How to Protect the Nation’s Segmented Critical Infrastructure
When the average person hears that rival nations, criminal organizations, and individuals are targeting the U.S.’s power grid, they picture apocalyptic scenarios of the country returning to the dark ages or terrorists controlling the nation’s infrastructure like a video game. Although these might be Hollywood fantasies, cyber-attacks against the nation’s critical infrastructure can result in very real, and very serious, consequences.
On November 20th, NSA Director and U.S. Cyber Command Commander Admiral Michael Rogers addressed the threat of cyber-attacks to U.S. critical infrastructure systems before the House Intelligence Committee. In response to a question about what malware can do to critical infrastructure systems, Adm. Rogers stated, “It enables you to shut down very segmented, very tailored parts of our infrastructure.” The nation’s segmented infrastructure is the result of both intentional separation of assets and the hodge-podge of companies across different industries with varying levels of security, resources, and technologies.
In SecureState’s experience, not all companies supporting the critical infrastructure are prepared to handle cyber threats. In particular, small and mid-size utility companies lack the resources to manage a truly effective security program. These resource limitations force them to focus on meeting the bare minimum of security compliance, rather than maintaining sustainable, effective security practices. These problems are exacerbated by fixed operating costs that make it difficult to allocate funding for security.
SecureState’s hands-on experience testing various parts of the nation’s smart grid (including testing vulnerabilities in smart meters, capacitor bank controllers, reclosers, voltage sensors, mesh networks, and wireless backhaul links) has provided us some insight into how utility companies can improve their security posture:
• Utility companies can usually only make investments during large projects. They should ensure that adequate security expenses are taken into account when requesting funding/rate changes tied to specific projects.
• Our experience indicates that many devices used by utility companies are difficult to secure. Utilities can mitigate some of the expense associated with device security by focusing their limited budgets on ensuring that associated networks have robust monitoring and alerting systems.
• Utility companies should have documented incident response plans and ensure that relevant personnel are trained in incident response. These plans should allow the company to effectively identify incidents, quickly activate response procedures, and engage appropriate local and state authorities.