
Thoughts on President Obama’s executive order on improving critical infrastructure cyber security

Michael Angelo

Over the past few years, the president of the United States has worked to remediate issues within the cyber infrastructure. The most recent executive order is yet another attempt to preempt potential disaster by mitigating underlying critical infrastructure issues.

The most interesting section aims to reduce cyber risk to critical infrastructure. Essentially, it says that NIST will develop a framework to reduce cyber risks by incorporating voluntary international standards, as applicable. Additionally, the cyber security framework (CSF) will provide a prioritized, flexible, repeatable and cost-effective approach to help identify, assess and manage cyber risks.

The order also calls for the identification of critical infrastructure at risk, requiring an ongoing assessment of various areas to determine which may present the greatest risk.

While reading this, I reflected on three things I was told while growing up: Don’t talk to strangers; Don’t take gifts (candy) from strangers; and Don’t talk about your private business with people who are not involved in it.

So what does this have to do with the executive order? 

Stranger danger

The Internet is a world of strangers. We don’t know who is on it, what they are doing, or what they want to do (intentionally or unintentionally). Do we really need to expose critical infrastructure segments to the Internet? Are there sub-segments that we need to expose that might not be as critical?

Not all elements of critical infrastructure are always “critical.” For example, if we look at the nuclear power segment, the accounts receivable element may not be critical, but coolant system controls are. Unless we can make this assessment, perhaps we should not put it on the Internet. Simply put: We shouldn’t talk to strangers.

Keep away from strangers with candy

Candy or gifts can take many forms in today’s digital world: advanced persistent threats or spear phishing are the digital world’s candy and gifts. These gifts can be delivered via email, as attachments, which raises the question of why email (in a critical infrastructure) should be allowed from a non-secure environment into a secure environment. This thinking shouldn’t stop with email; it should also include Internet surfing.

At the end of the day, we should not allow critical infrastructure systems to get digital candy from strangers -- at the very least, we should not let strangers close enough to offer us candy at all.

What happens at home stays at home

While growing up, I learned not to let people know when you weren’t home, in order to avoid being burglarized. With that in mind, is it so important for critical infrastructure elements to have their details on the Internet? Shortly after 9/11, I discovered a number of water plants and power stations on the Internet. These facilities allowed one to look at how much water/electricity flowed, where it was going, and what type of plant it was. This information could be used for a physical attack, or even a digital attack -- can you say DDoS? Public availability of a critical infrastructure segment may or may not lead to new disasters, but why wait to find out?

I find that these three rules apply not only to the world we live in, but to the Internet as well. We need to realize that the Internet is by nature not a safe place. Bad things happen, and while we can always seek recourse, it is easier to prevent bad occurrences than to have to clean up afterwards. So, the real question is: “Why are we allowing the critical infrastructure to connect to the Internet?”

Perhaps our parents were right and we should apply their old rules to critical infrastructure on the Internet.

 

Michael F. Angelo is Chief Security Architect for NetIQ. He can be reached at:

[email protected]
