Three years ago, when electric grid operators were starting to talk about the need to protect critical infrastructure from cyber attacks, few utilities had even hired a chief information security officer.
Then came Stuxnet.
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
In 2010, that malware, widely reported to have been created by the U.S. and Israel, reportedly destroyed 1,000 centrifuges that Iran was using to enrich uranium after taking over the computerized systems that operated the centrifuges.
Gen. Michael Hayden, principal at security consultancy The Chertoff Group, was director of the National Security Agency, and then the CIA, during the years leading up to the event. "I have to be careful about this," he says, "but in a time of peace, someone deployed a cyber weapon to destroy what another nation would describe as its critical infrastructure." In taking this step, the perpetrator not only demonstrated that control systems are vulnerable, but also legitimized this kind of activity by a nation-state, he says.
The attack rattled the industry. "Stuxnet was a game-changer because it opened people's eyes to the fact that a cyber event can actually result in physical damage," says Mark Weatherford, deputy undersecretary for cyber security in the National Protection Programs Directorate at the U.S. Department of Homeland Security.
In another development that raised awareness of the threat of cyber war, the U.S. government in October accused Iran of launching distributed denial-of-service (DDoS) attacks against U.S. financial institutions. In a speech intended to build support for stalled legislation known as the Cybersecurity Act that would enable greater information sharing and improved cyber security standards, Defense Secretary Leon Panetta warned that the nation faced the possibility of a "cyber Pearl Harbor" unless action was taken to better protect critical infrastructure.
"Awareness of the problem has been the biggest change" since the release of Stuxnet, says Tim Roxey, chief cyber security officer for the North American Electric Reliability Corp. (NERC), a trade group serving electrical grid operators. He noted that job titles such as CISO and cyber security officer are much more common than they once were, new cyber security standards are now under development, and there's a greater emphasis on information sharing, both within the industry and with the DHS through sector-specific Information Sharing and Analysis Centers. (Read our timeline of critical infrastructure attacks over the years.)
On the other hand, cyber security is still not among the top five reliability concerns for most utilities, according to John Pescatore, an analyst at Gartner. Says Roxey: "It's clearly in the top 10." But then, so is vegetation management.
Compounding the challenge is the fact that regulated utilities tend to have tight budgets. That's a big problem, says Paul Kurtz, managing director of international practice at security engineering company cyber Point International and former senior director for critical infrastructure protection at the White House's Homeland Security Council. "We're not offering cost-effective, measurable solutions," he says. "How do you do this without hemorrhaging cash?"
Most experts agree that critical infrastructure providers have a long way to go. Melissa Hathaway, president of Hathaway Global Strategies, was the Obama administration's acting senior director for cyber space in 2009. That year, she issued a cyber space Policy Review report that included recommendations for better protecting critical infrastructure, but there hasn't been much movement toward implementing those recommendations, she says. A draft National cyber Incident Response plan has been published, but a national-level exercise, conducted in June, showed that the plan was insufficient to protect critical infrastructure.
"A lot of critical infrastructure is not even protected from basic hacking. I don't think the industry has done enough to address the risk, and they're looking for the government to somehow offset their costs," Hathaway says. There is, however, a broad recognition that critical infrastructure is vulnerable and that something needs to be done about it.
The Department of Defense has a direct stake in the security of the country's critical infrastructure because the military depends on it. "The Defense Science Board Task Force did a review of DOD reliance on critical infrastructure and found that an astute opponent could attack and harm the DOD's capabilities," says James Lewis, a senior fellow specializing in cyber security at the Center for Strategic and International Studies.
At a forum in July, NSA Director Gen. Keith Alexander was asked to rate the state of U.S. preparedness for an attack on critical infrastructure on a scale of 1 to 10. He responded, "I would say around a 3." The reasons include the inability to rapidly detect and respond to attacks, a lack of cyber security standards and a general unwillingness by both private companies and government agencies to share detailed information about threats and attacks. The DOD and intelligence agencies don't share information because they tend to overclassify it, says Hayden. And critical infrastructure providers prefer to keep things to themselves because they don't want to expose customer data and they're concerned about the liability issues that could arise and the damage their reputations could suffer if news of an attack were widely reported.
