

08:44 PM
Patricia Keefe

Baked-In Security

While much of the Monday-morning quarterbacking of the response to Hurricane Katrina revolves around poor communication, bureaucratic missteps, sluggishness, and red tape on both the state and federal levels, the disaster got me thinking about something entirely different: the readiness of our national infrastructure--roughly 80% of which lies in private hands--to withstand or bounce back from a disaster or cyberattack of similar proportions.

One look at New Orleans and the Mississippi cities of Gulfport and Biloxi makes it very clear what happens when we have wholesale, widespread shutdowns of key utilities--water, electricity, fuel, and communications: chaos, panic, and death. It also points to the perils of inadequately secured ports, oil rigs, and levees. It's not good.

Now, we don't have oil rigs and levees everywhere. And a Category 5 hurricane is not a common occurrence. That is not the point. The issue isn't even whether anything could have withstood the howling winds, storm surge, and flooding wrought by Katrina. Clearly not.

The issue is that we do have chemical plants all over the place, key ports of entry ringing the country, a network of interstate highways and skyways, and a national grid of utility, water, communications, and network services we all take for granted. These pieces of our critical infrastructure have long been considered prime targets for physical and cyberattack, and, indeed, it may not be possible to protect them from a determined attacker.

But it is possible to put into place physical and cyber safeguards, and it is possible to have a detailed, thought-out plan for recovery in the event of, say, a major shutdown of the electricity grid or air-traffic control. We just assume these things are so.

Which is why, I think, as stunning as the images of destruction are--and you don't expect to see that kind of devastation in the United States--the country seems more shocked by the aftermath. We perhaps naively expected to see an almost instantaneous response--the kind we are accustomed to seeing our nation lend to other planetary citizens. And for whatever reasons, when it did not happen, the shock was felt around the world. Closer to home, people died.

And yet, it could be worse. The question that is going to have to be addressed at some point in the angst-ridden postmortem is this: What if this level of disaster happens again? On a broader, more nationwide scale? We can no longer say terrorist attacks and the unbridled wrath of Mother Nature don't hit here. The last four years make it clear they do. And we can no longer assume that when these disasters strike, wreaking the level of havoc they do, we'll be bouncing back to normal in no time. We won't.

Given our focus on technology, I cannot help but wonder about a wider-scale shutdown of key services driven by cyberattacks, and whether we've made any progress in the area of cybersecurity beyond the many committees, subcommittees, and proclamations that have been created over the last four years to address the subject. So it seemed a good time to check in with the security experts at the SANS Institute, specifically its longtime director of research, Alan Paller. As it turns out, my timing was perfect--in recent weeks there has been progress on this very issue, including "three or four" conversations about it at the White House level. Among the changes under way:

  • An old idea that could go a long way toward addressing the cybersecurity side of critical infrastructure has gotten new wind recently as three current and former federal CIOs--Karen Evans, the head of E-government and chair of the Federal CIO Council; Lisa Schlosser, CIO at HUD; and John Gilligan, formerly CIO of Energy and recently retired CIO of the Air Force, now a senior exec at SRA--have renewed efforts to push the idea. Variously called "The Big Idea" and "Baked-in Security," the idea is to lead the way by using federal procurement to set new security standards and to force vulnerability testing. Using the clout of government contracts, these CIOs are essentially advocating pushing some of the security responsibility down to the vendors. The thinking, Paller says, is that if the feds can demand a certain level of security and monitoring capabilities built into the PCs they buy--i.e., Center for Internet Security compliance--how long will it be before Boeing says, "Hey, we want those too," and more ordinary companies and consumers chime in as well?

  • On the physical security front, it turns out that the utility companies are working together as you read this to pull together a standard for Scada (Supervisory Control and Data Acquisition) industrial control systems, a very big deal further explained by InformationWeek Editorial Director Bob Evans in an Aug. 29 column on our annual security issue. According to Paller, "The utilities are getting together and saying, 'Wait a minute, Scada provider. When you sell your next system to us, it has to have these characteristics.'"

    The reason there is so much excitement over "Baked-in Security" is fourfold, Paller explains:

  • It recognizes that only the federal government has the money to force, or if you prefer, persuade, vendors to make these changes. "It radically lowers costs to do it once, at the supplier level, rather than having to harden systems at every desktop after deployment."

  • The hoped-for "catalytic" changes can have widespread impact, since we are not talking about fighter jets or systems specific to the narrow needs of some agency. We're talking about ordinary systems used everywhere for a variety of purposes. The feds run hospital systems, power plants, telephone networks--you name it, Paller says. "There is nothing these guys [critical infrastructure suppliers] run that the feds don't run, so the federal buying power is highly relevant."

  • It transfers some big pieces of the security responsibility back onto the vendor. For example, instead of an agency doing vulnerability testing of the software it is buying, Paller says, the government is picking up on an idea he attributes to Gartner and starting to put together RFPs that require developers to run a vulnerability test of their software on the platforms they are proposing the customer buy. The vendor is too embarrassed to deliver systems that fail the vulnerability tests, so it fixes them. This way, customers are provided with secure systems at the outset. Procurement is also being considered as a way of requiring vendors to include facilities for automated monitoring of the security of software or hardware, so that it stays safe.

  • The expectation is that the requirements at the federal level will roll over to everyone eventually, upping the level of secure systems all around.

    A little closer to my original question, at best, Paller says we can expect to see mobile recovery technology, starting with mobile communications, improved "radically" following the lessons learned from Katrina. But in terms of large-scale impact on the national infrastructure, he is doubtful. More likely, he predicts, will be the changes wrought over time by the initiatives he described above. Let's hope those CIOs find some willing listeners.
