Do Firms Expect Too Much Cyber Threat Data?

By Michael Peters, Infrastructure and Cybersecurity Advisor

A recent U.S. General Accounting Office (GAO) report [GAO-10-628, "Critical Infrastructure Protection Key Private and Public Cyber Expectations Need to Be Consistently Addressed," www.gao.gov/products/GAO-10-628 ] reveals that a key expectation from industry is for actionable cyber-threat information from the federal government.

The dissemination of this tactical level of information has not been completely met (see "Threat" vs. "Tactical" Information). Because of this lack of information, a company may choose not to implement cybersecurity defenses because it feels there is no threat. I believe this reliance on tactical threat information is a false interpretation of the environment, and is a major impediment to securing our critical infrastructures from attack.

I do not believe this tactical level of information is necessary for a critical infrastructure company to implement cybersecurity defenses. The federal government has provided strategic-level, cyber-threat information to the various critical infrastructures, and this type of information sharing can easily continue because the strategic threat is the information that the government most likely will be able to acquire and distribute.

However, even this level of threat information really isn't necessary in order to justify and implement cybersecurity defenses. Many threat actors exist today that can impact the security of a control system—traditional hackers, criminals, disgruntled insiders, terrorists and nation-states. All of them have a range of capabilities and intents, though the common assumption is that the nation-state is the most technically sophisticated, and the hacker is the least. Many of these adversaries are capable of very structured as well as unstructured operations. What is crucial is that the level of sophistication, structure and capabilities varies for all the adversary types. A security professional should never assume that a specific type of adversary has "specific" traits.

Wobbly Threat Leg?

Understanding these adversaries and determining their capabilities and intents is a very difficult problem and often results in less-than-complete information. However, this information forms the basis of the "threat leg" of the traditional risk equation: Risk = Threat x Vulnerability x Consequences. This lack of information often results in reducing the perceived risk to the system. However, what every critical infrastructure company should assume is that one or more of these adversaries eventually will attack them. Critical infrastructure companies should assume that the threat level is "1," meaning a viable cyber threat to their control systems exists. What threat actor attacks them is immaterial.  What  companies and their customers should care about is that their system has been exploited, and the services/products that the company provides are not available.

Now, a frequent counter-argument raised by the critical infrastructure companies is that they can't afford to address everything, and that, without this threat information they don't know what to fix and how to spend their resources. While this is true, I believe that there is a better way of determining where to spend scarce cybersecurity dollars than waiting for tactical cyber-threat information that they may not receive and would probably be constantly changing, even if it were readily available.

Two Security Perspectives

I think critical infrastructure companies should examine themselves from two main perspectives, and not rely on threat information.

The first is most directly tied to the mission of the company, whether it is providing electricity, making potable water, refining gasoline or manufacturing televisions, etc. Companies create "tiger teams" of specialists, including their most knowledgeable operators, control system experts and IT personnel, and charge them with the task of developing scenarios for causing the most harm, destruction or danger to company personnel or to the public. These people have detailed intimate knowledge of the company's systems and processes, and they will often know exactly how to cause the most damage to operations. They can build on this knowledge and determine how to best mitigate the attack vectors that they developed.

The second perspective is from a traditional vulnerability assessment/evaluation arena. Critical infrastructure companies need to examine their systems looking for vulnerabilities; determine the consequences/impacts to the company's operations of a successful exploitation of the vulnerability; determine the capabilities that are necessary to successfully exploit the vulnerability and cause the identified consequences; determine whether the capabilities needed to successfully exploit the vulnerability currently exist, and whether these capabilities are easy to use; and finally, tdetermine how to mitigate the vulnerability identified and to minimize the impact of a successful exploitation. The company should also answer all of these questions for the scenarios developed by its internal tiger team.

“Critical infrastructure companies should assume that the threat level is "1," meaning a viable cyber threat to their control systems exists. ”

Now the company can prioritize what it fixes by working through the results of the above analysis. Vulnerabilities with high/major impacts, where the capabilities to successfully exploit currently exist and are easy to use, should be fixed first.

The overall goal is to improve the security of the system, and the above methodology only uses the vulnerabilities and consequences—information that is most likely known—rather than needing threat information which is typically unknown. (This is information that is definitely unknown at the tactical level and often considered not detailed enough at the strategic level.)