Waking the sleeping giant: Critical infrastructure

Share this article:

For the last several years, security experts have been stressing the vulnerability of industrial control systems. Now, with attacks like Stuxnet proof of the risk, the big question is: How will industry respond?

Waking the sleeping giant: Critical infrastructure
Waking the sleeping giant: Critical infrastructure

Stuxnet was a game changer, but control systems that run the nation's infrastructure are still at risk, reports Deb Radcliff.

For more than 10 years, they saw it coming: SCADA (supervisory control data acquisition) systems managing critical infrastructures would be targeted by cyber terrorists, activists and government-sponsored agents. The results would be catastrophic.

Working groups formed under the North American Electric Reliability Council, the International Society for Automation (ISA), ASIS (American Society of Industrial Security), and Information Sharing and Analysis Centers (ISACs). System operators needed to be educated about cyber risks, best practices needed to be formed and standards needed to be set. 

Then, June 2010 came around and news of the Stuxnet worm broke. “Stuxnet immediately became a major concern in our infrastructure meetings,” says Mark Schreiber, vice chair of the critical infrastructure working group for the ASIS, and security system design engineering specialist at Fluor, a Irving, Texas-based company that provides project management to clients around the world. 

As a result of Stuxnet, awareness is up at all levels. Operators, vendors, and government officials now “get” the seriousness of the threat. Security standards are maturing, and new security oversight bodies are forming, most recently through the Federal Energy Regulatory Commission (FERC). As well, the Obama administration hopes to issue a cyber security executive order similar to the Cybersecurity Act of 2012, killed by the Senate in August.

The bad news: Stuxnet was just the beginning. More sophisticated malware that includes Stuxnet-derived code is being found in the wild: over the last two years, Flame, Duqu, Madhi, Gauss, Shamoon and Wiper all bare similarities to Stuxnet.

“A growing list of malware is being discovered because organizations are finally stepping up their game in detection,” says Anthony Bargar, executive VP of cyber security solutions at Foreground Security, a Lake Mary, Fla.-based consulting firm to infrastructure operators. “Some of the threats discovered make Stuxnet look like an Atari 2600. Gauss is one example.”

Page 1 of 3
Share this article:

Sign up to our newsletters

More in Features

Case study: Big LAN on campus

Case study: Big LAN on campus

A university rolled out a wireless network, but was hampered with a user-support problem...until a solution was found. Greg Masters reports.

2014 Women in IT Security: Stacey Halota

2014 Women in IT Security: Stacey Halota

When she stepped into the job of vice president of information security and privacy at Graham Holdings Company in 2003, Stacey Halota had to carve out new territory because her ...

What's sex got to do with it?

What's sex got to do with it?

Harassment has no place in the security industry. Neither do sexism or discrimination. But, there they are. It's time for infosec to just say no, reports Teri Robinson.