April 2011 - Control Global

S e c u r i t y S p o t l i g h t
the public. These people have detailed intimate knowledge of
the company’s systems and processes, and they will often know
exactly how to cause the most damage to operations. They can
build on this knowledge and determine how to best mitigate
the attack vectors that they developed.
The second perspective is from a traditional vulnerability assessment/evaluation
arena. Critical infrastructure companies
need to examine their systems looking for vulnerabilities; determine
the consequences/impacts to the company’s operations
of a successful exploitation of the vulnerability; determine the
capabilities that are necessary to successfully exploit the vulnerability
and cause the identified consequences; determine
whether the capabilities needed to successfully exploit the vulnerability
currently exist, and whether these capabilities are
easy to use; and finally, tdetermine how to mitigate the vulnerability
identified and to minimize the impact of a successful
exploitation. The company should also answer all of these questions
for the scenarios developed by its internal tiger team.
Now the company can prioritize what it fixes by working
through the results of the above analysis. Vulnerabilities with
high/major impacts, where the capabilities to successfully exploit
currently exist and are easy to use, should be fixed first.
The overall goal is to improve the security of the system, and
the above methodology only uses the vulnerabilities and consequences—information
that is most likely known—rather than
needing threat information which is typically unknown. (This
is information that is definitely unknown at the tactical level
and often considered not detailed enough at the strategic level.)
Learning from Accidents
One other area where critical infrastructure companies can
gather information they can use to convince senior executives
to authorize the implementation of cybersecurity defenses
is to examine real-world industrial incidents/accidents,
and see if they can extrapolate a purely cyber scenario
that results in the same consequences. For instance, most
industrial accidents involve three legs, including a physical
issue/problem,some form of human error, and a cyber issue,
such as a cyber system not running, cyber system running,
but on incorrect data, or a malicious cyber attack, which are
currently rare.
For some industrial accidents, it is quite simple to extrapolate
to a purely cyber vector to cause the same consequences
as the original accident. However, this is normally done by
considering two main assumptions. The first is that an electronic
pathway exists from the targeted control system to the
outside world. A disgruntled insider needs to be considered
as well. The second assumption is that this electronic pathway
is exploitable, and the likelihood of this is very high. You
could simply assume a supply chain issue that allowed the
adversary to implant his malicious access at an earlier stage.
I believe that by undertaking the above three efforts,
“Threat” vs. “Tactical” InFORMation
The industry uses the general term “threat information.”
However, during more detailed discussions, it seems the
information companies want is more in line with the traditional
military concept of “tactical information”; for example,
individual “Able” from bad guy group “Baker” is planning
on attacking critical infrastructure “Charlie,” specifically
company “Delta,” on Friday at 1500 EST using technique
“Echo.” The government has been providing strategic
threat information for several years. But companies don’t
need such specific information to prepare for threats.
any critical infrastructure company will have developed/
acquired enough information to convince its senior executives
that cybersecurity defenses must be implemented to
ensure that the company can continue to carry out its mission
safely, reliably and securely without needing tactical cyber
threat information from the government before they are
persuaded to act to adequately secure their control systems.
There is one arena where tactical actionable cyber threat
information of a potential attack is needed prior to making
decisions to implement basic cyber defense mechanisms.
Mechanisms must be developed and deployed that allow information
to be shared when an attack is occurring, which
will allow companies not under attack to ramp up their defenses
to prevent the current attack from succeeding. This
assumes, however, that the companies have already implemented
cybersecurity defense measures and have developed
the plans and procedures to rapidly increase their cybersecurity
defense posture.
The Bottom Line
Critical infrastructure companies should not depend on
tactical cyber-threat information to deploy cybersecurity
defense. Instead, they should consider that the cyber threat
is “1,” and focus on understanding their vulnerabilities and
the consequences of a successful exploitation of them. Waiting
for tactical cyber-threat information could delay critical
them from examining their systems from a mission perspective
and implementing appropriate defenses. The discussions
concerning tactical cyber threats and the resulting expectations
(and need for clearances for industry personnel)
are primarily a distraction, and are being used to justify a
lack of action for implementing cyber defenses. The government
and the critical infrastructures need to get past this
self-imposed roadblock.
Michael Peters is an energy infrastructure and cybersecurit y advisor for the
Federal Energy Regulator y Commission’s Of fice of Electric Reliabilit y. He
specializes in analyzing cybersecurit y issues, including those af fecting control
systems. This ar ticle is personal opinion and does not represent the opinion or
position of the Federal Energy Regulator y Commission or the federal government.
16 www.controlglobal.com A p r i l / 2 0 1 1