Those responsible for protecting critical infrastructure would like to be detecting and protecting, but most find themselves mitigating, responding and recovering, on the right side of what speakers at SC Congress Toronto on Tuesday called "the boom."
Before organizations can assume a more proactive posture, they must eliminate the long lag times between an incident and its detection.
"Most groups take somewhere between 18 to 24 months to detect an attack," said Tim Roxey, chief security officer and senior director of ES-ISAC at North American Reliability Corporation, speaking on a panel at the two-day event. Organizations are not breached "without their knowledge," Roxey noted, but when it comes to "the detection piece, we suck," he explained.
The good news, he said, is that a Cyber Risk Preparedness Assessment (CRPA) provides direct insight into an organization's strengths as well as pointing out where it can improve.
The assessments generate "excellent" information, said speaker Mark Fabro, president and chief security scientist at Lofty Perch. For instance, security specialists understand that critical systems are too exposed and that IT-centric attacks have a kinetic impact on control systems. Security pros have also discovered cyber countermeasures that work in the ICS domain, and they know that interconnected systems and remote access need the highest protection.
While critical infrastructure faces threats from the outside, a significant number come from within. Citing the findings of a recent Repository of Industrial Security Incidents (RISI) report, Fabro noted that insiders account for 18 percent of the known perpetrators involved in security incidents in 2012, which represents a one percent uptick from the 17 percent recorded in 2011.
In nearly half of those cases (42 percent), the incidents were intentional, comprising a mix of unauthorized access, sabotage, virus/trojan/worm attacks and external system penetration.
"But that means that 58 percent are not intentional," Fabro said.
While organizations "can't tell when someone will go rogue, [security pros] have to pay attention to countermeasures," added Roxey.
The RISI report shows that the number of incidents involving industrial computers grew tremendously, by 29 percent from 2011 to 2012. The figures are even more jarring when looking at the period between 2010 and 2012: in that two-year span the number grew 80 percent.
The rise is attributed to the growing number of PCs and servers deployed in ICS applications, though their susceptibility to malware may also be a factor, Fabro noted.
Malware, at 76 percent, "exceeds all" other incident types, said Fabro, followed by control/SCADA system failure at 59 percent. Transportation was the hardest hit by incidents at 44 percent, while power and utilities recorded 41 percent and the petroleum industry came in third at 31 percent.
Transportation saw the largest upward swing in incidents (160 percent), while the water and wastewater sector saw a 60 percent increase. Power and utilities remained steady.
Fabro said the number of incidents, in part, might be the result of better reporting in some sectors, noting that there's probably "one report for every 35 incidents."
Another point of vulnerability is what he calls the "transitive trust" between the systems that run the business and the infrastructure systems.
"That will always facilitate some part of the kill chain," Fabro said.
Regardless of the threat employed, "the point [of the attacker] is to become the trusted operator," he noted.