enhanced risk management while permitting the flexibility and innovation essential to infrastructure security success.