Like most forms of evil, cyber security threats do best under a cloak of silence. The fewer people who know about a threat, the more it can spread unhindered. By contrast, widespread information sharing about threats can help defenders prepare for a threat and minimize impact. But how to gather all that information in one place and get it to the people who need it?
That’s where the Industrial Control Systems Information Sharing and Analysis Center (ICS-ISAC) comes in. ISACs already exist for a number of specific industries such as information technology, financial services, and yes, even the electricity sector. But ICSs cut across many industries, such as energy, transportation, manufacturing, and utilities. These industries are served by a common set of vendors with a common set of products. So a vulnerability in one vendor’s product line could spell danger for many industries. The mission of ICS-ISAC is to spread those messages across industries.
ICS-ISAC held its first conference in September in Atlanta. As cyber security conferences go, it was a breath of fresh air. Although many of the usual suspects (like me) attended, the topics were anything but the usual fare. Rather than a parade of vendor presentations, this conference was nonstop panel discussion on cyber security topics that utilities actually think about: situational awareness, workforce development, cyber insurance, establishing facility inventory, and organizational identity.
The session on building a cyber security workforce was fascinating. Schools and industry want to make cyber security a cool career choice to attract more students to the profession. Could we even entice professionals to make a mid-career change to cyber security? There is a desperate shortage of qualified cyber security experts – those who can tell a utility in practical terms what security it needs. One penetration testing firm has expanded its services from remote software testing to putting on hard hats and walking around substation yards to understand the threats facing its clients. That requires substantially more staff than running penetration tests from a remote office.
Into the Light
There were speakers from Qatar and the Czech Republic at the September conference, describing their national computer emergency response teams (CERTs). Both countries had been subjected to full-scale attacks upon their national infrastructure: Qatar in 2012 and the Czech Republic in 2013. Both have passed laws to identify their critical national infrastructure, and each now has a single response center in place to defend its infrastructure. While a large nation like the United States might require more than a single response center, having the entire national infrastructure covered by incident response is a desirable state.
The key role of ISACs centers on communication. For any organization to share the attacks it has endured, especially successful attacks, is an act of immense will. But without that sharing, the infrastructure as a whole remains in the dark. Members of ICS-ISAC are committed to breaking out of this protectionist mindset and sharing the information that will help the entire infrastructure defend itself.
The right security solutions exist and must be deployed. On top of that, let us all communicate openly so that the serious threats are exposed to the light of day before they can wreak havoc.