The Imperative of Critical Infrastructure Protection – Cyber and Physical (articles/blogs by Chuck Brooks)

In my writings (and speeches) over the past few years, I have communicated the imperative for protecting critical infrastructure against the threat of both cyber and physical attacks. Below is a short compendium of several articles I composed on the topics. Thanks for reading and sharing!

———————————————————————————————————-

Emerging focus on cyber-threats to energy infrastructure

by Chuck Brooks in the Federal Times https://www.federaltimes.com/management/2016/10/18/emerging-focus-on-cyberthreats-to-energy-infrastructure/

Recently, the Kentucky Office of Homeland Security hosted an exercise simulating attacks on the power grid and government computer networks. Participants included law enforcement, first responders, and private sector representatives engaged in health and security.

The exercise centered on how the state would react if hackers were able to take down Kentucky’s energy grid while simultaneously engaged in the exfiltration of information from government computer networks. The goal was to provide a gap model and develop best practices that can be utilized by other states and by the federal Department of Homeland Security (DHS).

Also last week, InfraGard of the National Capital Region announced a partnership between the FBI and the private sector to protect critical infrastructure and provide a comprehensive effort to recognize and support National Critical Infrastructure Security and Resilience Month. The initiative supports the DHS’ National Protection and Programs Directorate’s (NPPD) Office of Infrastructure Protection mission to raise awareness around critical infrastructure protection during the month of November. The energy sector has been a key area of attention for the NPPD.

And perhaps the most concerning news was the announcement by the head of the United Nations nuclear watchdog, International Atomic Energy Agency Director General Yukiya Amano, that a nuclear power plant in Germany was hit by a “disruptive” cyberattack within the past three years. Amano was quoted by Reuters as saying: “This issue of cyberattacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it’s the tip of the iceberg.” He added that this is “not an imaginary risk.”

It should also be noted that in 2014 a computer in the control room at the Monju nuclear power plant in Tsuruga, Japan, was found to be infected with malware, possibly by accident. And in 2015, hackers targeted South Korea’s Korea Hydro and Nuclear Power Company, but the plant control systems were not affected. Most cyber experts believe that North Korea was behind the attempted cyberattack. These incursions are a wake-up call: there is a very real and growing fear that a future cyberattack on a nuclear plant could risk a core meltdown.

Non-nuclear power plants and grid operators have also been subjected to intrusions and breaches. The hack in Ukraine is the prime example. In December 2015, attackers who had first compromised the corporate IT systems of Ukrainian electricity distribution companies, including Kyivoblenergo, used stolen credentials and legitimate remote access to reach the SCADA systems and open breakers at substations, causing a three-hour power outage.

Refineries, dams and data centers are all potential targets of cyber incursion. According to a report released last month titled “The Road to Resilience: Managing and Financing Cyber Risks,” oil and gas companies around the world could face costs of up to $1.87 billion in cybersecurity spending by 2018.

There have been attempted cyberattacks on grids and utilities, many starting with phishing or ransomware, and some have succeeded. Adm. Michael Rogers, head of the National Security Agency and U.S. Cyber Command, has stated that only two or three countries have the ability to launch a cyberattack that could shut down the entire U.S. power grid and other critical infrastructure.

Much of our grid still relies on antiquated technologies, and more investment in defenses is needed. As technology advances exponentially and threat actors (including cyber mercenaries) acquire tools via the dark web, that small number of capable adversaries could expand in the near future.

In 2013, President Barack Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which called for a voluntary, risk-based cybersecurity framework developed jointly by the private and public sectors; the result was the NIST Cybersecurity Framework, first published in 2014.

Congressman Trent Franks, R-Ariz., chairman of the congressional EMP Caucus and considered the foremost expert in Congress on electromagnetic pulses, has introduced legislation (H.R. 3410), the Critical Infrastructure Protection Act. The bill would direct DHS to take practical steps to protect the electric grid, including training and mobilizing first responders for possible EMP events.

Along with Franks and Peter Pry, who heads the Task Force on National and Homeland Security (a congressional advisory board), several noted industry and policy experts, including former CIA Director Jim Woolsey; Frank Gaffney, former deputy assistant secretary of defense and president and CEO of the Center for Security Policy; and Michael Del Rosso, former chairman of the IEEE-USA Critical Infrastructure Protection Committee, have been especially active in alerting the public to the critical need to find near-term solutions to protect the grid.

Clearly the entire energy critical infrastructure is justified in garnering the attention of DHS, states, regulatory organizations and the many subject-matter experts on the topic of cybersecurity.

While the threats are complex and the threat actors varied, ranging across hackers, state sponsors, organized criminal enterprises and terrorists, there are several themes to adhere to in order to mitigate risk. These include:

  • Remain vigilant and continually analyze and game the energy cyberthreat landscape, as the methods, means and malware variants are constantly morphing.
  • Share and communicate cybersecurity information between the public and private sectors (a majority of the energy infrastructure is owned by the private sector). The government and industry are currently using programs such as the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) and the Trusted Automated eXchange of Indicator Information (TAXII) protocol to facilitate rapid sharing of threat indicators. DHS NPPD has established an active and successful program in the area; its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 295 incidents across all critical infrastructure sectors in fiscal year 2015, with energy among the most targeted sectors.
  • Follow industry protocols, especially for Supervisory Control and Data Acquisition (SCADA) systems. Power companies use SCADA networks to control their industrial systems, and many of these networks need to be updated and hardened to meet growing cybersecurity threats, which includes segmenting them from corporate IT networks and tightly restricting remote access, the very path the attackers took into the Ukrainian distribution companies.
  • Maintain robust access management controls and cyber incident response programs. This includes following the cybersecurity guidance and standards of the National Institute of Standards and Technology (NIST), the North American Electric Reliability Corporation (NERC), including its Critical Infrastructure Protection (CIP) standards, the Federal Energy Regulatory Commission (FERC) and the U.S. Nuclear Regulatory Commission (NRC).
  • Invest in next-generation security controls and cybersecurity technologies.

The World Energy Council says countries must raise their game in combating cyberattacks on nuclear and other energy infrastructures. They note that the frequency, sophistication and costs of data breaches are increasing. The expanding cybersecurity focus on energy infrastructure by both the public and private sectors is certainly a welcome development.

———————————————————————————————————

Meeting Security Challenges Through Vigilance, Readiness and Resilience

by Chuck Brooks

[Photo: cables attached to a protective cybersecurity system, taken at the International Cybersecurity Forum in Lille, France. Credit: Philippe Huguen/AFP/Getty Images]

In 2017 we are facing a new and more sophisticated array of physical security and cybersecurity challenges that pose significant risk to people, places and commercial networks. The nefarious global threat actors are terrorists, criminals, hackers, organized crime, malicious individuals, and, in some cases, adversarial nation states. Everyone and anything is vulnerable, and addressing the threats requires incorporating a calculated security strategy.

According to Transparency Market Research, the global homeland security market is expected to reach $364.44 billion by 2020. A large part of the spending increase over the past year is directly related to cybersecurity in both the public and private sectors.

A security strategy to meet growing challenges needs to be both comprehensive and adaptive. Defined by the most basic elements in managed risk, security is composed of:

  • Layered vigilance (intelligence, surveillance);
  • Readiness (operational capabilities, visual command center, interdiction technologies);
  • Resilience (coordinated response, mitigation and recovery).

The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency.

Because society is undergoing such a rapid technological change, the traditional paradigms for addressing threats are evolving with the security challenges. Two particular security challenges characterize the current and future connective landscape in both the public and private sectors: protecting critical infrastructure, and protecting the Internet of Things (IoT) and Smart Cities.

The Security Challenge of Protecting Critical Infrastructure

In the U.S., most of the critical infrastructure, including defense, oil and gas, electric power grids, health care, utilities, communications, transportation, education, banking and finance, is owned by the private sector (about 85 percent) and regulated by the public sector. Protecting the critical infrastructure poses a difficult challenge because democratic societies by their nature are open and accessible. According to the National Consortium for the Study of Terrorism and Responses to Terrorism, a Department of Homeland Security Science and Technology Center of Excellence based at the University of Maryland, between 1970 and 2015, 2,723 terrorist attacks took place in the U.S.; of these attacks, 2,055 (75 percent) targeted critical infrastructure.

Securing soft targets in public places such as airports, trains, buses, malls, schools, stadiums and hospitals necessitates layered vigilance such as security personnel, sensors, cameras, access controls (in some cases), and public/private information and threat sharing with law enforcement.

Among many terrorist incidents, the Paris and Brussels attacks, the Boston bombing, the Orlando nightclub shooting, and especially 9/11 demonstrated the importance of readiness. In those incidents, gaps in training, information sharing, planning, and the lack of interoperable communications between different jurisdictions of first responders led to confusion, and unfortunately risked additional casualties.

Lessons learned from those incidents have not only highlighted the requirements for stronger preparation that includes situational awareness and operational training, but also resilience. A key component of any resilience plan should include scalable communications platforms, geo-location mapping and incident management. Whether an incident is caused by an active shooter or a natural disaster, the ability to securely alert the endangered community, account for the location of threat actors and victims, and coordinate resources is paramount for mitigation and saving lives.

It is not only physical security that is vulnerable, but the cybersecurity of critical infrastructure. Cybersecurity relies on the same security elements for protection as physical security: layered vigilance, readiness and resilience.

U.S. critical infrastructure systems experienced a 20 percent increase in attempted cybersecurity breaches in fiscal year 2015, according to an end-of-the-year report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

Types of cyber threats include phishing scams, bots, ransomware, and malware and software holes that leave vulnerabilities in networks.

Globally, the power grid has been subjected to both physical and cybersecurity attacks in recent years. Cyber attacks have harmed elements of the critical infrastructure in the U.S. and elsewhere, including Ukraine, where a successful attack knocked out part of the power grid. The energy industry provides a good case study for examination of the cyber threat to critical infrastructure. According to a Ponemon Institute report, three-quarters of energy companies and utilities have experienced at least one recent data breach.

Protecting the industrial control systems used by utilities from both physical and cybersecurity threats is one component of the dynamic threat-and-response matrix that makes up their security environment. During escalating events, like downed power lines, pipeline leaks, or cyber attacks, real-time on-the-scene intelligence and operational alarms that relay critical information to the appropriate response personnel are an essential part of that matrix.

In an ecosystem of both physical and digital connectivity, there will always be vulnerabilities, and a breach or failure could be catastrophic. In all cases of critical infrastructure protection, the requirements of situational awareness and the ability to safely access, alert and message principals and communities cannot be overstated.

The Security Challenge of the Internet of Things and Smart Cities

When you think of security challenges, there are none quite as daunting as the Internet of Things (IoT). Cisco estimates that there will be around 50 billion devices and sensors connected to the Internet by 2020. The enormous number of endpoints in the IoT ecosystem allows hackers to exploit them in a variety of ways. The research firm Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT.

There are dire implications of having devices and networks so digitally interconnected. In October 2016, attackers hit the Domain Name System (DNS) provider Dyn, disrupting major components of the Internet’s infrastructure and temporarily taking hundreds of websites offline. The outage was the result of a distributed denial-of-service (DDoS) attack that flooded Dyn’s DNS servers with more query traffic than they could answer, so lookups for its customers’ domains failed. The traffic came from a botnet of IoT devices: consumer hardware such as home routers, webcams and digital video recorders infected with the Mirai malware.

A DDoS attack is an example of turning the breadth of the IoT, millions of weakly secured devices, into a single high-profile and potentially deadly result. It is also a growing trend: DDoS attacks rose 71 percent between the third quarter of 2015 and the third quarter of 2016. The Internet was designed for ease of use, not with security in mind. The IoT’s sprawl of endpoints and devices also opens the door to theft of data and ransomware installations (particularly frightening for hospitals using networks of medical devices and monitors).
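What detecting such an attack looks like on the defender’s side, as an added example that is not from the original article: the Python below ingests DNS resolver log lines in an assumed one-query-per-line “timestamp client qname” layout (the sample log is constructed inside the code, not taken from Dyn) and flags any second whose query rate jumps far above baseline and comes from many distinct clients. It goes one step beyond the article by classifying the spike: a second in which nearly every query carries a different name is the cache-busting random-subdomain pattern that IoT botnets such as Mirai use, whereas many clients asking for a few names is a volumetric flood or a flash crowd. The thresholds (10x baseline, 20 clients, 80 percent unique names) are illustrative assumptions, not tuned values.

```python
"""Flag distributed DNS query floods in resolver logs.

Added example for this page; the log lines are constructed, not Dyn's data.
Assumed log layout (one query per line): "<ISO-8601 timestamp> <client IP> <qname>".
"""
from collections import defaultdict
from datetime import datetime, timezone


def parse_line(line):
    """Return (epoch second, client IP, lower-cased query name) for one log line."""
    ts, client, qname = line.split()
    return int(datetime.fromisoformat(ts).timestamp()), client, qname.lower()


def per_second_stats(lines):
    """Group queries by wall-clock second: count, distinct clients, distinct names."""
    buckets = defaultdict(lambda: {"queries": 0, "clients": set(), "names": set()})
    for line in lines:
        if not line.strip():
            continue
        sec, client, qname = parse_line(line)
        bucket = buckets[sec]
        bucket["queries"] += 1
        bucket["clients"].add(client)
        bucket["names"].add(qname)
    return buckets


def detect_floods(lines, baseline_qps, multiplier=10, min_clients=20, unique_name_ratio=0.8):
    """Return one alert per second whose traffic looks like a distributed flood.

    A second is flagged only when its query rate is at least multiplier x the
    baseline AND the queries come from at least min_clients distinct sources;
    a single noisy client is left to ordinary per-client rate limiting. Each
    alert also classifies the spike: if almost every query carries a different
    name (unique_name_ratio) it is a random-subdomain flood that defeats the
    cache, otherwise a volumetric flood or flash crowd against a few names.
    """
    alerts = []
    for sec, b in sorted(per_second_stats(lines).items()):
        if b["queries"] < multiplier * baseline_qps or len(b["clients"]) < min_clients:
            continue
        ratio = len(b["names"]) / b["queries"]
        alerts.append({
            "second": sec,
            "queries": b["queries"],
            "clients": len(b["clients"]),
            "kind": "random-subdomain flood" if ratio >= unique_name_ratio
                    else "volumetric flood",
        })
    return alerts


def build_sample_log():
    """Constructed resolver log: four consecutive seconds with different traffic shapes."""
    t0 = datetime(2016, 10, 21, 12, 0, 0, tzinfo=timezone.utc)

    def ip(i):  # deterministic fake client addresses in 10.0.0.0/8
        return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"

    def stamp(s):
        return t0.replace(second=s).isoformat()

    lines = []
    # second 0: quiet baseline, 5 clients asking for 5 ordinary names
    lines += [f"{stamp(0)} {ip(i)} host{i}.example.net" for i in range(5)]
    # second 1: flash crowd, 200 distinct clients all asking for the same name
    lines += [f"{stamp(1)} {ip(i)} www.example.com" for i in range(200)]
    # second 2: one misbehaving client hammering the resolver (rate-limit it, do not page)
    lines += [f"{stamp(2)} {ip(9999)} api.example.com" for _ in range(250)]
    # second 3: Mirai-style random-subdomain flood, 150 bots, every name unique
    lines += [f"{stamp(3)} {ip(i % 150)} x{i:04d}.example.com" for i in range(300)]
    return lines


SAMPLE_LINES = build_sample_log()

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LINES, baseline_qps=5):
        print(alert)
```

Run directly, it prints two alerts for the four constructed seconds: the quiet baseline and the single hammering client are not flagged (the latter is a job for per-client rate limiting, not an incident), the flash crowd is reported as a volumetric flood, and the bot second as a random-subdomain flood. In production the baseline would be learned from history rather than passed in, and the alert would carry the top client addresses for blocking or for sharing with the upstream provider.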

Smart Cities are being developed as components of the universe of the IoT. The term “Smart City” connotes creating a public/private infrastructure to conduct activities that protect and secure citizens. The concept of Smart Cities integrates transportation, energy, water resources, waste collections, smart-building technologies, and security technologies and services. They are the cities of the future.

The functions and services of Smart Cities depend upon the secure networking of embedded sensors. These sensors can also be corrupted and breached like any digitally connected device and require strong cybersecurity software applications, hardware and protocols.

The more digitally interconnected we become in our work and personal lives, the more vulnerable we will become. Mitigating the cyber threats will grow as a priority and requires security awareness and that data be secure and reliable.

Protecting critical infrastructure and IoT/Smart Cities are just the beginning of security challenges as we adapt to the technological and cultural changes taking place in 2017 and onward. Every country, governmental jurisdiction, industry, company and individual has their own unique threat landscape to address. A security strategy based on the pillars of vigilance, readiness and resilience needs to be actualized against those threats. This is not only critical for risk management and incident response, but it is an imperative for mitigating harm in an increasingly connected and precarious world.

———————————————————————————————————

CYBERSECURITY EXPERT & HPC CONTRIBUTOR CHUCK BROOKS ON MEETING GROWING SECURITY CHALLENGES

https://highperformancecounsel.com/cybersecurity-expert-hpc-contributor-chuck-brooks-meeting-growing-security-challenges/


———————————————————————————————————-

DCOI ATC (Air Traffic Control) Cyber Security Panel – “GHOST ATTACK” https://paulcsfi.wordpress.com/2015/05/01/dcoi-atc-air-traffic-control-cyber-security-panel-ghost-attack/

Panelists: Chuck Brooks, Innovation, Technology, Homeland Security, Government Relations

Tim Evans, Senior Advisor, Cyber Strategy & Policy; Johns Hopkins University

Ira Hoffman, Law and Policy Expert, Offit Kurman Attorney at Law

Rear Admiral (ret.) Norman Hayes, Former Director of Intelligence, EUCOM (J-2)

———————————————————————————————————-

Creating A Secure Smart City

by Chuck Brooks, Guest Contributor

Qognify Blog https://www.qognify.com/blog/creating-secure-smart-city/

Creating a “Secure Smart City” requires a public/private partnership that incorporates people, policies, processes and technology from both government and industry into the overall strategy process. Smart Cities integrate transportation, energy, water resources, waste collections, smart-building technologies, and security technologies and services. The growing complexity and magnitude of risks requires an unprecedented level of collaboration between public and private stakeholders. Extending public/private sector working partnerships to physical and cyber threats to the critical infrastructure makes good sense.

Most of the urban critical infrastructure is owned by the private sector and regulated by the public sector. Because of that ownership factor, a Secure Smart City can only be really viable if it operates under the umbrella of a public/private partnership.

Frost & Sullivan estimates the combined global market potential of smart city segments (transportation, healthcare, building, infrastructure, energy, governance) to be $1.5 Trillion ($20B by 2050 on sensors alone per Navigant Technology).

Keeping a smart city secure is a real challenge as the urban safety ecosystem of citizens can involve many scenarios and threats, including terrorism, crime, weather incidents, and natural disasters.

Maintaining a secure safe city entails creating a public/private infrastructure to conduct activities and provide technologies that protect and secure citizens. This includes building protocols between the public and private sectors, an essential priority for planning and accountability. Information sharing and interoperable communications are the first step in situational awareness. To understand and meet the changing threats, first responders, law enforcement, and government and civic leaders must collaborate, train together, and be able to talk to each other.

*A successful Safe City is one where law enforcement and the private and public sectors collaborate

Another very difficult challenge is keeping up with the increasing sophistication of the threats. This is not an easy task and requires predictive incident mapping. Elements of that mapping include incorporating predictive analytics, establishing informed risk management planning, and implementing network monitoring and diagnostics across the whole horizon of city systems. Because we are now in a digital era, much of the planning can be largely automated via algorithms and artificial intelligence, augmented by big data. In homeland security, many interesting applications of data analytics are being incorporated into government programs for case management, situational awareness and mitigation. However, everything can be fallible, and there will always be a need for a human oversight factor.

Some of the interesting digital-era technology trends impacting the transformation of smart cities include: automation, robotics, enabling nanotechnologies, artificial intelligence (human/computer interface), photovoltaics and printed electronics, wearables (flexible electronics), and information technologies such as real-time and predictive analytics, super-computing, wireless networks, secure cloud computing, mobile devices, and virtualization.

*Drones – is this the future of Safe City Technology?

While primarily designed to facilitate citizen services, all these technologies also have smart city security applications. In ensuring public safety, mobile chemical and biological sensors can alert to CBRNE threats, and robotics can defuse bombs. Sensors and embedded security systems, including surveillance cameras, can monitor criminal behavior. A good example of these technologies was demonstrated in 2005 in London, where closed-circuit TV cameras helped identify the suspects who carried out the attacks on London’s subway and bus systems. Because personnel cannot constantly patrol every area of a city, surveillance by video and acoustic devices enabled law enforcement to extend their reach. Now, in 2016, most cities employ such monitoring systems.

As our cities grow more complex and interconnected by the Internet of Things, urban smart technologies are becoming more and more ubiquitous. Unfortunately, the threats are also growing and becoming more sophisticated. It is not enough for a city to be wired, accessible, and smart. Security is an imperative and the paradigm for the new “Secure Smart City” is rapidly evolving.

———————————————————————————————————-

THE PUBLIC/PRIVATE IMPERATIVE TO PROTECT THE GRID

by Chuck Brooks

Last week, three high-powered flares erupted from the Sun in a single 24-hour period, sending electromagnetic radiation and energetic particles toward Earth and throughout the Solar System. The flares were categorized as X-class flares, the most intense class, whose associated geomagnetic storms are capable of damaging the electrical grid.

Also last week, a power station in Nogales, Arizona, was targeted for attack by a bomb and an incendiary device planted on a 50,000 gallon diesel tank. Thankfully, the attempt failed.

And last month, the Department of Homeland Security announced that a public utility in the US was the target of a cyber-attack that compromised its control system network. Power companies use Supervisory Control and Data Acquisition (SCADA) networks to control their industrial systems, and many of these SCADA networks need to be updated and hardened to meet growing cybersecurity threats.

In all three cases the electric grid was spared consequences that could have been devastating and disrupted power on a grand scale. The underlying reality is that our electric grid infrastructure is extremely vulnerable to physical, cyber, and natural-force incidents. Public/private collaboration is essential to preventing the next incident to the grid and a national catastrophe.

Protecting our grid is certainly a topic that keeps DHS, DOD and intelligence community planners up at night. The threats can come from an electromagnetic pulse (EMP), whether generated by a geomagnetic storm following a solar flare or by a nuclear weapon delivered on a terrorist short-range missile, from cybersecurity attacks, or from a physical assault on utilities or power plants.

Because of recent incidents and the growing dependence of our economy on the electrical grid, the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies held bipartisan hearings addressing the threats and their implications.

Testimony at the hearings from Dr. Peter Pry, a member of the Congressional EMP Commission and executive director of the Task Force on National and Homeland Security, put the threats in frightening perspective: “Natural EMP from a geomagnetic super storm, like the 1859 Carrington Event or 1921 Railroad Storm, and nuclear EMP attack from terrorists or rogue states, as practiced by North Korea during the nuclear crisis of 2013, are both existential threats that could kill 9 of 10 Americans through starvation, disease and societal collapse.”

Dr. Pry also noted that “a natural EMP catastrophe or nuclear EMP event could black out the national electric grid for months or years and collapse all the other critical infrastructures — communications, transportation, banking and finance, food and water — necessary to sustain modern society and the lives of 310 million Americans.”

Rep. Trent Franks, R-Ariz., Chairman of the Congressional EMP Caucus and considered the foremost expert on EMP in Congress, has introduced legislation (H.R. 3410), the Critical Infrastructure Protection Act. The Act would direct DHS to take practical steps to protect the electric grid, including training and mobilizing first responders for possible EMP events.

Along with Franks and Dr. Pry, several noted industry and policy experts, including former CIA Director Jim Woolsey; Frank Gaffney, a former deputy assistant secretary of Defense and now president and CEO of the Center for Security Policy; and Michael Del Rosso, former chairman of the IEEE-USA Critical Infrastructure Protection Committee, have been especially active in alerting the public to the critical need to find near-term solutions to protect the grid.

Private industry owns most of the nation’s critical infrastructure (communications, transportation, financial, healthcare) that depends on the grid. Finding solutions will require strong public/private sector partnering and collaboration in research, development, and prototyping. That partnership must include an accelerated effort to fund and design new technologies to protect the utilities from natural or man-made electromagnetic surges; further harden hardware and software in SCADA networks against cyber-attack; and provide enhanced physical security for the grid.

Helping reduce the vulnerability of the grid has become a national imperative, and the clock is ticking.

——————————————————————————————————-

Digital Convergence and Cybersecurity

by Chuck Brooks

https://www.alienvault.com/blogs/security-essentials/digital-convergence-and-cybersecurity

We live in a world of digital convergence. Our bank accounts, credit cards, and daily financial activities are interconnected. Our interpersonal communications are more often than not via smartphones and social media apps. Our records, including personal medical histories, are all digitized and shared. We now conduct our daily lives in a world of algorithms.

Because of this expanding interconnectivity and digital commerce, there are security and privacy implications. We have also become increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals. Malware, viruses, and the nefarious trend of ransomware that targets our digital interfaces are becoming the norm.

In the past year alone hundreds of millions of private records from retail corporations, internet companies, and banks have been exposed. In government, most visibly as a result of the Office of Personnel Management breach, millions of confidential records of employees were compromised. Recently, it was disclosed that 360 million records from MySpace were stolen in a breach.

There is a growing understanding of the seriousness and sophistication of the threats, especially denial of service attacks that can take an entire ecosystem down. The list of adversarial actors is a large one that includes states, organized crime, terrorists, and loosely affiliated hackers. The recent cycle of major industry and governmental cyber breaches is emblematic of growing risk. The implications of the vulnerabilities can be severe. Former Department of Homeland Security (DHS) Secretary Hon. Tom Ridge noted that “a few lines of code can wreak more havoc than a bomb.”

Both government and the private sector have prioritized critical infrastructure as the primary focus of threat and response. Notably, most of the world’s critical infrastructure, and by common estimate about 85% of critical infrastructure in the United States, is owned and operated by private sector companies. Last year, DHS tracked more than 200,000 cyber incidents involving critical infrastructure in the United States. All critical infrastructure, including the electric grid, healthcare, transportation, communications, and financial networks, is vulnerable and has been subject to cyber-attacks.

Digital convergence also requires a convergence in cybersecurity defenses and the development of next-gen cyber tools that include predictive security and analytics. Also, capabilities in information sharing, hardware, software, training and protocols must improve to be able to mitigate the multitude of potential hostile digital activities. Identity risk management, including strong password protection combined with biometric authentication, requires heightened attention and investment. And industry and government need to further discuss scenarios and establish working protocols and coordinated responses for confronting the evolving threat matrix. Recent Congressional legislation has prodded the information sharing process along in 2016.

The digital convergence really has become a digital fusion. As all our devices and activities in our lives become more connected, cybersecurity will likely be the core digital factor that keeps us safe into the future.

—————————————————————————————————–

Critical Infrastructure Cybersecurity – Center Stage A Decade After The 9/11 Commission Report

by Charles Brooks, Featured Contributor

At the recent 2014 Aspen Ideas Festival, former 9/11 Commission Chairman and Governor of New Jersey, Tom Kean, noted that cybersecurity has exponentially grown as a threat since the original 9/11 Commission Report was issued.

The Governor is right–much has changed in the last decade. While dire terrorism threats remain, cyberterrorism and cybercrime have elevated as persistent, sophisticated, and dangerous threats to security and commerce.

The new reality is that almost all of our critical infrastructures operate in a digital environment, including the health care, transportation, communications, financial, and energy industries. While the information technology landscape has greatly evolved, so have the vulnerabilities. Ten years after 9/11 we are all reliant on the Internet’s connectivity for vital human services in almost every aspect of our daily lives.

In addition to its primary role in combating terrorism, the Department of Homeland Security (DHS) has assumed the lead civilian agency role in government for addressing cybersecurity. The agency’s role has evolved in correlation with the growing and complex threat, especially to the critical infrastructure.

Developments in the last few years have shaped DHS’s policy role. In July of 2010, the Office of Management and Budget (OMB) assigned DHS primary responsibility for overseeing the federal-wide information security program and evaluating its compliance with the Federal Information Security Management Act (FISMA) of 2002. As a result, DHS became responsible for overseeing the protection of the .gov domain and also for detecting and responding to malicious activities and potential threats. DHS was also charged with annually reviewing the cybersecurity programs of all federal departments and agencies.

In February of 2013, President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, further delineating DHS’s increased cybersecurity role toward developing standards and enhancing information sharing with critical infrastructure owners and operators. The Executive Order was aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public/private cyber ecosystem and had three areas of major focus: 1) increase information sharing with the private sector, including classified cyber threat data; 2) create a voluntary framework based on industry best practices to improve the cybersecurity of critical infrastructure providers; and 3) protect privacy and civil liberties throughout the sharing and framework. DHS created eight working groups to implement the Executive Order.

Since most of the critical infrastructure in the US is owned and operated by the private sector, DHS recognized the importance for private sector input into cybersecurity strategies and requirements across industry verticals. The Council on Cybersecurity has played a key role in facilitating this dialogue.

Last year, the Council on CyberSecurity published the 20 Critical Security Controls, developed in collaboration between the public and private sectors, which provide an emerging framework for protecting the critical infrastructure. The list is a recommended set of actions for cyber defense that provides specific and actionable ways to stop today’s most pervasive attacks. The Controls were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.
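As an added illustration of the kind of automation the Controls call for (this is example code written for this compendium, not code from the Council on CyberSecurity or from the original article), the script below implements the core of what was then Control 1, the inventory of authorized and unauthorized devices. It parses DHCP lease acknowledgements in ISC dhcpd log format, reconciles the MAC addresses it sees against an authorized inventory, and reports both unknown devices and inventory entries that never showed up. The inventory, MAC addresses, hostnames and log lines are constructed for the example and do not describe any real network.

```python
"""Reconcile observed network devices against an authorized inventory.

Added example implementing the automated check behind Critical Security
Control 1 (inventory of authorized and unauthorized devices). The inventory
and the DHCP log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed authorized inventory: MAC address -> (hostname, owning team).
# The last entry is deliberately absent from the log to show the "not seen" case.
AUTHORIZED = {
    "00:11:22:33:44:55": ("scada-hmi-01", "ops"),
    "00:11:22:33:44:66": ("historian-01", "ops"),
    "aa:bb:cc:dd:ee:01": ("eng-laptop-07", "engineering"),
    "00:11:22:33:44:77": ("plc-gateway-02", "ops"),
}

# Constructed log lines in ISC dhcpd DHCPACK format. One unknown device
# (de:ad:be:ef:00:01) appears twice with different addresses, and one
# authorized MAC is logged in upper case to exercise normalisation.
SAMPLE_LOG = """\
Jun  3 09:12:01 dhcp dhcpd: DHCPACK on 10.20.0.11 to 00:11:22:33:44:55 (scada-hmi-01) via eth1
Jun  3 09:12:05 dhcp dhcpd: DHCPACK on 10.20.0.12 to 00:11:22:33:44:66 (historian-01) via eth1
Jun  3 09:15:40 dhcp dhcpd: DHCPACK on 10.20.0.57 to de:ad:be:ef:00:01 (android-7f3a) via eth1
Jun  3 09:16:02 dhcp dhcpd: DHCPACK on 10.20.0.58 to AA:BB:CC:DD:EE:01 (eng-laptop-07) via eth1
Jun  3 09:17:10 dhcp dhcpd: DHCPACK on 10.20.0.59 to de:ad:be:ef:00:01 (android-7f3a) via eth1
"""

# Matches "DHCPACK on <ip> to <mac> (<hostname>)"; the hostname is optional
# because dhcpd omits it when the client sends none.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str


def parse_leases(log_text):
    """Return one Lease per DHCPACK line, with MACs normalised to lower case."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def reconcile(leases, authorized):
    """Compare observed leases with the inventory.

    Returns (unauthorized, missing):
      unauthorized: dict of MAC -> set of IPs, for MACs not in the inventory
      missing:      set of inventory MACs that never appeared in the log
                    (a stale inventory entry or a device that is down; either
                    way something an operator should check)
    """
    seen = {}
    for lease in leases:
        seen.setdefault(lease.mac, set()).add(lease.ip)
    unauthorized = {mac: ips for mac, ips in seen.items() if mac not in authorized}
    missing = set(authorized) - set(seen)
    return unauthorized, missing


def report(log_text=SAMPLE_LOG, authorized=AUTHORIZED):
    """Print a human-readable summary and return the reconcile() result."""
    unauthorized, missing = reconcile(parse_leases(log_text), authorized)
    for mac, ips in sorted(unauthorized.items()):
        print(f"UNAUTHORIZED device {mac} seen at {', '.join(sorted(ips))}")
    for mac in sorted(missing):
        print(f"NOT SEEN: {mac} ({authorized[mac][0]})")
    return unauthorized, missing


if __name__ == "__main__":
    report()
```

Run against the constructed log, the script flags de:ad:be:ef:00:01 as unauthorized (seen at two addresses) and reports that plc-gateway-02 was never observed. In a real deployment the inventory would come from a CMDB or asset database and the log from the production DHCP servers or switch MAC tables; the reconciliation logic stays the same, and the "not seen" list is as useful as the "unauthorized" one, since it catches inventory drift that would otherwise let a retired device's entry be reused to disguise a rogue one.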

Governor Kean and members of the 9/11 Commission also recognized that DHS and the public need to be proactive rather than reactive to cyber-attacks against sensitive networks. The public and executive management in industry need to be educated on the threats and share information and protocols with the government to mitigate cyber threats to critical infrastructure. The Council on CyberSecurity’s important work in the cyber domain and especially on Critical Security Controls can be a guiding path to making the homeland more secure and resilient in the next decade to the growing cybersecurity threat.

——————————————————————————————————

Chuck Brooks is President of Brooks Consulting International. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 500 million members. Chuck’s professional industry affiliations include being the Chairman of CompTIA’s New and Emerging Technology Committee, and a member of The AFCEA Cybersecurity Committee. In government, Chuck served at The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues. In academia, Chuck was an Adjunct Faculty Member at Johns Hopkins University where he taught a graduate course on homeland security for two years. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.