By Richard Robinson, CEO, Cynalytica
I am not sure how many more wake-up calls it will take before we all acknowledge that we are considerably behind in protecting the Industrial Control System (ICS) environments that run our Nation's critical infrastructure.
The recent compromise of SolarWinds and the Sunburst hack should drive this fact home to every commercial company and government agency responsible for the safe, reliable operation and protection of our critical infrastructure, and get them quickly grounded and thinking about better, more innovative ways to confront the problem.
“No one knows the full extent of the Sunburst attack, but the scope is large and the victims represent important pillars of the U.S. government, economy and critical infrastructure. Information stolen from those systems and malware the hackers have likely left on them can be used for follow-on attacks. I believe it is likely that the Sunburst attack will result in harm to Americans.”
President Biden's signing of an Executive Order on January 20, 2021 that, in part, suspended for 90 days the implementation of the prior Administration's May 1, 2020 order halting the use of components produced by hostile foreign states in the Bulk Power System is another example of the complexity and morass of the problem.
I would implore those asset owners and government agencies that are responsible and accountable to start looking at the problem and potential solutions more broadly and unconventionally, and to stop relying on the same set of self-anointed shamans in the cyber security vendor space to be their guides. All the resources and money that have gone to these vendors and into "protection" efforts have, at the end of the day, yielded the undeniable inability to stop or detect yet another nation state calmly lying in wait and ultimately compromising tens of thousands of US companies and government agencies (and who knows what systems). Yet after the mayhem, these vendors are the first to congratulate themselves on their fine work.
The sobering fact I want to drive home is that we will never be able to completely stop or keep out a well-motivated and skilled adversary. Full stop. For over a full decade we have been experiencing threat actors that have been in, and are still in, many of our critical infrastructure systems. To make matters worse, this started well before we began to connect these environments to routable networks.
In the early 90s, as an undergraduate studying and researching the potential impacts of the Soviet Union's theft of US computer-aided manufacturing and industrial communication technologies developed in the 1950s and early 1960s, I learned that this is a real thing. To be clear, many of these are still the same core technologies that we use today and rely on for the safe and reliable operation of our country's critical infrastructure, as well as key critical infrastructure around the globe.
We have been continually connecting, and even accelerating the unsafe connection of, these legacy infrastructures and their devices to networks, only to be told by vendors and asset owners that they do not need to pay attention to this because "they did not believe the environments could be properly monitored or protected", "it is inconvenient to do", "it's not important or necessary since we are monitoring the network", and, my favorite, "we will be moving off of these systems in the next few years". All irresponsible, and all incorrect.
There is a safe way to protect and monitor the legacy ICS environments that provide our daily power, water, transportation and food. We need to ensure that those responsible for the safe and reliable operation of these most critical systems are pursuing security at the highest level achievable.