Securing critical infrastructure no short-term fix, experts say

a “game changer.”

Weatherford said, “This was the first piece of malicious code developed and targeted very specifically for a control system for a very specific singular purpose.”

He added, “Someone could have taken out those 968 centrifuges with a kinetic device just as easily and probably, with less expense than it took the time to develop the Stuxnet malware. But to see it happen the way it did, is a game changer.”

Karl Gumtow, president and CEO of CyberPoint International, echoed this statement.

“It’s a game changer because of the fact that they are looking at different ways to get the same thing across,” he said.

“It’s not the first time a control system has been attacked, it’s not the first time something has been done in that way. But, people are now thinking more about ‘How can I get the outcome I want?’”

The attack has put security experts on high alert because “water, manufacturing, and electrical plants that are using these various control devices could be targeted by malicious code like [Stuxnet] now,” Weatherford warned.

“It changes the perception that you can target a specific piece of equipment, and not only that, a specific version of a piece of equipment,” he said.

When faced with such a diverse array of threats, Bryan Ware, CEO and co-founder of Digital Sandbox, said that businesses and governments must make the difficult choice of prioritizing what they need to defend because it is impossible to defend against everything.

“We can’t be chasing vulnerabilities because that will never end. The way you have to do it is identify what your missions are, prioritize those missions, and prioritize the assets that support those missions,” he said.

Ware went on to say, “Conceptually, it’s hard, but it’s really the only way you ever stand a chance at being able to prevent an attack successfully.”

Ware said that organizations must also define what is most critical to them and that it was impossible to establish broad guidelines across sectors because each organization’s needs are entirely different.

“You can’t have just one definition,” he said.

What may be “critical to the national defense, the national security, and our national economy” is likely to be different than what the state of Maine is most worried about, while “the things that are absolutely critical to my business, probably not a lot of other people care about,” Ware explained.

“It’s very difficult to make value judgments on what’s important and to what degree it’s important.”

According to Ware, some states have made decisions to only monitor a set number of pieces of infrastructure. While this may assist with prioritizing resources, it is an inflexible approach that leaves a significant portion of infrastructure vulnerable. In addition, selecting a set list of infrastructure to protect invariably contains a bias towards one industry or sector.

“At any given time there may be a lot of assets you didn’t know were critical that all of a sudden become critical. Everything has a degree of criticality and it changes depending on the circumstances and the situation,” Ware said.

Instead, Ware recommends that organizations take a portfolio management approach. They should identify all types of vulnerabilities and “catalogue it all.”

Ware says that an organization’s goal should be to “manage a large library of assets, understand as many things that are going on as you can, understand how they come together – in different situations and scenarios, threat types, vulnerability types, prioritization schemes, and even different regulatory and governmental schemes – and understand how to manage that complex portfolio.”

“You need to have high quality data for the most important stuff, but you need to know all the stuff that’s in there as much as you can. So you increase the breadth of your situational awareness and allow that to push things to the top to focus the depth of your analysis on,” Ware continued.

In closing, the panel’s moderator, Mischel Kwon, the former director of the U.S. Computer Emergency Readiness Team, cautioned that securing critical infrastructure is a difficult process that will take a long time to address.

But according to Kwon, “We’re making progress in that we’re looking at this in a broader scope and that we’re not just pigeonholing cyber away from physical.”

She concluded that it was unrealistic to “[find] a solution to this tomorrow.”

“I think this is a bigger problem than that and I do think we have to keep looking.”