The reported hack against an Illinois water utility company in November brings to the forefront one of the biggest public and private sector concerns when it comes to Critical Infrastructure Protection (CIP) - cyber security. Whether it is defending against cyber terrorism, cyber warfare, or malicious hackers, it seems clear that securing our countries critical infrastructure must be a nationwide priority. Unfortunately, this and other recent incidents raise serious questions on our state of readiness when it comes to defending against these threats.
For the Illinois water utility hack, why was a contractor allowed to access the SCADA system from Russia? If access from remote countries were allowed per policy, why was it mistaken for a breach? If policy disallowed, why weren't appropriate authentication and access controls in place? How does a plant failure attributed to a cyber attack in June only get reported to DHS in November?
While some of the questions are unique to this specific incident, they highlight concerns shared by many when it comes to cyber security practices and standards employed in the defense of critical infrastructure. Since American Presidential Directive PDD-63 concerning CIP was enacted in May of 1998, progress has been made. However, one has to question whether we've caught up or fallen further behind.
The increasing connectedness of infrastructure not only makes us more vulnerable to cyber security attacks but increases the cascading effect an attack can have on other infrastructure sectors and capabilities. When PDD-63 was enacted, my guess would be that same Illinois water utility wasn't even accessible via the internet. Today, much if not most of our critical infrastructure is either directly connected or indirectly via corporate networks that are. Another example of this is the recently reported South Houston incident where a hacker remotely compromised a SCADA HMI system via the internet.
Within some industries good standards and practices exist, NERC CIP being a great example. However, for the majority of critical infrastructure sectors, definitive and enforceable standards are absent. This leaves many private industries taking a wait and see approach. Why invest time and resources in cyber security when a future defined standard could nullify the investments made? In an ideal world, private industry would just “do the right thing.” However, implementing a comprehensive cyber security plan is complex and costly. Combine that with a constrained economy and one can understand why many are sitting on the sideline or taking a very conservative approach.
One can only hope that whatever did happen at that Illinois water utility company will have a big impact on policy makers across the private and public sector. If nothing else, let's hope it's a wake up call. The infrastructure we rely on that enables our country to operate and to defend itself is vulnerable. The time to act is now.
Chris Petersen is the co-founder and CTO at LogRhythm.