A Senate plan to boost the US government’s ability to regulate the security of companies responsible for critical industries is causing debate as to exactly how far its reach should be.
With sophisticated attacks, such as Stuxnet and Duqu, on the rise, the legislation would aim to ensure organizations that oversee systems running utilities, power plants and other critical infrastructure have the necessary measures in place to ensure their security. At present it is estimated that as much as 85 percent of America’s critical infrastructure is owned and operated by private companies.
This is an important move and one that should be considered in the UK. Attacks on critical systems are on the increase and have the potential to negatively impact the economy and even the safety of citizens. It is vitally important that companies entrusted with this responsibility are held to account and can validate that measures have been taken to protect control systems.
Some concerns have been voiced about this move giving authorities too much power over private organizations, however, this does not have to be the case. A relatively simple and non-intrusive move would be to legislate these organizations into deploying protective monitoring systems.
A large proportion of IT breaches today are a result of companies lacking visibility into the activity taking place across their networks. Continuous monitoring of the log data generated by systems provides the visibility and traceability required to piece together seemingly isolated events to identify aberrant activity.
This traceability is especially relevant when trying to detect attacks on public utility control systems like SCADA (supervisory control and data acquisition). Many control system components inherently trust the environment and do not natively create security events – as a result, they tend to rely on separate—and possibly not implemented—control system historian and change management functions to record operational events.
To defend critical infrastructures it is not only essential that these controls are deployed, organizations also require protective monitoring to collect and analyze the data that is generated. It is only via the combination of approaches such as these that control systems can be defended against the malicious intentions of would-be hackers.
Author: Ross Brewer, vice president and managing director for international markets, LogRhythm.