Intelligence Sharing Partnerships Are Needed to Improve Critical Infrastructure Cybersecurity

A new survey of top IT executives reconfirms the findings from other recent cybersecurity studies regarding the online defense at utilities and other vitally important public- and private-sector organizations. The report outlines what is good and what needs improvement in our online defense of critical infrastructure facilities.

August 9, 2015

Grand Coulee Dam

Credit: Shutterstock/Matt Ragen 

A new Aspen Institute and Intel Security sponsored survey found that, while optimism in online security protections is up, the threat level of cyberattacks has also escalated. One top finding: 86 percent of respondents see a need for improving public-private threat intelligence sharing partnerships.

The report focused on critical infrastructure organizations in France, Germany, the United Kingdom and the United States. You can read the eight-page PDF version of the survey results for free at this link: Critical Infrastructure Readiness Report: Holding the Line Against Cyberthreats.

Here are the top five findings from the executive summary (along with a brief description of the item, where needed):

Finding 1: Disconnect or overconfidence

Even though major data breaches make regular headlines, many executives surveyed rated their organization’s defenses good to excellent, possibly from overconfidence or misplaced faith in their capabilities to effectively respond to an attack, based on Intel Security threat reports.

Finding 2: Threats and confidence both on the rise

Finding 3: Favorable to cooperation

More than three quarters of executives believe it is important to increase cooperation among organizations and with their own governments to counter cyberthreats.

Finding 4: Serious cyberattack believed likely

Finding 5: BYOD a non-factor, humans still the weakest link

Few executives believe that the proliferation of personal devices at work is a prime cause of cyberattacks, despite the priority assigned to bring-your-own device issues (BYOD) by cybersecurity companies. Respondents believe user error, not software or device failure, is the leading cause of security breaches.

Report Analysis

In my view this report is well done and worth reading. I found the first finding to be very intriguing, with destructive cyberthreats rising dramatically at the same time executive confidence in protections is rising. These results show either naiveté or remarkable faith in one’s cyberteam – at a time when new data breaches are reported in our headlines almost daily.

We are now eighteen months after the president’s executive order on protecting critical infrastructure cybersecurity, along with the release of the latest cybersecurity framework. It is important that we keep checking back to see how things are progressing.

I like several of the coverage pieces from the wider cybersecurity community on this report. This Marketwatch.com story highlighted the challenges still before us that the survey identifies:

  • Perceived Improvements: Respondents believe their own vulnerability to cyberattacks has decreased over the last three years. When asked to evaluate their security posture in retrospect, 50% reported that they would have considered their organizations “very or extremely” vulnerable three years ago; by comparison, only 27% believe that their organizations are currently “very or extremely” vulnerable.
  • Government Involvement Encouraged: Private industry is often hesitant when it comes to government’s involvement in private sector business; however, 86% of respondents believe that cooperation between the public and private sectors on infrastructure protection is critical to successful cyber defense. Furthermore, 68% of respondents believe their own government can be a valuable and respectful partner in cybersecurity.
  • Confidence in Current Solutions: Sixty-four percent believe an attack resulting in fatalities has not happened yet because good IT security is already in place. Correspondingly, more than four in five are satisfied or extremely satisfied with the performance of their own security tools such as endpoint protection (84%), network firewalls (84%), and secure web gateways (85%).
  • Disruptions Increasing: More than 70% of respondents think the cybersecurity threat level in their organization is escalating. Around nine in ten (89%) respondents experienced at least one attack on a system within their organization, which they deemed secure, over the past three years, with a median of close to 20 attacks per year. Fifty-nine percent of respondents stated that at least one of these attacks resulted in physical damage….

Steve Grobman, who is the chief technology officer for Intel Security Group, summarized the report under these three popular groupings for Dark Reading.

  • The good news: no catastrophic loss of life and an improved confidence in critical infrastructure cyber security postures
  • The bad news: cyber-attacks are real, increasing, and capable of real, substantive damage to our critical infrastructure
  • The potentially ugly: attacks are likely to become fatal and could escalate from the digital to physical realms.

I also like this Cruxialcio.com summary of what a destructive attack might look like, if it happens:

“Many cities are also dependent on power service to maintain safe upkeep of homes, residential buildings, and business establishments. Most building heaters are powered by electricity, and so are many other environment controllers.

While it is still not likely that deaths could result from cyber attacks in the present time, this possibility looms in the future as more and more cities are starting to be dependent on computer systems to run. This means that cyber security professionals and companies must be twice as vigilant to prevent these incidents from occurring.”

Different Surveys on Critical Infrastructure Yield Similar Findings

Back in April, a similar report that focused on North and South America was released by Trend Micro and the Organization of American States (OAS). That report also showed a dramatic increase in cyberattacks directed against critical infrastructure owners and operators. You can read a summary of those OAS findings on hacking critical infrastructure here.

Another recent example comes from this Columbia University panel discussion on critical infrastructure cybersecurity from May 2015.

This C-SPAN video from the Aspen Institute's July 2015 conference on recent data breaches is worth watching: http://www.c-span.org/video/?327112-6/discussion-cybersecurity

You can also learn more about the Aspen Institute and watch related sessions on global security at this website.

Summary

In this report, respondents from the transportation and energy sectors were more likely than their counterparts in other sectors to deem the possibility of a dangerous attack to be “likely or highly likely.” I find that result to be concerning.

Also, more than 70 percent of respondents think the threat to their organizations is escalating. Almost nine out of 10 experienced at least one attack in the last three years that caused some damage, disruption, or data loss, with a median of close to 20 attacks per year. Forty-eight percent believe it likely to extremely likely that a critical infrastructure cyberattack will result in human fatalities in the next three years.

What’s the bottom line from this report and the similar reports this year?

If you haven’t already done so: Act now on cyberthreats to critical infrastructure under your control – and especially build new trusted relationships with others.

The cyberthreat is real and growing – and our sharing of threat intelligence must grow as well – along with new public-private partnerships on critical infrastructure protection. 

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso