Critical infrastructure: A clear and present danger
By Benjamin Cher February 17, 2016
- Air gap philosophy is ‘fools’ gold’ in today’s connected world
- Security need to be ‘baked in’ from the onset and not ‘glued on’
CRITICAL infrastructure like power grids and water supplies has been the target of many theoretical cyber-attacks by academics and white hat hackers for years now, but with the recent shutdown of a power plant in Ukraine by hackers, this threat has now crossed from white-paper territory and into the real world.
But governments and industry are now responding, moving beyond just discussions and towards actual action, according to Robert ‘Bob’ Lentz, who sits on the board of directors at Boulder, Colorado-based cybersecurity company LogRhythm.
“It is starting to accelerate the seriousness of the discussion, moving past esoteric high-level feel-good statements to serious action,” Lentz told Digital News Asia (DNA) on a recent visit to Singapore.
“Very significant investments are being made across … both the private and public sectors to try to get ahead of this problem,” he added.
While the financial services sector has been leading the charge with its FS-ISAC (Financial Services Information Sharing and Analysis Centre) information-sharing community, other sectors are also slowly adapting to the changing threat landscape, according to Lentz.
“What they are starting to see clearly is that threats are becoming so sophisticated that they are a clear and present danger, and not something they can put off for much longer,” he said.
Lentz is a 34-year cybersecurity veteran, and has even held various public-sector defence positions, according to LogRhythm, including at the US Department of Defence and National Security Agency.
The ‘air gap’ myth
The best defence one might have is to not step into the battlefield at all, a strategy that critical infrastructure operators have used since the dawn of automation. After all, the most secure network is the one not connected to anything.
However, in today’s connected world where systems are expected to be interoperable, this idea of an ‘air gap’ is not a feasible strategy, Lentz argued.
“People are realising that ‘air gap’ philosophies are ‘fools’ gold’ when it comes to security.
“If you look at the [US retail giant] Target attack, it was through the HVAC (heating, ventilating and air conditioning) system.
“Adversaries will find a way to get into any kind of interconnected world,” he said.
The introduction of mobile devices into organisations, spurred by the BYOD (Bring Your Own Device) trend, has made this problem even more challenging by taking away the perimeter, he added.
When he served as the chief assurance officer at the Department of Defence, Lentz recalled an instance when the French and Russian ministers of defence declared that they would simply operate without the Internet.
“They said we’re not going to connect to the Internet, we are going to wall that off … [for military operations] because it is too dangerous.
“Two or three years later, I remember getting a book from the French Government written by [Nicolas] Sarkozy, the former president, about France moving into the cybersecurity world,” he said.
The French realised that they, like everyone else, have to be connected in today’s world.
“You can’t live in your little shell and say ‘I’m in an ‘air gapped’ environment’ and expect to conduct business in the 21st century,” said Lentz.
But he also acknowledged that the understanding of cybersecurity is deepening, and the notion of security just being the subject of a checklist is changing.
“People are finally realising that cybersecurity is not just popping in a firewall, or popping in some sort of password system to feel good.
“The checklist philosophy is going out the door very quickly – people who still believe in the ‘air gap’ philosophy are living in a fantasy world,” he added.
Private sector efforts
The private sector is cottoning on to efforts led by the public sector, with Lentz in town to work with companies in establishing a non-profit standards group for what is being called the ‘cyber-physical environment.’
“I believe that people are starting to realise that a lot of the cyber-physical world has been 20th century legacy technologies,” he said.
“They are starting to see the fact they are moving to much more modern interoperable features that will have Internet-based protocols. They have to figure out a way to secure them in a cost-effective manner,” he added.
And standards are the answer, Lentz argued.
“The first thing we have to do is solidify the standards and architectures – by doing that, we will start to drive down costs.
“What we have right now in the security industry over the past 15 years is a plethora of disjointed security technologies, and we are now just starting to come together in a more cohesive way to deal with threats,” he added.
Driving costs down with standards will allow for industries to have security from the onset, instead of just bolting it on as an afterthought.
“We need various industries to come together with common standards and more advanced technology, to drive the cost down so we can secure them,” said Lentz.
“We want security ‘baked-in’ from the beginning, versus what we’ve done in the last 15 years in the security industry, which was to ‘glue on’ security after the fact – this drives up costs and makes it pretty ineffective.
“The industry is starting to realise that we can’t make the same mistake as we enter the next wave of the Internet, the cyber-physical wave,” he added.
Smart city disorder
There is also growing realisation that as more smart cities are developed, there would be a growing danger that cybercriminals can cause chaos and destruction in the physical world.
“The Internet of Things (IoT) really makes the destructive side of cybersecurity a reality,” said Lentz.
“Up till now, it’s been about stealing identities and information, and cyber-espionage, but you’re now talking about knocking a high-speed train off its tracks, or dealing with a power plant or a financial calamity,” he added.
Lentz also warned that with technology evolving so quickly, it doesn’t require a large or well-funded group to take down crucial services.
“The problem is that threat groups are becoming so sophisticated that even small groups can create anarchy in a country by shutting down critical infrastructure; it doesn’t have to be a large group like Al-Qaeda or a nation state,” he added.
New EY centre to tackle critical infrastructure security
Threats targeting critical infrastructures: Frost
The threat landscape runneth over, here’s what we need to do
‘Hackers’ – tech reality finally catches up with Hollywood?
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.