From: WSJ/CIO Journal
Rachael King
Noted cybersecurity expert Alan Paller believes there are only 18 to 20 people in the whole country qualified to protect the nation’s infrastructure from a concerted cyber attack. That’s an incredibly small number of people considering the hundreds of thousands of engineers working in the private, public and military sectors, but Paller isn’t the only person who thinks that’s the case.
Since the Stuxnet virus was launched in 2010, probably by the U.S. government against Iranian nuclear facilities, the incidence and ferocity of cyber warfare have risen to new heights. The vulnerability of the entire U.S. utility grid and industrial infrastructure, from power plants to water facilities and chemical plants, is well-understood. There are software engineers who can help stave off less-sophisticated attacks on a specific site, but defending against Stuxnet or the more-recent Shamoon virus – particularly if it infects multiple networks – is something else altogether.
“The number of people who can deal with Stuxnet on planet Earth is a really small number,” said Chris Bronk, fellow at the James A. Baker III Institute for Public Policy at Rice University. “There aren’t a lot of superheroes,” he added.
One might expect those superheroes to come from Langley or Palo Alto, but instead, they’re more likely to be found in Idaho Falls. Idaho National Labs, the Department of Energy’s lead nuclear research and development facility, is also home to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). These are the people companies call for help when they face the most serious of attacks that may have national security implications. The number of incidents that organizations have reported to ICS-CERT has risen to 198 in 2011 from nine in 2009. Team members have traveled on site to help companies on 17 different occasions between 2009 and 2011.
One reason the pool of top experts in this domain is so limited is that cybersecurity and a deep understanding of control systems for critical infrastructure are two different skill sets. “It’s like the plumber and electrician problem – there are a lot of people with each skill but a small number with both,” said Paller, founder of SANS Institute, an organization that trains cybersecurity experts and conducts information security research. These people must be able to look for cyber threats that haven’t already been detected and they need to understand traffic between process control devices and software that’s rarely used, he said.
“It’s very specialized, there aren’t ready-set off-the-shelf tools that you can buy, install or start that will protect you,” said Rita Wells, electric sector program lead at Idaho National Laboratory.
For example, when Stuxnet was discovered at a critical manufacturing facility in 2010, the company asked ICS-CERT for help. The team discovered Stuxnet on all the site’s engineering workstations and several other machines connected to the manufacturing control systems network. ICS-CERT worked with the organization to develop and implement a multi-stage Stuxnet removal process, customized for that network, and confirmed the infection had been eradicated prior to leaving, according to a report issued by ICS-CERT, which is part of the Department of Homeland Security.
The number of reported incidents is growing in every critical infrastructure sector. Companies in the water industry reported 81 incidents in 2011, up from three in 2009. Electric utilities reported 25 incidents in 2011, up from three in 2009. Since 2005, ICS-CERT has helped train thousands of software engineers at various utilities, but it’s not clear whether those recruits are ready to defend against this escalation of attacks.
Increasing threats to critical infrastructure are part of the reason the Obama Administration is pushing for cybersecurity legislation. The Washington Post reported Wednesday that President Obama has signed a secret cybersecurity directive that could give General Keith Alexander’s Cyber Command and his hundreds of cybersecurity experts leeway in helping to defend against attacks on the private sector.