As cyberattack prevention becomes an increasingly critical focus of homeland security efforts, industry observers are taking a closer look at the readiness of the nation's critical infrastructure. Some believe there is reason to worry. Researchers recently revealed that many industrial systems, including some used in public utilities, come with default passwords that are readily available and could be used by hackers to gain remote root access and disrupt services or cause damage. Just last December, at least three of Ukraine's energy providers suffered cyber attacks that took them offline for about six hours - the first time that a power outage has been directly tied to cybercrime.
On Wednesday, February 3, The Energy Times presented a webcast on this topic, sponsored by Cisco. I was privileged to join a panel of speakers representing the key utility and government leaders responsible for protecting the grid and the American public in a discussion on security challenges in the energy industry and what can be done to further enhance the security of our nation's power grid.
Some recent publications have focused narrowly on preparedness for an extended operational failure of critical infrastructure, such as the energy grid, rather than taking a holistic approach to resiliency. But every process needs to be secure, from design, development, implementation and maintenance to end of life. At Cisco, we view value chain security risk from two perspectives. First, we focus on the role of information and communication technology (ICT) in cyber risk itself. Second, we focus on the full end-to-end spectrum of the ICT value chain. Accordingly, we've developed a framework to build security and trust into the complete value chain.
Creating a firm foundation
The first step in ensuring infrastructure security is to identify the threats. Some of the threats and exposures Cisco has identified include counterfeit, manipulation, espionage and disruption. Organizations and agencies involved with critical infrastructure should keep this in mind as they address comprehensive cybersecurity throughout the industry's value chain.
Next, we have determined a number of foundational elements that can form a path to comprehensive security:
Core architecture domains
The third step is to build a flexible security architecture that can be shared and serve as a differentiator across the entire value chain. We suggest identifying core domains within the architecture. For us, those domains include security governance, security in manufacturing and operations, and third-tier partner security, among others. For a complete list, I encourage you to visit a recent NIST case study that goes deeper into these leading Cisco practices.
Leveraging a flexible security architecture can allow all value chain members to collaborate. The use of existing industry taxonomy, a clear architecture and procurement-based validation methods will ensure enhanced risk management while permitting the flexibility and innovation essential to infrastructure security success.
For more information on this topic, see my earlier post on value chain collaboration here. For more information on Cisco Value Chain Security, visit the Cisco Trust and Transparency Center.