Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Need for Improved Critical Industrial Infrastructure Protection
1. Urgent Need for Improved
Critical Industrial
Infrastructure Protection
By William J McBorrough, MSIA, CISSP, CISA, CRISC, CEH
Principal, Secure Intervention
2. Agenda
Introduction
What is the risk?
What are the threats?
What can government do?
What can Industry do?
Closing thoughts
Questions
3. Introduction
Critical Industrial Infrastructure includes electricity
grids, nuclear power plants, coal power plants, water and
sewer facilities, etc
85% owned and operated by private, for-profit interests.
4. What is the risk?
According to Department of Homeland Security – “ Attacks
using components of the nation’s critical infrastructure could
disrupt the functions of government and business and have
devastating physical and psychological consequences.”
5. What are the threats?
On June 1, New York Times reported cyber attack against
Iran’s Nantanz nuclear power plant, which was first
discovered in June 2010, was the work of US and Israel.1
‘Stuxnet” was a computer worm that was hand carried into
facility. It infected the control systems causing physical
damage.
6. What are the threats? ……cont’d
In May 2012, the Department of Homeland Security warned
of ongoing cyber attacks against “gas pipeline sector”.2
Attacks began in December 2011
Attacks use sophisticated spear-phishing techniques
7. What are the threats? ……cont’d
In October 2011, security researchers released a report
detailing discovery and analysis of “Duqu”.3
Duqu bears similarities to Stuxnet, possibly by some
responsible parties.
Duqu is an espionage malware used to gather information
useful in attacking industrial control systems.
8. What are the threats? ……cont’d
In 2010, McAfee released a global “Critical Infrastructure
Protection” report stating “ 80% of companies surveyed
faced large-scale denial of service attacks, and 80%
experience a network infiltration” .4
9. How can government help?
Reasonable regulatory framework like the Security and
Regulatory Standards by National American Electric
Corporation (NERC) for bulk power industry
Increased public-private collaborations through programs
like FBI’s Infragard and National Infrastructure Protection
Center
Countries like China, Japan and Italy have already taken more
aggressive stance including government regulations and
audits
10. What can industry do?
Participate in public-private collaborative efforts and help
drive regulatory framework that actually makes sense.
Implement internal policies and procedures to govern use of
systems and networks
Increase security controls in your networks and systems
11. Closing thoughts
Successfully tackling the problem requires the public and
private sectors working together.
Technological advances like smart grids provide significant
benefits, but also introduces huge security risks.
More action is needed now to avoid the inevitable over-
reaction that will undoubtedly follow the also evitable
catastrophic attack against our critical infrastructure.
12. Questions?
Welcome to send follow up question to me at
wjm4@secureintervention.com
Connect on LinkedIN at www.linkedin.com/in/mcborrough
Follow me on Twitter @securnetworks