How Could the American Blackout Happen?
"What makes cyber unique is the ability for an attacker to overcome the challenges of time, space, and scale." – Michael Assante, Board Director and Advisor to Council on CyberSecurity, leading expert on energy sector cybersecurity.
Cyber attacks against America’s critical infrastructure, including the power grid, are intensifying at an alarming rate. According to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), from October 2012 to May 2013 there were 200 brute-force cyber attack incidents, surpassing the 198 total attacks in all of fiscal year 2012. Of those 200 attacks, 53% targeted the energy sector with an additional 3% solely targeting the nation’s nuclear sector. The attackers deployed methods as varied as spear-phishing attacks, SQL injections, and watering hole attacks. Continuing cyber intrusions directed against critical infrastructure make evident the imperative for greater cybersecurity. This upsurge of cyber threats aimed at critical infrastructure is one of the most pressing national security challenges facing the nation.
Current challenges in cybersecurity are a function of shortcomings in three major areas: people, technology and policy. These include a shortage of qualified cybersecurity professionals, a lack of clarity about which technology to use and which measures to implement first, and a lack of consistency in effective corporate and public policy.
Today, the cybersecurity field suffers from a lack of definition that leaves employers and managers guessing at what is needed in terms of competencies. Businesses are nearly completely in the blind regarding how much, if any, investment is required to recruit, develop, and retain top cyber talent to maintain and defend their networks. In 2003, the Northeast Blackout underscored the importance of ensuring that qualified, competent professionals build, operate, maintain, and inspect the nation’s most critical infrastructure. In that case, the lack of proper training and certification requirements for personnel was found to be a causal factor in the large-scale system failure. In terms of process and technology, there is a nearly infinite list of good things an enterprise can do to enhance its cybersecurity posture, yet this abundance of action items has actually made the path forward less clear. The overwhelming multitude of choices has created a phenomenon that the Council on CyberSecurity Director of Programs, Tony Sager, has dubbed the "Fog of More". This "Fog" has hampered our efforts to gain clarity about what we ought to do next. Finally, while there are many government initiatives to address the challenge, there is still a lack of clear public policy (including laws, regulations and standards of due care), as well as inconsistency in corporate policies (what to invest scarce resources in, and where, for maximum impact).
How We Are Preparing
"We should be prepared to deal with cyber attacks that may result in difficult-to-restore power outages." – Michael Assante
Good technical defensive practices, as outlined in the 20 Critical Security Controls (CSC), combined with a skilled workforce, provide the best defense against cyber attacks. Implementation of the Controls makes it more difficult and risky for the adversary to do the necessary reconnaissance; minimizes the opportunity for an adversary to pre-place attack infrastructure such as jump points, collection points, beacons, and "sleeper" malware; and additionally provides a known, managed environment that can recover significantly faster. Power companies are diligently working to develop cyber talent and implement practices to further reduce the likelihood that these events could take place. It would take an incredibly complex and well-resourced attack to plunge all of the U.S. into the dark, since the type of technology, configurations and architectures vary widely across numerous power entities. Historically, utility companies have risen to address reliability challenges, and today they are actively working to defend against cyber attacks.
The Way Forward
"We believe the answer to enterprise protection in cyberspace starts with the 20 Critical Security Controls." – Tony Sager, Director of Programs, Council on CyberSecurity
The Council believes that all three elements of the cyber ecosystem – people, technology, and policy – must be considered together and brought into alignment in order to create a foundation of security practices that are understandable, usable and scalable for every individual. To manage the cybersecurity of the American economy and this nation’s critical infrastructure, we must find ways to develop civilian professionals who can build and manage secure, reliable digital infrastructures and effectively identify, mitigate and plan for the serious threats we face. Action to professionalize our cybersecurity workforce must begin now. To cut through the "Fog of More", the 20 Critical Security Controls provide an actionable plan to organize defense, focus resources, and align tools and technologies. The Controls are the standard of due care for enterprise cybersecurity. Sensible public and corporate policies must be promoted and enforced to ensure that meaningful action is taken to overcome vulnerabilities. With qualified people using the right technology to craft sensible, effective policy, we can make cybersecurity best practice become common practice.