Protecting the critical infrastructure: Strategies, challenges and regulation


In this interview, Raj Samani, VP and CTO EMEA at Intel Security, talks about successful information security strategies aimed at the critical infrastructure, government challenges, the role of regulation, and more.

We often hear how ill-prepared governments are for a serious attack on the critical infrastructure. With so many complex and interdependent issues, what can governments do in order to bring the security of their critical infrastructure to a level that can withstand today’s fast-paced threat landscape? What challenges do they face while doing so?
The first, most fundamental step is to understand the risk. A really practical example of this is demonstrated by results from SHODAN disproving the previously held notion that Industrial Control System (ICS) devices are NOT connected to the internet.

You also make a really interesting point about the fast-paced threat landscape, and I think that poses a significant challenge when it comes to remediation. Within your consumer life, you could potentially accept 90% uptime for the services that you use. However, when we get into the critical national infrastructure (CNI) landscape, even 99% is not an acceptable response. Therefore I believe that automation will be more prevalent as we consider the CNI landscape, for example secondary substations.

These geographically dispersed assets will go for years without an engineer visiting and, while in an unconnected world this may be acceptable, in the modern connected landscape we will need the ability to remotely connect, manage and also respond in real-time to threats to such systems. It is also worth noting that one of the challenges facing governments is building transparency into the security controls of CNI providers that are typically hosted in the private sector, and equally attracting talent that not only understands security (on an IT level) but also has the engineering experience that comes with working in a plant.

What are the traits of a successful information security strategy aimed at the critical infrastructure?
Protecting the operational technology (OT) environment should be simpler than protecting a traditional IT environment. A really good example of this can be seen in a presentation delivered by Joel Langill, technical editor for the first book I co-authored, where he demonstrates the use of consumer technology inside the plant room. These networks and devices should be locked down, indeed anything that deviates from the baseline should be reported and possibly blocked.

Of course this is only one approach! However, as mentioned earlier, I believe that automating the security response is a natural evolution. We have been working on digital oilfields, and substation automation proof of concepts (PoCs) and now this approach is beginning to be adopted and implemented across the globe. Measures for success within oil and gas have seen an increase in production efficiencies of up to 250% for brownfield deployments. As we migrate to a connected CNI landscape, technology can introduce such enormous benefits to the provision of water, energy, etc. Our role, of course, as security professionals is to minimize the risk.
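The answer above argues that an OT network should be locked down to a known baseline, with anything that deviates from it reported and possibly blocked. The script below is an added illustration of that idea (it is not code from the interview, from Intel Security, or from the book mentioned): it holds a hypothetical device inventory for one plant segment, records which protocol/port pairs each device is permitted to use, and audits constructed flow-log lines against it. All addresses, device names and log lines are constructed for the example.

```python
"""Baseline-deviation audit for an OT network segment (added example).

Models the "lock down to a baseline, report deviations" approach from the
interview. The baseline, the policy that decides report-versus-block, and
every flow record below are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical baseline for one segment (10.20.0.0/24): each device and the
# (protocol, destination port) pairs it is allowed to initiate.
BASELINE = {
    "10.20.0.10": {"name": "plc-boiler-1", "allowed": {("tcp", 502)}},               # Modbus/TCP to HMI
    "10.20.0.11": {"name": "plc-pump-2",   "allowed": {("tcp", 502)}},
    "10.20.0.50": {"name": "hmi-1",        "allowed": {("tcp", 502), ("udp", 123)}},  # Modbus, NTP
    "10.20.0.60": {"name": "historian",    "allowed": {("tcp", 1433)}},              # SQL to local DB
}

OT_SEGMENT_PREFIX = "10.20.0."  # constructed segment boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str
    action: str  # "report" or "block"


def check_flow(flow: Flow, baseline=BASELINE) -> Optional[Finding]:
    """Return a Finding if the flow deviates from the baseline, else None.

    Policy (an assumption of this example, not a standard):
    - source device not in the inventory            -> block
    - known device talking outside the OT segment   -> block
    - known device using an unbaselined proto/port  -> report (may be a
      legitimate engineering change; a human decides before blocking)
    """
    src = baseline.get(flow.src)
    if src is None:
        return Finding(flow, "source not in device baseline", "block")
    if not flow.dst.startswith(OT_SEGMENT_PREFIX):
        return Finding(flow, f"{src['name']} reaching outside the OT segment", "block")
    if (flow.proto, flow.dport) not in src["allowed"]:
        return Finding(flow, f"{src['name']} using unbaselined {flow.proto}/{flow.dport}", "report")
    return None


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines) -> list:
    """Run every non-empty log line through the baseline check and collect findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = check_flow(parse_flow(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample flow log: three baseline flows, then three deviations.
SAMPLE_LOG = """
10.20.0.10 10.20.0.50 tcp 502
10.20.0.50 10.20.0.10 tcp 502
10.20.0.50 10.20.0.1 udp 123
10.20.0.11 10.20.0.50 tcp 22
10.20.0.99 10.20.0.10 tcp 502
10.20.0.60 198.51.100.7 tcp 443
""".strip().splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.action.upper():6} {f.flow.src} -> {f.flow.dst} "
              f"{f.flow.proto}/{f.flow.dport}: {f.reason}")
```

The split between "report" and "block" is deliberate: in a plant network an automatic block of a known device that has simply gained a new, legitimate connection can cost the very availability the interview says CNI cannot afford, so only an unknown source or an egress outside the segment is treated as block-worthy here, and everything else is surfaced for an engineer to confirm before the baseline is updated.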

Some argue that we need less regulation, while others welcome it. What’s your take on this complicated issue?
Regulations can work, but they are not the panacea. Simply put, anything that can improve the security of the world we live in has to be applauded. However we have to ensure that it is something practical that can feasibly be implemented.

Generally speaking, the regulatory and standards environment is divided into the prescriptive and subjective approaches: take the comparison between North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) plan v4 and v5 even! A prescriptive-based approach can achieve a minimum baseline that provides a level of acceptable assurance, but as we have seen in the financial sector, compliance does not mean security. I would much rather focus on a world where security achieves compliance.

What are some of the most interesting facts you’ve learned while writing “Applied Cyber Security and the Smart Grid”?
I did a presentation at the SecureCloud conference in which I talked about the role of public cloud computing within critical infrastructure. It was more theoretical in nature, and I then received an email from a friend (and co-author of a recent cloud book), Brian Honan. In the email was a link to a company offering water treatment services through a cloud platform, and their claim was that security such as AV updates was not needed because it was hosted in the cloud. It made me realize that the work we do as security professionals has never been so important.