Threats to our Critical Infrastructure
Our Industrial Control Systems (ICS) are threatened. On Face the Nation, Page 2 (http://www.cbsnews.com/video/watch/?id=50140746n), February 10, 2013, James Lewis, Senior Fellow at the Center for Strategic and International Studies, describes the threats to our utilities. Lewis goes on to say that the largest threats are posed by Iran or a rogue group. Though this segment included other cyber threat discussions, the takeaway is that we are not prepared for a cyber attack on our infrastructure.
The North American Electric Reliability Corporation (NERC), the Federal Energy Regulatory Commission (FERC), the Department of Homeland Security (DHS), Congress, and the electric industry have said it is important to secure the electric grid. On September 27, 2012, the presidents of the American Public Power Association (APPA), Edison Electric Institute (EEI), Electric Power Supply Association (EPSA), Nuclear Energy Institute (NEI), and the National Rural Electric Cooperative Association (NRECA) sent a letter to Senator Rockefeller proclaiming the importance of cyber security and stating they were working to secure the electric industry. Control system cyber incidents are real and numerous.
Joe Weiss, a Professional Engineer and Silicon Valley HTCIA member, has a database that contains more than 75 electric industry control system cyber incidents (this does not count power plants). Weiss advises that the number is growing. However, the electric industry and NERC have generally been silent on disclosing control system cyber incidents, even within the industry.
There have been numerous discussions about the differences between compliance and security. The spirit of the NERC Critical Infrastructure Protection standards (CIPs) is to maintain the reliability of the electric grid in the face of cyber threats. However, the reality is that the NERC CIPs fall far short of meeting that spirit. Specifically, the February 8, 2013 NERC Lessons Learned document provided four case histories that in the IT world would be considered denial-of-service events. Each of the four incidents has occurred elsewhere in the electric and other industries. In most cases they were unintentional, but it was not immediately obvious that they were unintentional. In addition, there were cases where similar incidents were caused maliciously. What does this mean for the HTCIA and those charged with investigating High Tech Crime?
Similar to the situation in the late 1980s and early 1990s, law enforcement and utility investigators will have to learn new skills to investigate how an attack occurred, identify those responsible, collect evidence, and document the event for later prosecution. Though it is easy to state what is needed, actually conducting an investigation of an ICS cyber event is another issue. The DHS has the lead and is moving forward to address this issue. In the short term, HTCIA chapters such as Western Canada are hosting training events to help their members understand the issues. Western Canada is offering a two-day mobile forensics and Supervisory Control And Data Acquisition (SCADA) training, June 10 and 11, in Calgary. Other chapters are beginning to offer ICS training and are recruiting investigators from local utilities to join the HTCIA. The International Conference will also be offering training related to ICS investigations.
My recommendations, if you have not already done so, are to identify Critical Infrastructure Protection assets within your communities or area of responsibility. These may include sewage treatment, electrical, water, and communications assets. Recruit members of their IT or investigative staff and ask that they provide training on ICS. Meet with them and take the time to understand the realities that they face. I would like the HTCIA to help DHS and be in the forefront of protecting our Critical Infrastructure assets. If nothing else, it is a challenge to learn something new and possibly stop a terrorist event from becoming a reality. Good luck!
By Tom Quilty (email@example.com)