Saturday, July 5, 2014

Critical Infrastructure as the Next "Cyber War"

I'm tired of reading headlines that say stuff like "It's [cyber] the next war!" because not only do they spread FUD (fear, uncertainty, doubt), but if this were really the case we [as Americans] would already have "lost".

One of the things the FUD-sters like to ballyhoo about is the nation's critical infrastructure and how our power plants, water treatment facilities and chemical processing plants will be [or already are] targets for foreign nation states in a sneaky digital assault. News flash: this has been going on for some time, and while it's crystal clear to anyone paying attention that the nation's critical infrastructure is in a seriously neglected state when it comes to security, this likely isn't America's biggest problem.

Let me be clear: I believe the power grid, water supply, and other things, including our beer manufacturers, are in dire need of a security overhaul. We've let security go derelict for so long that the state of things is not good. The truly frightening part isn't knowing that things are horribly wide open... no, it's realizing that fixing some of these issues would require a full stop of things we cannot live without, like our power grid, for several days (weeks maybe?).

In a podcast conversation with Patrick Miller of NESCO and EnergySec way back in September 2012 we talked about the critical state of things. He enlightened me as to why the energy providers aren't just jumping up and "fixing it" like people are demanding. For example, the issues the power grid has aren't fixed by applying the equivalent of a Windows patch. Many of these issues require deployment of new hardware into the electricity transmission system, which means shutting down power to huge swaths of the grid for extended periods of time. We're not just fixing a buffer overflow here; in many cases the 'hack' is as simple as plugging an old serial cable into a port and getting unauthenticated access to the piece of equipment. This is the really scary, systemic and architectural type of security failure that takes a generational change to remedy, because the lifespan of this gear isn't 3-5 years like in corporate America, but rather 10-25 years in some cases.

While raising awareness is almost always good, more FUD like we are seeing in the mainstream media isn't helping anyone except those looking for clicks. Let's face it, we need a strategy, not knee-jerk reactions and sensationalism. On the other hand... if "Kamikaze Panda" (see what I did there?) were to decide that China is going to attack America's infrastructure and try to cripple us... I'm willing to bet we could do the same right back. Zero-sum game, in my opinion.

What is needed is a holistic review and re-engineering, not patches. The challenge, of course, is that we first need to phase out this equipment without disrupting businesses and life for citizens. Maybe the "bad guys" will do this for us, or more likely we'll experience a failure unrelated to OMG HACKING that brings about security improvements, but as a side-effect rather than as a goal. I'd like to say I'm optimistic... but the realist in me says we'll see more bemoaning and critical failures before someone antes up the time, money, and resources to revamp the nation's critical infrastructure.

db1981 said...

I would say that phasing out the old hardware is kind of difficult... utilities are experiencing a significant shrink in their profits, so unless the Government pays for this...
Moreover, while vendors have improved their software quality in recent years, even modern products are vulnerable, so phasing out might not fix the problem...

anode said...

Power Grid attacks (successful):
Terrorists 0
Cyber Jihad 0
Squirrels tens of thousands.