In this series of articles running through July, RealClearPolitics and RealClearDefense take an in-depth look at the intersection of cybersecurity, technology, and warfare in the 21st century. Below is Part 6.
Recently, malware called Trisis was discovered that was specifically designed to access controls, cause leaks or explosions, and sabotage an electric company’s industrial control system. This was a warning shot to both the public and private sector, most especially to utility companies that deliver electricity to customers. Industry executives now know they must implement a multilayered strategy to protect against such cyberthreats.
Critical infrastructure is dependent on electricity. If the electric grid were shut down by a cyberattack, crucial functions of daily life ranging from ATM and online banking transactions to heating and cooling your homes – and shopping for food and gasoline – would come to a halt.
“As cyberattacks spill over into the physical world and potentially impact life and safety, our layered defenses must also evolve,” Mark Orlando, chief technology officer for Raytheon’s managed security services business, said in an email exchange. “It is critical that we pair our layered cyber defenses with the proper oversight, supply chain management, regulatory controls, and user training and awareness to help protect our critical infrastructure.”
Multiple tactics exist for the private sector to protect against cyberthreats. A firewall is one type of technology that monitors and controls incoming and outgoing traffic based on predetermined security rules, establishing a barrier between a trusted internal network and an untrusted external network such as the Internet.
Identity and access management is another strategy that defines and manages the access privileges of a network’s users. Access can be granted or denied based on assigned privileges. After a digital identity has been created, it must be maintained, modified and monitored throughout each user’s “access lifecycle.”
Username and password authentication is another component of identity management. Multifactor authentication includes tracking and creating reports about user activities and enforcing policies on an ongoing basis. Requiring more than one method of authentication is powerful because it serves as a risk management strategy and supports threat prevention.
An effective cybersecurity strategy protects data, such as classified or personal information and trade secrets. Encryption uses algorithms that convert data, such as text messages, emails and data uploads, into ciphertext, which is unreadable code. Because information cannot be accessed and exploited by unauthorized users, confidential data can move from one network to another without being compromised.
Cyber risk access points multiply as companies adopt interconnected and integrated technologies. Sharing cyberthreat information decreases the likelihood that one cyberthreat or attack will affect multiple stakeholders. In theory, one entity identifies a cyberthreat or attack and shares the collected information with public and private sector partners.
Actionable intelligence is then applied to protect partners’ networks. The intent is for data and systems to become more secure and less prone to cyberattacks with shared intelligence and resources. Without data sharing, it is almost impossible to detect, defend and contain systemic attacks early.
The state of Nevada recently created a Cyber Defense Center to ensure that essential services, such as electricity, are delivered to the public in the event of an outage from a cyber breach. It will act as a “nerve center” for statewide cybersecurity preparedness, risk assessment, response and threat mitigation resources. Each state in the U.S. should create such a centralized center to streamline cyber operational strategies.
Recognizing the importance of grid security, U.S. Energy Secretary Rick Perry recently announced the creation of the Office of Cybersecurity, Energy Security, and Emergency Response. It is devoted to preparing for and responding to physical and cyberthreats on our grid and demonstrates that energy infrastructure is a priority to the nation.
Meanwhile, the Defense Department is building a Cyber Mission Force with over 6,000 personnel across all the branches of service and the National Guard. The teams will conduct defensive and offensive cyberspace operations and information network operations. Almost all the teams have reported that they are ready now, well ahead of the fall target date.
The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence builds “example solutions” using standards-based commercially available products to address energy sector cybersecurity challenges. The term “example” is used because the solution created by the NCCoE is not the only answer to address an issue – it is an example. These projects include situational awareness, identity and access management and asset management.
Jim McCarthy, senior security engineer at the NCCoE’s Energy Sector Projects, shared in a recent email exchange that the center collaborates with utility companies, technology vendors, government agencies and academia to produce example solutions. These solutions can then be adopted by the energy sector and tailored to their environment to address cybersecurity challenges.
In response to the continuous waves of cyberattacks against U.S. corporations, the Active Cyber Defense Certainty Act was introduced in Congress to allow corporations to defend themselves in the cyber domain. The bill would allow private companies to enter an external network without authorization and strike back at attackers. While this sounds prudent, some cybersecurity experts fear that such measures run the risk of ever-greater escalation — and other unintended consequences.
Adm. Mike Rogers, who recently retired as head of the National Security Agency, cautioned Congress against passing laws that make “hacking back,” as this process is called, standard behavior. “My concern is to be leery of putting more gunfighters out on the street in the Wild West,” he warned.
International cooperation is also required for companies to effectively protect against cyberthreats. At a conference in Munich earlier this year, representatives of Siemens, IBM, Cisco and Daimler signed a charter of trust to focus on security standards and supply chain integrity.
Supply chain cybersecurity is especially important considering that a customer transaction service for U.S. natural gas companies was recently disrupted by a cyberattack. Such forays are conducted to gain information about gas industry buyers and sellers and even issue fake transactions.
Last month, the largest and most complex North Atlantic Treaty Organization international cyber defense exercise took place. Called “Locked Shields,” it entailed NATO members protecting critical infrastructure and information technology systems from a cyberattack, specifically focusing on disruptions to the electric grid and other critical infrastructure.
Furthermore, European Union members participating in the Permanent Structured Cooperation on Defense are increasingly focused on cybersecurity. They have identified specific projects that address countering cyberthreats and improving cybersecurity, backed by the European Defense Fund and individual member states.
To protect private companies from cyberthreats, a multilayered security approach must be implemented to protect networks from intruders. Cyberthreat protection strategies are tailored to the priorities of each company. A one-size-fits-all solution is not possible. Even when security measures are in place, they must be maintained and tested to ensure that networks remain protected from cyberthreats that change continuously. Cooperation with international partners will boost cybersecurity protections, considering that cyberthreats have no borders.
As vice president of the Lexington Institute, Constance Douris publishes articles and gives speeches about electric grid cybersecurity. You can follow her on Twitter @CVDouris and the Lexington Institute @LexNextDC.