Ultra Electronics 3eTi

Learning to Protect the Networks That Protect Us

August 29th, 2014 / By

The growing number of attacks on networks has become one of the most serious economic and national security threats to our nation. It is imperative that these threats be thought of daily as a legitimate cause for concern. To keep networks secure, and to lock down the critical cyber space we all share, network owners and public officials must work to empower the general public to create a safe, secure, and resilient cyber environment.

However, in discussions with some decision makers in critical industries such as nuclear power and utilities, I question whether they share this point of view, or are even aware of these vulnerabilities. If they are aware, then why is comprehensive cybersecurity not higher on their priority list? A full 67 percent of respondents in a July 2014 UNISYS / Ponemon survey said their companies experienced at least one security compromise in the previous 12 months that caused a loss of confidential information or a disruption to operations. Moreover, 57 percent agreed that cyber threats pose a risk to SCADA and industrial control systems.

Despite numbers like these, it seems not much is being done. Our experience, supported by the Ponemon findings, tells us that more effort is going into situational and after-the-fact remedies, once the damage has been done, rather than into proactive and preemptive solutions to prevent cyber attacks. According to Ponemon, only 17 percent of companies researched reported that most of their IT security programs are deployed. Half of the respondents said their IT security activities had not been defined or deployed. Ponemon findings suggested a possible reason that aligns with what we see all the time: Only 28 percent of respondents agreed that security is among the top five strategic priorities across the enterprise.

During a recent visit to survey the operations of a manufacturing plant, I noticed a computer running Windows XP executing a critical operation. I asked the foreman if this PC was connected to a network. He told me that all the computers in the facility were networked. I asked him if he was concerned about a cyber-attack and he told me that he was “covered.” IT has virus protection in place and they have a firewall. “Nothing to worry about.” When I explained to him that some attackers could thwart those defenses and potentially take control of his XP machine, he was surprised and said, “That would be a big problem.” Still, he was following “corporate procedures.”

There is reason for optimism. Many of us at 3eTI try to follow student and nonprofit trends in hacking research and studies. I recently came across Build IT Break IT Fix IT: Build IT (Online, August 28, and in September). The Build it Break it Fix it contest, according to its website, is a new programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security challenge is intended to teach students to write more secure programs, and reward them for doing so.

My hat is off to these future leaders. They hopefully will go into the world with a greater appreciation for the importance of cyber-hardening, and multiple layers of defense that include device-level protection. They won’t have to be convinced that implementing good M2M cybersecurity is worth a close look and a little more ink on the annual budget.

My colleagues and I are becoming deeply concerned about how to selectively protect critical databases and endpoint terminals from advanced persistent threats. Our concern is that more decision makers in critical infrastructure industries don’t universally or uniformly seem to share our concern. We’re very glad tomorrow’s graduates seem to be paying attention.