Why more steps to protect critical infrastructure are needed



(Editor’s note: In this Last Watchdog guest essay, Lior Frenkel, CEO and co-founder of Waterfall Security Solutions, points out that some level of work is being done to protect industrial controls.)

By Lior Frenkel, Special to Last Watchdog

Most computers controlling critical infrastructures are protected by IT-style security at best. The problem is that IT-style protections are routinely bested by everyone from Chinese intelligence agencies to hacktivists who adopted Chinese attack techniques years ago.

IT security experts have largely given up blocking these attacks at network perimeters and are deploying tools to find compromised computers after the fact. This may meet business network needs. However, allowing an enemy on the other side of the planet remote control of safety-critical computers, even temporarily, is unacceptable.

The good news is that while critical infrastructure targets in many nations are not prepared for sophisticated attacks, the North American power sector is becoming an exception.

More and more critical infrastructure sites are recognizing this threat and taking action, deploying Unidirectional Security Gateways (USGs) to completely block attacks originating on business networks or the Internet. They deploy physical security programs to prevent physical modifications to critical computers, and they are deeply suspicious of every bit of information which enters control system computers from outside: USB flash sticks, CDs, and even the hard drives of new computers. All new information is tested thoroughly on isolated test beds before being trusted on a critical network.

All American nuclear generators have programs like this in place. Even more conventional generators – gas, hydro and coal – have such programs as well. America’s water systems are not far behind. In the power sector, the recently approved North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 security regulations encourage the use of USGs and require physical security programs. Water sector standards are still being developed.

What we enjoy now is a small window of grace. Sophisticated attack techniques have become widely known, now that details of the Stuxnet attack and attacks by Chinese intelligence agencies have been well-documented. Nation-states are reluctant to use these techniques on each other’s critical infrastructures, since such action will likely be considered an act of war.

Terrorist groups and hacktivists have not yet decided to start using these well-documented techniques in their campaigns. Many critical infrastructure sites, particularly in the power sector and increasingly in the water sector, are taking this opportunity to put serious defensive capabilities in place. Even more sites need to be encouraged to do so.

About the essayist: Lior Frenkel is CEO and co-founder of Waterfall Security Solutions, a leading provider of stronger-than-firewalls solutions, such as Unidirectional Security Gateways, for industrial control networks and critical infrastructures. The company’s products are deployed in utilities and critical national infrastructures throughout North America, Europe, Asia and the Middle East. Frenkel has 20 years of experience in large-scale hardware and software research and development, including government, military and enterprise-level cyber-security systems. Lior holds a B.Sc. in Computer Science and Statistics from Bar-Ilan University.
