By Michael Peters1
A recent GAO report [GAO-10-628, Critical Infrastructure Protection Key Private and Public Cyber Expectations Need to Be Consistently Addressed, www.gao.gov/products/GAO-10-628 ] reveals that a key expectation from industry was for actionable cyber threat information from the federal government. The dissemination of this tactical level of information [See sidebar "Threat" Versus "Tactical" Information] has not been completely met. Because of this lack of information, a company may choose not to implement cybersecurity defenses because it feels there is no threat. I believe this reliance on tactical threat information is a false interpretation of the environment and is a major impediment to securing our critical infrastructures from attack.
I do not believe this tactical level of information is necessary for a critical infrastructure company to implement cybersecurity defenses. The federal government has provided strategic- level cyber threat information to the various critical infrastructures, and this type of information sharing can easily continue, as the strategic threat is the information that the government most likely will be able to acquire and distribute.
However, even this level of threat information really isn't necessary in order to justify and implement cybersecurity defenses. Many threat actors exist today that can impact the security of a control system. If these adversaries are successful in gaining access to the control system, they then can manipulate the control system and wreak havoc on the devices and the processes the control system is overseeing and, therefore, impact the reliability of the operation. These adversaries range from the traditional hacker to the criminal, disgruntled insider or terrorist to the nation-state adversary. All of these adversaries have a range of capabilities and intents, though the common assumption is that the nation-state is the most technically sophisticated, and the hacker the least. In addition, many of these adversaries are capable of very structured as well as unstructured operations. What is crucial here is that the level of sophistication, structure, capabilities, etc., varies for all of the adversary types. So while many feel that hackers are the least sophisticated, least structured and least capable, quite a few are highly sophisticated, highly structured and highly capable. By the same token, a few nation-states are not very sophisticated, not very structured and overall not very capable. A security professional should never fall into the trap of assuming that a specific type of adversary has "specific" traits.
Understanding these adversaries and determining their capabilities and intents is a very difficult problem and often results in less-than-complete information. And it is this information that forms the basis of the threat leg of the traditional risk equation of Risk = Threat x Vulnerability x Consequences. This lack of information often results in reducing the perceived risk to the system. However, what every critical infrastructure company should assume is that at some point in time one or more of these adversaries will attack them. In my opinion, critical infrastructure companies should assume that the threat level is "1" (i.e., that a viable cyber threat to their control systems exists). Because in reality, what threat actor attacks them is immaterial, as the company and its customers should not and do not care what adversary has successfully exploited the system. All they care about is that the system has been exploited, and the services/products that the company provides and the customer desires are not available.
Now a frequent counter-argument raised by the critical infrastructure companies is that they can't afford to address everything, and without this threat information, they don't know what to spend their resources on to fix. While I agree that their resources are limited, and they can't address everything, I believe that there is a better way of determining where to spend their scarce cybersecurity dollars rather than waiting for tactical cyber threat information that they may not receive and would probably be constantly changing even if it were readily available.
Two Ways of Looking at Things
I think critical infrastructure companies should examine themselves from two main perspectives and not rely on threat information. The first perspective is most directly tied to the mission of the company, whether it is providing electricity, making potable water, refining gasoline or manufacturing a television, etc. One recommendation I make is that companies should create tiger teams of specialists, including their most knowledgeable operators, control system experts and IT personnel, and charge them with the task of developing scenarios for causing the most harm, destruction or danger to company personnel or to the public. These individuals have the most detailed intimate knowledge of the company's systems and processes, and they will often know exactly how to cause the most damage to the company's operations. They then can build on this knowledge and determine how to best mitigate the attack vectors that they developed.
The second perspective is from a traditional vulnerability assessment/evaluation arena. The critical infrastructure companies need to examine their systems looking for vulnerabilities. They then need to determine the consequences/impacts to the company's operations and to their customers of a successful exploitation of the vulnerability. They need to determine the capabilities that are necessary in order to successfully exploit the vulnerability and cause the identified consequences. Then the last facts that should be determined are whether the capabilities needed to successfully exploit the vulnerability currently exist, and whether these capabilities are easy to use. Finally, the company needs to determine how to mitigate the vulnerability identified and to minimize the impact of a successful exploitation. The company should also answer all of these questions for the scenarios developed by its internal tiger team.