BetaNews conducted a Q&A session with Andrew Ginter, vice president of industrial security at Waterfall Security Solutions to find out if American industrial and infrastructure systems are safe from cyber threats:
BN: How worried should we be about attacks on industrial control systems (ICS) and national infrastructure?
AG: I’m very much worried. Modern attacks have demonstrated repeatedly that they can punch through corporate-style cyber defenses, more or less, at will, and it is corporate-style defenses that are deployed at the majority of critical industrial infrastructure sites. This is a mistake. IT can restore damaged systems from backup. There is no way to restore a damaged turbine or a boiler from backup. There are industrial sites that understand all this and have taken appropriate steps to defend themselves, but the vast majority of sites are not protected thoroughly enough.
BN: Should enterprise IT and ICS be kept completely separate? Why connect ICS to the Internet at all?
AG: There are too many ways to profit from ICS data to keep it locked up and inaccessible. For example, if business systems can determine how often and how long each piece of costly equipment has been used, we can delay maintenance until it is really needed rather than maintain the equipment every few months whether it needs it or not. This predictive maintenance application of ICS data alone, integrated with HR personnel scheduling, spare parts ordering and other business applications, is estimated to save the average industrial facility between three and seven percent of total operating costs. In some industries, this is the plant’s entire operating profit. There are many other uses for industrial data.
Long story short: US industrial control systems are vulnerable because of the rush to connect them to the internet. It is not as black and white as that though.
However, NERC CIP is a great starting point for protecting the power industry, and therefore other critical infrastructure sections should adopt a similar baseline cyber security framework to help ensure there is a minimum set of security controls in place. Implementing a NERC CIP-like set of guidelines will go a long way in limiting potential cyber attack exposure and risk to critical systems.
Having recently worked with the US electrical system in the United States, I have to say that what I personally witnessed was generally a highly professional cadre of cyber security experts who take their jobs protecting the power grid quite seriously. From the wonderful folks at FERC to NERC to DoE, to the many power companies our team worked with, this group is working really hard and quite diligently to ensure the American power system is safe. Other industrial and infrastructure area, however, remain to be seen.