April 2011 - Control Global
Security Spotlight
the public. These people have detailed, intimate knowledge of the company's systems and processes, and they will often know exactly how to cause the most damage to operations. They can build on this knowledge and determine how best to mitigate the attack vectors they developed.
The second perspective is the traditional vulnerability assessment/evaluation arena. Critical infrastructure companies need to examine their systems looking for vulnerabilities; determine the consequences/impacts to the company's operations of a successful exploitation of each vulnerability; determine the capabilities that are necessary to successfully exploit the vulnerability and cause the identified consequences; determine whether the capabilities needed to exploit the vulnerability currently exist, and whether those capabilities are easy to use; and finally, determine how to mitigate the identified vulnerability and minimize the impact of a successful exploitation. The company should also answer all of these questions for the scenarios developed by its internal tiger team.

Now the company can prioritize what it fixes by working through the results of the above analysis. Vulnerabilities with high/major impacts, where the capabilities to exploit them currently exist and are easy to use, should be fixed first.

The overall goal is to improve the security of the system, and the above methodology uses only the vulnerabilities and consequences (information that is most likely known) rather than requiring threat information, which is typically unknown. (This is information that is definitely unknown at the tactical level and is often considered not detailed enough at the strategic level.)
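The prioritization rule above can be written down directly. The following is an added example, not code from the Control Global article or from FERC: each finding (from the tiger team or from the assessment) carries its consequence, whether the capability to exploit it exists today, and how easy that capability is to use; the threat term is pinned at 1, so only impact and exploitability drive the fix order. The field names, the 1 to 5 scales, the threshold values and the sample findings are all assumptions made for this example.

```python
# Added example (not from the article): threat-agnostic fix prioritisation.
# The threat is taken as a given (factor 1); ordering depends only on the
# consequence of a successful exploit and on whether an easy-to-use
# capability to exploit the weakness already exists.
from dataclasses import dataclass

THREAT = 1  # the article's stance: assume the threat exists, do not wait for tactical intelligence


@dataclass(frozen=True)
class Finding:
    name: str
    source: str              # "tiger_team" scenario or "assessment" finding (assumed labels)
    impact: int              # consequence to operations, 1 (minor) .. 5 (major)  (assumed scale)
    capability_exists: bool  # does a working capability to exploit this exist today?
    ease: int                # 1 (needs specialist tooling/skill) .. 5 (trivial to use)  (assumed scale)
    mitigation: str


def exploitability(f: Finding) -> int:
    """An existing capability is weighted by its ease of use; a capability
    that would still have to be developed scores the floor value of 1."""
    return f.ease if f.capability_exists else 1


def risk(f: Finding) -> int:
    """threat x impact x exploitability, with threat fixed at 1."""
    return THREAT * f.impact * exploitability(f)


def prioritize(findings):
    """Order the combined tiger-team and assessment findings, highest risk first.
    Ties go to the larger consequence, then to the name for a stable result."""
    return sorted(findings, key=lambda f: (-risk(f), -f.impact, f.name))


def fix_first(findings, major=4, easy=4):
    """The article's first tier: major impact, and an exploit capability that
    exists today and is easy to use. Thresholds are assumptions."""
    return [f.name for f in prioritize(findings)
            if f.impact >= major and f.capability_exists and f.ease >= easy]


# Constructed sample findings for illustration only (not from the article).
SAMPLE = [
    Finding("Unauthenticated write to PLC setpoints over the plant LAN",
            "assessment", 5, True, 4, "segment the network and authenticate writes"),
    Finding("Operator can silence alarms from the corporate network",
            "tiger_team", 4, True, 5, "remove the remote alarm-acknowledge path"),
    Finding("Historian uses a vendor default password",
            "assessment", 2, True, 5, "rotate credentials, disable default account"),
    Finding("Firmware signatures not verified on RTUs",
            "assessment", 5, False, 2, "enable signature checks on firmware load"),
    Finding("Insider edits batch recipe after approval",
            "tiger_team", 3, True, 3, "dual control on recipe changes"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk(f):>3}  {f.source:<11} {f.name}  ->  {f.mitigation}")
```

Note that the unsigned-firmware finding, despite its major consequence, ranks last because no usable capability exists yet; it would move to the top of the list the day such a capability appeared, which is exactly the kind of information an attack-in-progress sharing mechanism should carry.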
Learning from Accidents
One other area where critical infrastructure companies can gather information they can use to convince senior executives to authorize the implementation of cybersecurity defenses is to examine real-world industrial incidents/accidents and see if they can extrapolate a purely cyber scenario that results in the same consequences. For instance, most industrial accidents involve three legs: a physical issue/problem, some form of human error, and a cyber issue, such as a cyber system not running, a cyber system running but on incorrect data, or (still rare today) a malicious cyber attack.
For some industrial accidents, it is quite simple to extrapolate to a purely cyber vector that causes the same consequences as the original accident. However, this is normally done by making two main assumptions. The first is that an electronic pathway exists from the targeted control system to the outside world. A disgruntled insider needs to be considered as well. The second assumption is that this electronic pathway is exploitable, and the likelihood of this is very high. You could simply assume a supply chain issue that allowed the adversary to implant his malicious access at an earlier stage.
I believe that by undertaking the above three efforts, any critical infrastructure company will have developed/acquired enough information to convince its senior executives that cybersecurity defenses must be implemented to ensure that the company can continue to carry out its mission safely, reliably and securely, without needing tactical cyber threat information from the government before it is persuaded to act to adequately secure its control systems.

"Threat" vs. "Tactical" Information

The industry uses the general term "threat information." However, during more detailed discussions, it seems the information companies want is more in line with the traditional military concept of "tactical information"; for example, individual "Able" from bad-guy group "Baker" is planning on attacking critical infrastructure "Charlie," specifically company "Delta," on Friday at 1500 EST using technique "Echo." The government has been providing strategic threat information for several years. But companies don't need such specific information to prepare for threats.
There is one arena in which tactical, actionable cyber threat information about a potential attack is genuinely needed, and it comes after, not before, the decision to implement basic cyber defense mechanisms. Mechanisms must be developed and deployed that allow information to be shared while an attack is occurring, so that companies not yet under attack can ramp up their defenses and prevent the current attack from succeeding. This assumes, however, that the companies have already implemented cybersecurity defense measures and have developed the plans and procedures to rapidly raise their cybersecurity defense posture.
The Bottom Line
Critical infrastructure companies should not depend on tactical cyber-threat information to deploy cybersecurity defenses. Instead, they should take the cyber threat as a given (treat it as "1") and focus on understanding their vulnerabilities and the consequences of a successful exploitation of them. Waiting for tactical cyber-threat information could delay critical infrastructure companies, keeping them from examining their systems from a mission perspective and from implementing appropriate defenses. The discussions concerning tactical cyber threats and the resulting expectations (and the need for clearances for industry personnel) are primarily a distraction, and are being used to justify a lack of action on implementing cyber defenses. The government and the critical infrastructures need to get past this self-imposed roadblock.
Michael Peters is an energy infrastructure and cybersecurity advisor for the Federal Energy Regulatory Commission's Office of Electric Reliability. He specializes in analyzing cybersecurity issues, including those affecting control systems. This article is personal opinion and does not represent the opinion or position of the Federal Energy Regulatory Commission or the federal government.
16 www.controlglobal.com April 2011