"The rules of the game are a little fuzzy on what you can and cannot share," says Edward Amoroso, chief security officer and a senior vice president at AT&T, noting that his biggest concern is the threat of a large-scale DDoS attack that could take down the Internet's backbone. "I need attorneys, and I need to exercise real care when interacting with the government," he says.
In some cases, critical infrastructure providers are damned if they do share information and damned if they don't. "If the government provides a signature to us, some policy observers would say that we're operating on behalf of that government agency," he says. All parties agree that, in a crisis, everyone should be able to share information in real time. "But talk to five different people and you'll get five different opinions about what is OK," says Amoroso. Unfortunately, government policy initiatives intended to resolve the issue, such as the cyber security Act, have failed to move forward.
"It was disappointing for us that this nonpartisan issue became so contentious," says Weatherford. The lack of progress by policymakers is a problem for the DHS and the effectiveness of its National cyber security and Communications Integration Center (NCCIC). The center, which is open around the clock, was designed to be the nexus for information sharing between private-sector critical infrastructure providers -- and the one place to call when there's a problem. "I want NCCIC to be the '911' of cyber security," he says. "We may not have all the answers or all the right people, but we know where they are."
Meanwhile, both the number of attacks and their level of sophistication have been on the rise. Richard Bejtlich, chief security officer at security consultancy Mandiant, says electric utilities and other businesses are under constant assault by foreign governments. "We estimate that 30% to 40% of the Fortune 500 have an active Chinese or Russian intrusion problem right now," he says. However, he adds, "I think the threat in that area is exaggerated," because the goal of such attacks is to steal intellectual property, not destroy infrastructure. (Read our timeline of critical infrastructure attacks over the years.)
Others disagree. "We've seen a new expertise developing around industrial control systems. We're seeing a ton of people and groups committed to the very technical aspects of these systems," says Howard Schmidt, who served as cyber security coordinator and special assistant to the president until last May and is now an independent consultant.
"People are too quick to dismiss the link between intellectual property loss through cyber intrusions and attacks against infrastructure," says Kurtz. "Spear phishing events can lead to the exfiltration of intellectual property, and that can have a spillover effect into critical infrastructure control system environments."
Spear phishing attacks, sometimes called advanced targeted threats or advanced persistent threats, are efforts to break into an organization's systems by targeting specific people and trying, for example, to get them to open infected email messages that look like they were sent by friends. Such attacks have been particularly difficult to defend against.
Then there's the issue of zero-day attacks. While software and systems vendors have released thousands of vulnerability patches over the past 10 years, Amoroso says, "I wouldn't be surprised if there are thousands of zero-day vulnerabilities that go unreported." And while hacktivists may brag about uncovering vulnerabilities, criminal organizations and foreign governments prefer to keep that information to themselves. "The nation-state-sponsored attack includes not only the intellectual property piece but the ability to pre-position something when you want to be disruptive during a conflict," Schmidt says.
Usually in espionage it's much easier to steal intelligence than it is to do physical harm. That's not true in the cyber domain, says Hayden. "If you penetrate a network for espionage purposes, you've already got everything you'll want for destruction," he says.
On the other hand, while it's impossible for a private company to defend itself from physical warfare, that's not true when it comes to cyber attacks. Every attack exploits a weakness. "By closing that vulnerability, you stop the teenage kid, the criminal and the cyber warrior," says Pescatore.
Computerized control systems are a potential problem area because the same systems are in use across many different types of critical infrastructure. "Where you used to turn dials or throw a switch, all of that is done electronically now," Schmidt says.
