Commercial enterprises are putting our critical infrastructure at risk

Page 2 of 2

* Develop regulations with accountability: Regulations and best practices need to be defined, mandated, applied and enforced so that they cover both the enterprise and the critical infrastructure entities. The Department of Homeland Security, the Department of Defense (DOD) and the Department of Energy (DOE) need to be at the forefront of fostering best practices and standards. The appropriate government entities should consider making funds for such purposes available to institutions farther down the chain, beyond the capital goods vendors, such as the local and state entities that actually put the industrial control systems in place. In the end, the value of security must be described and demonstrated, not merely asserted. "The North American Electric Reliability Corporation (NERC) CIP v5 set of cybersecurity standards, as one example, is being defined to focus on security as opposed to just compliance, but it will be a few years before we can see it in action," Cianfrocca says.

* Manage identities as humans: Security must focus on human behavior. Human-centric security is about recognizing that a digital identity belongs to a human being; humans have patterns and behaviors that can be modeled, and the risk assigned to an identity can be adjusted based on a number of factors. "Humans tend to make more mistakes on Mondays and when they work more than 12 hours," says Brown. "Humans are more vulnerable to coercion when they have recently been divorced or have money issues; this can't be ignored." Of course, the human factor is already present in the critical infrastructure, and many safeguards are in place to manage the physical side of human access (badges, escorts, two-person rules). These same human-oriented safeguards need to be extended to the enterprise infrastructure as well.

* Establish cross-sector communications: Critical infrastructure entities, government institutions and the private-sector companies that enable them need to share threat intelligence, working together as a common force to track down would-be attackers. U.S. Secretary of Homeland Security Janet Napolitano recently told the Senate Homeland Security and Governmental Affairs Committee that "we need the information-sharing, and it needs to be real-time. It makes common sense." Organizations and government agencies need to get over their hang-ups about sharing information, and stop treating existing and emerging threats as information that requires clearance levels above top secret. Sharing needs to be done in a way that doesn't tip off the attackers, so some legislative work coupled with a neutral third-party clearing house could help to build and distribute this cross-entity threat intelligence.

* Identify new technologies: One approach to critical infrastructure protection is to use technologies that reduce, if not eliminate, whole classes of vulnerabilities. One example is BAE's STOP OS, built especially for the DOD, which BAE says does not require patching, thereby removing the need for staff and security experts to patch those infrastructure systems. Another option for secure virtual operating systems is Joyent's GuardTime-enabled SmartMachine, which refuses to execute independently verified operating system modules and third-party applications if they have been modified in any way since verification.

We must also remember that at the core of the critical infrastructure lies the platform: the control systems developed by industrial goods vendors such as GE, Emerson and Siemens. These companies need to be given incentives, or be required, to build better security into their devices, systems and services, so that those products are not only more robust but also not exposed to the same risks faced by enterprise infrastructure.

One thing is for sure: policy, regulations, penalties and fines are not enough; this is the nation's critical infrastructure we are talking about. It's time we stop ignoring the risk that our profit-driven private-sector enterprises pose to the critical infrastructure.

Sean Martin is a CISSP and the founder of imsmartin consulting. Contact him at


Copyright © 2012 IDG Communications, Inc.
