A reflection on the need to adopt shared regulation for the security of critical infrastructure, and Eugene Kaspersky's point of view on the topic.

The security of critical infrastructure is an urgent priority for any government. NIST announced the Framework for Improving Critical Infrastructure Security, a document that proposes cybersecurity standards and practices for building out a security program.

The cybersecurity framework for critical infrastructure proposed by the US Government is a “living document” meant to improve the internal security of the country's infrastructure. In recent years the security industry has observed that the number of high-profile attacks such as Stuxnet and Shamoon has reached unprecedented levels, alerting politicians and intelligence agencies to the possible risks of a cyber offensive against these vital systems.

Utilities, transportation systems, telecommunication systems and power grids are just some examples of critical environments where networks and infrastructure run arcane software that is not aligned with modern security requirements.

Kaspersky, the CEO of Kaspersky Lab, expressed many doubts about the methods pursued to date during an interview at the last Kaspersky Cyber Security Summit. He is skeptical about any international effort to develop globally recognized standards.

“I vote for less regulation in technology and innovation,” “The older I am, the less and less I believe in international projects. Let the nations do it themselves, and they can be an example for the rest of the world. I think the United States will be first and then the rest of the world can copy and paste.” he said.

Eugene Kaspersky has long been warning the security industry about the possible risks of a major attack on critical infrastructure, but he is convinced that there is still too much to do to address the growing cyber threats.

Kaspersky is convinced that making each government responsible for defining the countermeasures needed to mitigate cyber threats will help create the conditions for healthy competition that could give rise to innovative projects.

“If you have many competing companies there’s much more chance that one of these will come up with something innovative. I vote for competition. I believe in a world that has independent and competing businesses,” “There’s a much better chance that the right answer will be found much faster.” Kaspersky said.

The software running on computers within critical infrastructure in many cases lacks security by design and hasn’t been subjected to any kind of security testing. As an example, during the last S4x14 Conference in Miami, Luigi Auriemma of ReVuln disclosed a serious vulnerability in HMI software. The team of researchers at ReVuln discovered a buffer overflow vulnerability in IntegraXor, a web-based HMI software product designed by the Malaysian SCADA company Ecava.

We must consider that although we all agree on the risks related to a possible attack against critical infrastructure, there is still a lot of disagreement in the industry about the terms used to qualify these critical systems.

Contrary to Kaspersky’s idea of leaving each government responsible for its own infrastructure, policymakers and politicians have led calls for regulation and standardization in security. It is a hard challenge: each actor involved in the creation of standards and regulations must be properly recognized.

As remarked by ThreatPost, one of the principal problems related to the security of SCADA and critical infrastructure is that the majority of these systems are owned and managed by private companies.

“The government has no critical infrastructure of its own. It relies on the private sector for that, and when it goes down, the government goes down,” “National security and economic security are intertwined.” said Tom Ridge, the former secretary of the Department of Homeland Security and former governor of Pennsylvania.

Which are the privileged targets for cybercriminals and state-sponsored hackers?

Kaspersky confirmed that US infrastructure is at the top of the target list for hackers.

“It’s very difficult to compare who is better protected. The U.S. is the most developed IT country in the world,” “It has many more SCADA systems than any other country, so the U.S. is the biggest target. But it also has the most resources. So which nation is better protected, the one with all of the systems and resources or the one with fewer systems and is a smaller target?” he said.

I would also note that the information and tools necessary for an attack against SCADA systems are quite easy to find online; consider, for example, how simple it is to find SCADA components exposed online through the Shodan search engine. Once the targets are identified, the next step is to choose the weapons, and the underground offers a huge collection of exploits to hit them.

“Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property,” “Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas.” are the words used by President Obama to describe the criticality of the topic.

Time is running out … cyber security for critical infrastructure is a must!

Pierluigi Paganini

(Editor-In-Chief, CDM)