Presentation to National Coal Council on need for improved critical industrial infrastructure protection in energy sector.

1. Urgent Need for Improved
Critical Industrial
Infrastructure Protection
By William J McBorrough, MSIA, CISSP, CISA, CRISC, CEH
Principal, Secure Intervention

2. Agenda
 Introduction
 What is the risk?
 What are the threats?
 What can government do?
 What can Industry do?
 Closing thoughts
 Questions

3. Introduction
 Critical Industrial Infrastructure includes electricity
grids, nuclear power plants, coal power plants, water and
sewer facilities, etc
 85% owned and operated by private, for-profit interests.

4. What is the risk?
 According to Department of Homeland Security – “ Attacks
using components of the nation’s critical infrastructure could
disrupt the functions of government and business and have
devastating physical and psychological consequences.”

5. What are the threats?
 On June 1, New York Times reported cyber attack against
Iran’s Nantanz nuclear power plant, which was first
discovered in June 2010, was the work of US and Israel.1
 ‘Stuxnet” was a computer worm that was hand carried into
facility. It infected the control systems causing physical
damage.

6. What are the threats? ……cont’d
 In May 2012, the Department of Homeland Security warned
of ongoing cyber attacks against “gas pipeline sector”.2
 Attacks began in December 2011
 Attacks use sophisticated spear-phishing techniques

7. What are the threats? ……cont’d
 In October 2011, security researchers released a report
detailing discovery and analysis of “Duqu”.3
 Duqu bears similarities to Stuxnet, possibly by some
responsible parties.
 Duqu is an espionage malware used to gather information
useful in attacking industrial control systems.

8. What are the threats? ……cont’d
 In 2010, McAfee released a global “Critical Infrastructure
Protection” report stating “ 80% of companies surveyed
faced large-scale denial of service attacks, and 80%
experience a network infiltration” .4

9. How can government help?
 Reasonable regulatory framework like the Security and
Regulatory Standards by National American Electric
Corporation (NERC) for bulk power industry
 Increased public-private collaborations through programs
like FBI’s Infragard and National Infrastructure Protection
Center
 Countries like China, Japan and Italy have already taken more
aggressive stance including government regulations and
audits

10. What can industry do?
 Participate in public-private collaborative efforts and help
drive regulatory framework that actually makes sense.
 Implement internal policies and procedures to govern use of
systems and networks
 Increase security controls in your networks and systems

11. Closing thoughts
 Successfully tackling the problem requires the public and
private sectors working together.
 Technological advances like smart grids provide significant
benefits, but also introduces huge security risks.
 More action is needed now to avoid the inevitable over-
reaction that will undoubtedly follow the also evitable
catastrophic attack against our critical infrastructure.

12. Questions?
 Welcome to send follow up question to me at
wjm4@secureintervention.com
 Connect on LinkedIN at www.linkedin.com/in/mcborrough
 Follow me on Twitter @securnetworks

13. References
 http://www.nytimes.com/2012/06/01/world/middleeast/obam
a-ordered-wave-of-cyberattacks-against-iran.html1
 http://www.csmonitor.com/USA/2012/0505/Alert-Major-
cyber-attack-aimed-at-natural-gas-pipeline-companies2
 http://www.crysys.hu/publications/files/bencsathPBF11duqu.
pdf3
 http://www.mcafee.com/us/resources/reports/rp-critical-
infrastructure-protection.pdf4