Hard Truth: Most critical infrastructure providers lack the tools, skills and mindset to deal with cyber attacks and APTs.
Baking in an appreciation for security among organizations' employees is just as important, if not more so, than baking security into IT systems themselves. Unfortunately, critical infrastructure providers face difficult personnel-related challenges when it comes to cybersecurity. A key obstacle is that certification requirements for control systems engineers – providers' front-line troops in cyber-related conflicts – put little or no emphasis on cybersecurity for critical infrastructure.
For example, the certification exam to get a Control Systems Engineer (CSE) license from the International Society of Automation (ISA) devotes less than 10 percent – and possibly closer to just one or two percent – of its content to network security. The test makes no mention at all of cybersecurity for critical infrastructure. Neither do the audit criteria for certification by the Control Systems Integrators Association (CSIA), which do include risk management and configuration management as part of CSIA's project management and supporting activities responsibilities.
Five Hard Truths About Critical Infrastructure Protection
Five Hard Truths About Critical Infrastructure Protection
Once considered the unthinkable, real-life cyber attacks on critical infrastructure have taken center stage in the past three years. Advancing technologies, evolving cyber threats and a little piece of malware called Stuxnet have catapulted cybersecurity of real-world infrastructure from an academic backwater to a top government and industry priority. From power plants to water treatment sites to traffic control systems, critical infrastructure once thought invulnerable to targeted cyber attacks now lies squarely in the crosshairs.
Over the past two decades, asset owners and operators have added IT systems to help improve management of the ubiquitous industrial control systems (ICS) that perform essential mechanical functions of all kinds. These systems have led to improved service, lower costs and technological marvels such as smart grids. Unfortunately, they have also exposed critical infrastructure to software vulnerabilities that adversaries can exploit through malware and advanced persistent threats (APTs).
Critical infrastructure providers now find themselves in a harrowing position: They must protect both physical and digital assets, but often know less than their adversaries do about those assets' vulnerabilities and how to remediate them. The complexity of IT-enabled critical infrastructure has multiplied the difficulty of protecting it, as have the skyrocketing frequency, sophistication and severity of cyber attacks over the past ten years. Consequences for failure can be catastrophic, but finding the right resources to improve protection can be challenging and expensive – making the decision to invest in security a painful business dilemma.
To protect themselves and their stakeholders from escalating cyber threats, critical infrastructure owners must first acknowledge five hard truths, according to Raju Dodhiawala, vice president and general manager at ManTech.
