I had the privilege to attend an industry event in September 2019, where William Evanina, Director of US National Counterintelligence and Security Center (NCSC), was speaking to some of IIoT’s foremost researchers who are at the forefront of the innovations that will shape the critical infrastructure of tomorrow. In his passionate talk, Mr. Evanina elaborated on the changing focus within the US Counterintelligence strategy, moving from an adversary-based approach to a more open-yet-focused strategy intended to keep critical elements of the United States economy protected and strong. It goes without saying that the security of Critical Infrastructure was a pillar of Mr. Evanina’s message and one of the key focus areas in this shift in US Counterintelligence strategy.
This updated strategy makes complete sense. With all the advances in technology, across a wide spectrum of fields, the world as we know it is changing at a pace never seen before. Not surprisingly, this directly correlates to the threats that are increasing around us, coming together to form unprecedented risk against us. Cybercrime is no longer solely about illegal movie downloads or accessing credit card information – both of which are more prevalent than ever before – cybercrime is now bridging the gap into the physical world, where the very systems that deliver our energy, our food and water supply, and our healthcare can become compromised. Because these physical systems are so critical to our society, cyberattacks against them lead to significant “business” opportunity for the cybercriminal community.
Industrial control systems (ICS) are at the heart of many different vertical industries, controlling systems that run our manufacturing, manage our power grid and ensure the safety of our oil fields, to name just a few key industries. With a mix of legacy platforms and new, innovative technologies coming together, ICSs are a critical focus area of this US Counterintelligence strategy.
I spoke at the ICS Cybersecurity Conference in Atlanta last month, with the goal of raising awareness of software protection as a key element of every system and device security strategy. While hardware security and network security are a well understood core of security requirements, software security remains less mature, focusing primarily on prevention of code vulnerabilities and blocking access from outside the system. However, as we see increased levels of connectivity and remote access from software applications running on more standardized devices, such as mobiles or PCs, we need to expand the scope of the threat landscape to scrutinize the software running on these devices. To ensure that software running on these standardized devices remains trusted, current secure software development practices need to be augmented in several key ways, such as:
- A broader view of business impacts from cyberthreats during the requirements phase.
- The addition of software hardening techniques during development.
- Enabling collection/analysis of security indicators/metrics on deployed devices.
- The use of machine learning to counter software threats.
The protection and safety of our critical infrastructure will depend on strict adherence to the old adage of “Defense-in-Depth”, and this has to be applied across all elements of an ecosystem, including any software accessing our critical systems.
As Admiral Rogers highlighted in his keynote speech at ICS Cybersecurity, private-public partnerships have never been more important. It is crucial for organizations like Homeland Security, the US FDA, the US Department of Energy, and their counterparts all around the world to drive the security requirements needed across industries to ensure that the common good is protected and safety standards are met. Equally important, however, is the commitment from the community members of these industries to share information and collaborate towards the overall improvement of security in their industry. While government bodies have a shallow-but-broad view of industry threats, it is the community members that have the best view on potential attack vectors, at-risk deployments, and upcoming experimental innovations which, while potentially increasing threat risk, may still prove hugely beneficial. Cybersecurity vendors must also share the insight they have accumulated over the years fighting these battles in other industries, so that no one is forced to reinvent the wheel. As differing public agencies establish the forums in which members of the community collaborate, it is critical that each private company contributes towards a common and solid security strategy for the industry.
November is Critical Infrastructure Security and Resilience Month but, with the volatile geopolitical and economic factors our world is facing, security diligence in critical infrastructure must be top of mind all the time.