In the nine months since Stuxnet focused attention on the threat of cyberattacks to critical infrastructure such as the power grids, oil and gas and water services, too many executives and security officials in those industries continue to consider it someone else's problem.
"When you ask people [in those positions], how Stuxnet has altered how they do things, some people said ‘well I don't have that equipment here or I don't have centrifuges,' " said Michael Peters, Energy Infrastructure & Cyber Security Advisor to the Federal Energy Regulatory Commission. What they're not saying, is "I have to think about how my people handle thumb drives and who has access to what."
Stuxnet, designed to impact the control systems operating centrifuge equipment, is believed to have been introduced to secure systems at Iranian Nuclear facilities via thumb drives. Peters' comment, during a panel discussion following the release of a new study on cyber security at critical infrastructure facilities in the U.S. and 13 other countries, felt like a "duh" moment. "Some get it," he said. Not everyone does.
The report, "In the Dark: Crucial Industries Confront Cyberattacks," commissioned by McAfee and written by the Center for Strategic and International Studies (CSIS), supports Peters's assessment of the state of concern, or, lack of it, in the industry.
It follows to a 2010 report, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar" and it is harsh. (For more on report, read Cyberattacks on critical infrastructure intensify.)
Not surprisingly, the panelists placed much of the blame for the inadequate response to cyberattacks on a lack of political will and resources.
"It costs lots of money. That's why we haven't done it," said Peters. "It's not just politics. Businesses don't want to spend more money on this; privacy advocates are wary of any effort that would make the network more controlled, less anonymous; and other countries are unenthusiastic about [the U.S.] approach to defense as excuse to protectionism."
There is also a lack of trained personnel, said Kevin Gronberg, Senior Counsel, Committee on Homeland Security, U.S. House of Representatives and a panelist for the McAfee/CSIS event.
"This is very different than corporate IT," Gronberg said. "In corporate IT you're used to changing systems, rollover of 18 months. In utilities control it's a 40 year lifecycle, these things don't rollover."
"Who really understands this threat?" he asked. "Maybe there are 1,000 real experts out there, when you might need 30,000. Then when you consider the subset that understands critical infrastructure control systems... You may have companies trying to do right thing, who can't find the people to do it.
Even for those doing something about security, it's a question of what and how much, Gronberg said.
"In asking folks about defensive measures, it's crucial to ask how are they implementing those," he said. "It's one thing to say we have a firewall in place, but if it is not implemented correctly, that's not really a defense."
Put another way, it's one thing to have a firewall in place... it's another if you allow employees to carry thumb drives past the firewall at will.
- The Pentagon must keep pace with the iPhone, but can't and won't
- Special Report: Stuxnet may be the Hiroshima of our time
- 5 smart grid trends that intrigue me
- Cyber-crime is not just a law enforcement issue anymore