A draft of the voluntary framework was released by NIST.

Those responsible for protecting critical infrastructure would like to be detecting and protecting, but most find themselves mitigating, responding and recovering, on the right side of what speakers at SC Congress Toronto on Tuesday called "the boom."

Before organizations can assume a more proactive posture they must eliminate the long lag times between an incident and its detection.

"Most groups take somewhere between 18 to 24 months to detect an attack," said Tim Roxey, chief security officer and senior director ES-ISAC at North American Reliability Corporation, speaking on a panel at the two-day event. Noting that organizations are not breached "without their knowledge," when it comes to "the detection piece, we suck," Roxey explained.

The good news, he said, is that a Cyber Risk Preparedness Assessment (CRPA) provides direct insight into the strength of organizations as well as pointing out where they can improve.

The assessments generate "excellent" information, said speaker Mark Fabro, president and chief security scientist at Lofty Perch. For instance, security specialists understand that critical systems are too exposed and that IT-centric attacks have a kinetic impact on control systems. Security pros have also discovered cyber countermeasures that work in the ICS domain, and they know that interconnected systems and remote access need the highest protection.

While critical infrastructure faces threats from the outside, a significant number come from within. Citing the findings of a recent Repository of Industrial Security Incidents (RISI) report, Fabro noted that insiders account for 18 percent of the known perpetrators involved in security incidents in 2012, which represents a one percent uptick from the 17 percent recorded in 2011.

In nearly half of those cases, 42 percent, the incidents were intentional, comprising a mix of unauthorized access, sabotage, virus/trojan/worm attacks and external system penetration.

"But that means that 58 percent are not intentional," Fabro said.

While organizations "can't tell when someone will go rogue, [security pros] have to pay attention to countermeasures," added Roxey.