As we kicked off our March #SecChat on critical infrastructure, the first question on many participants’ minds was one of definition: What makes an infrastructure critical in the first place?
There seem to be countless general definitions for critical infrastructure floating around, and quite a few short lists of which infrastructures should be included. None of these lists or definitions should be considered definitive, as the criteria will continue to expand over time. As our followers pointed out, “critical” could define any infrastructure whose prolonged disruption would cause significant distress. This includes industries we traditionally think of as critical infrastructure, like gas, oil and electric, but it can also include things like the Internet, which many modern infrastructures now rely on.
One point of agreement quickly reached, however, was the fact that critical infrastructure has been, and is now, a target for organized attack.
One interesting question posed by @CaffSec was whether or not Internet connectivity should be built in to critical infrastructure, given the added threat of cyber attack. The fact that network connectivity is now vital to so many critical systems can be a troubling thought, as @ChetWisniewski pointed out, the most damaging attacks cause cascading failure. If the Internet or the power grid goes, so do many other critical services. Still, @JadedSecurity asserted that taking critical infrastructure off the Internet would only remove the word “cyber” from the threat – critical infrastructure is and always will be at risk.
Another point touched upon was that the combination of old and new makes many industries more vulnerable. @JadedSecurity and @ChetWisniewski chimed in that the reason SCADA systems seem to be in the spotlight more often is that they’re still being configured with unrealistic assumptions of isolation. @LabNuke agreed, adding that the situation gets complicated because although many organizations want to upgrade legacy systems, the upgrades can be prohibitively expensive and hard to justify to business higher-ups.
When asked about some non-technical strategies for improving CI security, @chrisjager suggested an improvement in training, authorities and delegations, incident handling and change management, while @ArchangelAmael noted that end user training has been effectively ignored in the past. In addition, @JadedSecurity noted that executives now expect to be able to use any and all personal devices at work – a security risk that the organization is not necessarily equipped to handle, or willing to pay for.
Finally, one of our last topics on the table was government assistance – what can the government do to help or hinder the protection of critical infrastructure? I believe that accelerated depreciation or refundable tax credits would encourage CI companies to invest in security resources. But as @japi999 pointed out – are governments ready to increase their cyber defense budget, even if it means putting less money towards traditional defense? It’s a tough question, and something to watch closely as time goes on.
Thanks to everyone who joined us for this month’s #SecChat discussion. It was great to hear the input of so many industry thought leaders, and I look forward to seeing some of you in next month’s chat!
Our April #SecChat will be held on Thursday, April 19th at 11am PT on the topic of Datacenter Security. Stay tuned for more detailed information on the topic here in the blog, and from @IntelSec_Biz on Twitter.