IDC report – Executives need to act

Nov. 18, 2008
I wanted to provide my insights on the IDC white paper: Critical Infrastructure Cybersecurity: Survey Findings and Analysis. It provides findings and analysis of a survey of 199 responders conducted by Secure Computing regarding critical infrastructure cyber security. The inaccuracies and inconsistencies I point out are not with the Secure Computing survey, but with the IDC analysis and interpretation of the results that are presented in the report.

“Finally, the survey respondents were asked what they believed was the biggest bottleneck to critical infrastructure security. The largest number of respondents believed that cost was the biggest bottleneck. Apathy was cited as the second biggest bottleneck. Government bureaucracy and internal issues were tied for the third biggest bottleneck. Interestingly, the lack of available technology and the complexity of the problem were the last two bottlenecks cited by the respondents.” - From my experience, this is wrong! In all industries, the greatest bottleneck is senior management not recognizing control system cyber security is a critical issue. Fix that as some of the oil/gas and chemical companies have and most of the implementation issues will go away. Also, industrial control system security requires a merging of thought and talent from Operations, IT, and management. It could be that respondents to the survey provided the answers from their own lens, one of the three areas, and that a merged response would reflect more of a direction that management can control. I believe we will see more management buy-in and understanding in the coming months, driven by awareness and certainly by regulation.

“Types of threats – the report indicates that Malware was 28.8%, Phishing was 18.3%, Data Loss Prevention was 19.4%, Insider was 17.7%, and Crime was 15.7%.” - These appear to be legitimate numbers for IT, but have little relevance to control system cyber incidents. Since when does Phishing affect PLCs or other legacy control system field devices?

“Over 50% of the respondents stated that critical infrastructure had already been attacked.” If 50% of North American responders are serious that their critical infrastructure has already been attacked, how can they be doing so little and ignoring so much? Additionally, if these are IT-type attacks, how can the security be so ineffective?

The protection of our most critical assets requires understanding and merging of core technologies and corporate groups. In some ways, the organization chart must all participate and this requires direction from the top. We are making progress, but not fast enough, and hopefully information in the survey, report and herein will serve as a further catalyst.

The Secure Computing survey results are similar to those conducted by Trusted Network Technologies in 2006 where 50 North American utilities were surveyed and 20% said their SCADA systems had already been compromised and 67% claimed total SCADA awareness. Obviously, something is amiss. There is a need to take swift and careful action, because we really are that unsecure. There has been enough talk; it is time for executives to act.

Joe Weiss