Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
7/22/2015
07:00 PM
Steve Grobman
Steve Grobman
Partner Perspectives
50%
50%

Out of Aspen: State of Critical Infrastructure Cybersecurity, 2015

The good, bad, and potentially worse of critical infrastructure protection.

There has been a significant post-9/11 focus on securing critical infrastructure systems – many of which pre-date the Networked Age and were potentially more vulnerable to attack than newer networked systems. Cyber-attacks on critical infrastructure systems have not yet resulted in the loss of human lives. And yet a number of recent events suggest that a closer look at the state of critical Infrastructure cybersecurity is necessary to determine progress and unfulfilled needs.

The annual Aspen Security Forum takes place this week in Aspen, CO. This two-day line-up of national security panels and 1:1 discussions presents a great forum to gauge the state of critical infrastructure cybersecurity. In cooperation with the Aspen Institute, Intel Security surveyed security professionals in energy production, financial services, transportation, telecommunications, and many government functions to determine what progress has been made, and what areas require greater attention.

Our survey results revealed the good, the bad, and the potentially worse of critical infrastructure protection:

·       The good news: no catastrophic loss of life and an improved confidence in critical infrastructure cyber security postures

·       The bad news: cyber-attacks are real, increasing, and capable of real, substantive damage to our critical infrastructure

·       The potentially ugly: attacks are likely to become fatal and could escalate from the digital to physical realms.

First, consider the good news.

Respondents demonstrate a significant degree of confidence in the state of their cybersecurity posture – confidence registered by both satisfaction in their security defenses and a perceived decline in vulnerability to attacks in recent years. Half of respondents considered their organizations “very or extremely” vulnerable three years ago. By comparison, 27 percent believe that their organizations are currently “very or extremely” vulnerable today.

Eighty-four percent are “satisfied” or “extremely satisfied” with the performance of their own security tools such as endpoint protection, network firewalls, and secure web gateways. If anything, the greatest threat to critical infrastructure appears to be human rather than technical. As we’ve seen in other areas, the most common cause of successful attacks on critical infrastructure is human error – users falling victim to social engineering such as spear phishing.

This confidence does not mean that they are complacent.

More than 70 percent think the threat to their organizations is escalating. Almost 9 out of 10 experienced at least one attack in the last three years that caused some damage, disruption, or data loss, with a median of close to 20 attacks per year. Forty-eight percent believe it likely to extremely likely that a critical infrastructure cyber-attack will result in human fatalities in the next three years.

While they continue to look at further investment in various security areas, the vast majority think that greater cooperation and public-private partnerships with national and international agencies are important to keep pace with the escalating threat landscape.

What form would these joint activities take? Well, the top rated suggestions were joining a national or international defense council to share threat intelligence and defense strategies, taking coordinated direction on cyber defense, or even national legislation that requires cooperation with government agencies. The majority of respondents felt that their own government as well as international agencies could be valuable and respectful partners in cybersecurity, and many were open to sharing network visibility if it was deemed vital to national or global cyber defense.

However, one caution was that more than three-quarters of the security professionals supported the use of national defense forces to retaliate in response to a fatal critical infrastructure attack within the country. Given that only a third think that nation-state security services are behind the serious attacks on their organization, identifying a target for retaliation is problematic. Even if a nation-state is responsible, how do you conclusively determine the source of the attack, when it is using code borrowed or bought from organized crime in one country and servers spread across 5 other countries?

It is essential for the public and private owners and managers of critical infrastructure to act now. Nobody wins if a digital conflict escalates into conventional, kinetic conflicts between nations. Developing successful public-private cooperation today will help us avoid military escalation scenarios tomorrow.

Steve Grobman is the chief technology officer for Intel Security Group at Intel Corporation. In this role, Grobman sets the technical strategy and direction for the company's security business across hardware and software platforms, including McAfee and Intel's other security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2002-0390
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.