Panel: Security execs failed to learn Stuxnet's lessons

Summary: Since Stuxnet brought chilling attention to the threat of cyberattacks on critical infrastructure such as power grids, oil and gas, and water services, too many executives and security officials in those industries continue to consider it someone else's problem.

TOPICS: Security, Hardware

In the nine months since Stuxnet focused attention on the threat of cyberattacks on critical infrastructure such as power grids, oil and gas, and water services, too many executives and security officials in those industries continue to consider it someone else's problem.

"When you ask people [in those positions] how Stuxnet has altered how they do things, some people said, 'Well, I don't have that equipment here, or I don't have centrifuges,'" said Michael Peters, Energy Infrastructure & Cyber Security Advisor to the Federal Energy Regulatory Commission. What they're not saying is, "I have to think about how my people handle thumb drives and who has access to what."

Stuxnet, designed to impact the control systems operating centrifuge equipment, is believed to have been introduced to secure systems at Iranian nuclear facilities via thumb drives. Peters' comment, made during a panel discussion following the release of a new study on cyber security at critical infrastructure facilities in the U.S. and 13 other countries, felt like a "duh" moment. "Some get it," he said. Not everyone does.

The report, "In the Dark: Crucial Industries Confront Cyberattacks," commissioned by McAfee and written by the Center for Strategic and International Studies (CSIS), supports Peters' assessment of the state of concern, or lack of it, in the industry.

It follows a 2010 report, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar," and it is harsh. (For more on the report, read Cyberattacks on critical infrastructure intensify.)

Not surprisingly, the panelists placed much of the blame for the inadequate response to cyberattacks on a lack of political will and resources.

"It costs lots of money. That's why we haven't done it," said Peters. "It's not just politics. Businesses don't want to spend more money on this; privacy advocates are wary of any effort that would make the network more controlled, less anonymous; and other countries are unenthusiastic about [the U.S.] approach to defense as excuse to protectionism."

There is also a lack of trained personnel, said Kevin Gronberg, Senior Counsel, Committee on Homeland Security, U.S. House of Representatives and a panelist for the McAfee/CSIS event.

"This is very different than corporate IT," Gronberg said. "In corporate IT you're used to changing systems, rollover of 18 months. In utilities control it's a 40 year lifecycle, these things don't rollover."

"Who really understands this threat?" he asked. "Maybe there are 1,000 real experts out there, when you might need 30,000. Then when you consider the subset that understands critical infrastructure control systems... You may have companies trying to do the right thing, who can't find the people to do it."

Even for those doing something about security, it's a question of what and how much, Gronberg said.

"In asking folks about defensive measures, it's crucial to ask how are they implementing those," he said. "It's one thing to say we have a firewall in place, but if it is not implemented correctly, that's not really a defense."

Put another way, it's one thing to have a firewall in place... it's another if you allow employees to carry thumb drives past the firewall at will.

Talkback

  • RE: Panel: Security execs failed to learn Stuxnet's lessons

    One lesson "security experts" just can't learn is the value of getting "off the grid"!! Way too many systems have compromised security because unaware execs always decide for convenience as opposed to security risk. Set up your OWN internal control net and do NOT allow bridging to a public net for any reason, and security will be much better.
    Willnott
  • RE: Panel: Security execs failed to learn Stuxnet's lessons

    More than just a thumb drive, physical security and isolation of secure systems.
    Altotus
  • RE: Panel: Security execs failed to learn Stuxnet's lessons

    I think this 'consumerization of IT' movement that all of the bloggers and non-IT Admins are gung ho about deserves a mention here.

    Of course, if/when a security breach does occur, it's not the bloggers and non-IT Admins who have to worry about their jobs. It's the guys who said no due to "some power trip" or "not wanting to support X device", or, my favorite "the IT Admin is a fanboi of X brand"...

    I'd like to start a 'consumerization of payroll' movement... where I can bring *my* calculator to the payroll dept, and let's use that to figure my paycheck every period.
    UrNotPayingAttention