US Not Ready for Cyber Attack – No kidding

December 19, Reuters – (National) U.S. not ready for cyber attack. The United States is unprepared for a major hostile attack against vital computer networks, government and industry officials said on December 18 after participating in a two-day “cyberwar” simulation. The game involved 230 representatives of government defense and security agencies, private companies, and civil groups. It revealed flaws in leadership, planning, communications, and other issues, participants said. “There isn’t a response or a game plan,” said senior vice president of the Booz Allen Hamilton consulting service, which ran the simulation. “There isn’t really anybody in charge,” he told reporters afterward. Officials cited attacks by Russia sympathizers on Estonia and Georgia as examples of modern cyberwarfare, and said U.S. businesses and government offices have faced intrusions and attacks. Source: http://uk.reuters.com/article/technologyNewsMolt/idUKTRE4BI00520081219?sp=true I would like to point out an exercise we held in 2006 at the final KEMA Control System Cyber Security Conference. There were approximately 120 attendees from various industries and government organizations from all over the world representing a number of different critical industrial infrastructures. These were the cognizant technical people that had a vested interest in cyber security of critical infrastructures. They were broken up into 6 groups with each group having experts from IT security, control systems, government, IT and control system vendors, etc as participants. They were physically separated then given the same information concerning a possible cyber attack on their critical infrastructures. What was so interesting was the independent, yet common response from each group to each set of succeeding information. Basically, there was no consensus about what to do, who to contact, when to declare an emergency, when to isolate critical control system networks, etc.  As additional technical information came in about the actual event, there was still no consensus about what to do until critical systems were actually being affected.  Despite all of the tabletop exercises having been run to date, I believe this is typical of what would actually happen in a wide-spread cyber attack on the critical industrial infrastructures. Joe Weiss Beginning in January, I will be providing a monthly subscription newsletter. Stay tuned for more details.