As we look at the greatest threats to critical infrastructure, including oil & gas, electric, water and transportation systems, we've pointed to the abundance of rhetoric in the press and the security community. Mandiant's intelligence team provided a report last month that identified the likelihood of ongoing attacks on the utilities industry, specifically as a target for cyber espionage by APT groups.
As we continue to focus on threats to utilities, we wanted to gauge the insights of the community. We asked a group of experts what they believed to be the biggest threat to critical infrastructure. Here are their responses:
The information and views set out in these responses are those of the respondents and do not necessarily reflect the official opinion of Mandiant Corporation.
Ben Rothke, Senior Information Security Executive
The biggest threat to critical infrastructure is the result of decades of insecurity, combined with an inadequate response to current known threats and vulnerabilities.
Kenneth Cole, Senior Policy Engineer at Insignia Federal Group
Poor infrastructure and lack of adequate security controls.
Lisa Foreman, CISSP, CEH, ECSA
Cyber-attacks! The ease and ability to find and exploit vulnerable systems.
Mark Wialbut of Fides Sales
A lack of trust. The problem with cybersecurity is that most of it happens after the fact - patching holes that have already been exploited, like closing the barn door after the cows have gone. Or scanning incoming data for suspicious code: no matter how good the algorithm, someone gets a step ahead. All of these "above the OS" measures add ongoing expense and latency, thus inconvenience, which ends up creating user resistance.
TRUST - A Human Concept that now must be applied to the electronics you rely upon. Almost all current security issues today can be traced to some form of an untrusted device. The missing piece in today's cybersecurity defenses is TRUST.
What's needed is much more "below the OS" cybersecurity built into the devices themselves. This is what will become the foundation for "Electronic Trust". As things are, the keys to the kingdom are vulnerable, with relatively unsophisticated tools giving hackers easy access. Once they have the key, they are in; they only have to crack one device. Adoption of "trust" technologies built into the silicon itself would greatly increase the barrier to entry for hackers. With the use of techniques like Physically Unclonable Function (PUF), each and every device would have its own unique key that is nearly impossible (depending on the implementation) to hack and, if hacked, only provides access to that one user's unique key, not the entire system. Right now, a server has no idea if the device it's talking to is in fact the device it says it is, because there is no basis for trust between these devices. They don't recognize each other in the way we humans do. Without trust there can be no real basis for security. The upfront cost of these countermeasures implemented in silicon is minimal; you only pay once, and it has very little, if any, effect on the performance of the system.