Thoughts on President Obama’s executive order on improving critical infrastructure cyber security
Over the past few years, the president of the United States has worked to remediate issues within the cyber infrastructure. The most recent executive order is yet another attempt to preempt potential disaster by mitigating underlying critical infrastructure issues.
The most interesting section aims to reduce cyber risk to critical infrastructure. Essentially, it says that NIST will develop a framework to reduce cyber risks by incorporating voluntary international standards, as applicable. Additionally, the cyber security framework (CSF) will provide a prioritized/flexible/repeatable/cost-effective approach to help identify, assess and manage cyber risks.
The order also calls for the identification of critical infrastructure at risk, requiring an ongoing assessment of various areas to determine which may present the greatest risk.
While reading this, I reflected on three things I was told while growing up: Don’t talk to strangers; Don’t take gifts (candy) from strangers; and Don’t talk about your private business with people who are not involved in it.
So what does this have to do with the executive order?
The Internet is a world of strangers. We don’t know who is on it, what they are doing, or what they want to do (intentionally or unintentionally). Do we really need to expose critical infrastructure segments to the Internet? Are there sub-segments that we need to expose that might not be as critical?
Not all elements of critical infrastructure are always “critical.” For example, if we look at the nuclear power segment, the accounts receivable element may not be critical, but coolant system controls are. Unless we can make this assessment, perhaps we should not put it on the Internet. Simply put: We shouldn’t talk to strangers.
Keep away from strangers with candy
Candy or gifts can take many forms in today’s digital world: Advanced Persistent Threats or spear phishing are the digital world’s candy and gifts. These gifts can be delivered via email, as attachments, and raise the question of why email (in a critical infrastructure) should be allowed from a non-secure environment to a secure environment. This thinking shouldn’t stop with email; it should also include Internet surfing.
At the end of the day, we should not allow critical infrastructure systems to get digital candy from strangers -- at the very least, we should not let strangers close enough to offer us candy at all.
What happens at home stays at home
While growing up, I learned not to let people know when you weren’t home, in order to avoid being burglarized. With that in mind, is it so important for critical infrastructure elements to have their details on the Internet? Shortly after 9/11, I discovered a number of water plants and power stations on the Internet. These facilities allowed one to look at how much water/electricity flowed, where it was going, and what type of plant it was. This information could be used for a physical attack, or even a digital attack -- can you say DDoS? Public availability of a critical infrastructure segment may or may not lead to new disasters, but why wait to find out?
I find that these three rules apply not only to the world we live in, but to the Internet as well. We need to realize that the Internet is by nature not a safe place. Bad things happen, and while we can always seek recourse, it is easier to prevent bad occurrences than to clean up afterwards. So, the real question is: “Why are we allowing the critical infrastructure to connect to the Internet?”
Perhaps our parents were right and we should apply their old rules to critical infrastructure on the Internet.
Michael F. Angelo is Chief Security Architect for NetIQ. He can be reached at: