Losing control: Critical infrastructure


Then just last month, Austin-based security firm NSS Labs released a study that tracked a 600 percent jump in industrial control system (ICS) vulnerabilities revealed between 2010 and 2012, with 124 security flaws being disclosed.

Also this year, ICS-CERT released a technical paper in January that included guidance – and common mistakes to avoid – when responding to advanced attacks. For instance, instead of immediately trying to rid systems of the malware, IT management or designated responders should capture live system data, like network connections and open processes, before disconnecting compromised machines from networks, the paper says. Companies additionally were advised to avoid running anti-virus software immediately after an attack, since the scan could change critical file updates or thwart analysis of malware for future detection.

David McIntosh, vice president of federal government affairs at Siemens, a Germany-based electrical engineering and manufacturing company that services critical infrastructure sectors, says federal policies are necessary to facilitate the kind of public-private information sharing needed when advanced attacks occur.

According to Nate Kube, CTO of Wurldtech, a Canada-based industrial security products company, the nation's water supply is particularly at risk from attacks of this kind.

“[In] industries like water, there's not a lot of budget for security, so unless the government steps in and provides incentives and regulations, the water supply will be vulnerable,” says Kube. “The level of security is close to zero, which means if you can procure knowledge on its systems, you can [cause] a lot of damage. There's not a lot of stop gaps. The only protection now is that there's not a lot of incentive in hacking these systems.”

Hours before his State of the Union address, President Obama issued a cyber security executive order designed to spur the implementation of better security standards among ICS companies. Though the order won't be mandated like legislation and will merely provide best practices for the government and private companies, it will direct federal agencies to share information about critical infrastructure threats with corporations in the ICS sector. The move also encourages lawmakers to pass legislation with critical infrastructure protection in mind. 

Last month, lawmakers reintroduced the controversial Cyber Intelligence and Sharing Protection Act (CISPA), though many privacy groups oppose a provision that may permit personally identifiable information collected by companies to be among what is shared. News of CISPA returning came not long after seven Democratic senators introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 in January, essentially a refresh of a bill that was shot down last year. The language in the measure has not yet been firmed up, but it is expected to create mechanisms for threat information sharing, workforce development, risk assessment and identity theft prevention. 

Security vendors and end-users have differing opinions, however, on whether regulations are the answer. PhishMe's Gréaux says that more policy could distract companies from detecting the real threats. “From a practical perspective, I think there's good policy that can be written to help guide [companies] in the right direction, but it also can distract security practitioners from focusing on threats,” he says. “It takes focus away from protecting assets and systems, and puts it more on compliance. Sometimes it makes the organizations less secure than they were before.”