In addition, many industrial control systems that used to be "air-gapped" from the Internet are now connected to corporate networks for business reasons. "We've seen spreadsheets with thousands of control system components that are directly connected to the Internet. Some of those components contain known vulnerabilities that are readily exploitable without much sophistication," says Marty Edwards, director of control systems security at the Industrial Control Systems cyber Emergency Response Team (ICS-CERT) at the DHS. The organization, with a staff that's grown tenfold to 400 in the past four years, offers control system security standards, shares threat data with critical infrastructure providers and has a rapid response team of "cyber ninjas," high-level control systems engineers and cyber security analysts who can be deployed at a moment's notice.
Last year, ICS-CERT issued 5,200 alerts and advisories to private industry and government. "[Edwards] had teams fly out seven times last year to help businesses respond to events that either took them offline or severely impacted operations," says Weatherford, who declined to provide details on the nature of those events.
Control systems also suffer from another major weakness: They're usually relatively old and can't easily be patched. "A lot of them were never designed to operate in a network environment, and they aren't designed to take upgrades," Schmidt says. "Its firmware is soldered onto the device, and the only way to fix it is to replace it." Since the systems were designed to last 10 to 20 years, organizations need to build protections around them until they can be replaced. In other cases, updates can be made, but operators have to wait for the service providers who maintain the equipment to do the patching.
So where should the industry go from here?
The place to start is with better standards and best practices, real-time detection and containment, and faster and more detailed information sharing both among critical infrastructure providers and with all branches of government.
While some progress has been made with standards at both the DHS and industry groups such as the NERC, some argue that government procurement policy could be used to drive higher security standards from manufacturers of hardware and software used to operate critical infrastructure. Today, no such policy exists across all government agencies.
"Government would be better off using its buying power to drive higher levels of security than trying to legislate higher levels of security," argues Pescatore. But the federal government doesn't require suppliers to meet a consistent set of security standards across all agencies.
Even basic changes in contract terms would help, says Schmidt. "There's a belief held by me and others in the West Wing that there's nothing to preclude one from writing a contract today that says if you are providing IT services to the government you must have state-of-the-art cyber security protections in place. You must have mechanisms in place to notify the government of any intrusions, and you must have the ability to disconnect networks," he says.
But government procurement policy's influence on standards can go only so far. "The government isn't buying turbines" and control systems for critical infrastructure, says Lewis.
When it comes to shutting down attacks, faster reaction times are key, says Bejtlich. "Attackers are always going to find a way in, so you need to have skilled people who can conduct rapid and accurate detection and containment," he says. For high-end threats, he adds, that's the only effective countermeasure. Analysts need high visibility into the host systems, Bejtlich says, and the network and containment should be achieved within one hour of intrusion.
Opening the kimono
Perhaps the toughest challenge will be creating the policies and fostering the trust required to encourage government and private industry to share what they know more openly. The government not only needs to pass legislation that provides the incentives and protections that critical infrastructure businesses need to share information on cyber threats, but it also needs to push the law enforcement, military and intelligence communities to open up. For example, if the DOD is planning a cyber attack abroad against a type of critical infrastructure that's also used in the U.S., should information on the weakness being exploited be shared with U.S. companies so they can defend against counterattacks?
"There is a need for American industry to be plugged into some of the most secretive elements of the U.S. government -- people who can advise them in a realistic way of what it is that they need to be concerned about," says Hayden. Risks must be taken on both sides so everyone has a consistent view of the threats and what's going on out there.
One way to do that is to share some classified information with selected representatives from private industry. The House of Representatives recently passed an intelligence bill, the cyber Intelligence Sharing and Protection Act, which would give security clearance to officials of critical industry operators. But the bill has been widely criticized by privacy groups, which say it's too broad. Given the current political climate, Hayden says he expects the bill to die in the Senate.
Information sharing helps, and standards form a baseline for protection, but ultimately, every critical infrastructure provider must customize and differentiate its security strategy, Amoroso says. "Right now, every business has exactly the same cyber security defense, usually dictated by some auditor," he says. But as in football, you can't win using just the standard defense. A good offense will find a way around it. "You've got to mix it up," Amoroso says. "You don't tell the other guys what you're doing."
This story, "After Stuxnet: The new rules of cyber war" was originally published by Computerworld.