The need for durable national cyber security has never been clearer. International cyber espionage has reached new peaks in the last few years. The world is reeling at the audacity of alleged attacks by one nation on the free, democratic elections of another via online data theft. The world has witnessed major cyberattacks that disrupted critical infrastructure operations, including a Saudi petrochemical plant, the Indian Kudankulam Nuclear Power Plant (KKNPP), the United States utility grid, capital city blackouts in Ukraine, and many more. The commercial sector has also been hit with a new level of breaches, including giant corporations such as Marriott, British Airways, Facebook, Mondelez, Reckitt Benckiser, FedEx, and Equifax. These cybersecurity lapses caused business disruption, revenue loss, production shutdown, power blackout, process disruption and much more. In terms of money, some of these cyber incidents have resulted in losses of more than half a billion dollars. Many are state-sponsored cyberattacks, in which hostile countries have been regularly probing the defense grid, government agencies or critical infrastructure operations of enemy nations. While these attacks may have taken the general public by surprise, state and military leaders responsible for the world’s national cyber security have been aware of these threats for some time. Governments, along with regulatory bodies across the world, are working relentlessly to build a flourishing digital society that is both resilient to cyber threats and equipped with the capabilities required to maximize opportunities for national infrastructures and services. To achieve this goal, I propose the following three pillars for strengthening national cyber security:
- securing critical infrastructure
- establishing a national cyber security standard
- developing a highly skilled workforce
Securing Critical Infrastructure

Cyberattacks on power plants have already begun. Ukraine was hit twice in 2015 with breaches that led to loss of power to entire portions of the capital city. Other countries have also suffered mysterious massive outages that have raised the suspicions of leading cybersecurity experts. We’ve known for decades that critical infrastructure is considered a prime target for hostile nation-state actors. Most likely, these facilities are already in the early stages of cyber attack.
To understand how to protect critical infrastructure, we must first understand why it is so vulnerable. Utilities and heavy industry use operational networks called SCADA (supervisory control and data acquisition). SCADA systems are used to monitor and control equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation. They have local sensors distributed throughout the plant that gather, store and relay information to a central command center. Many of the sensors also have computational abilities and can analyze data, detect irregularities and make decisions about how to remedy them. This means that these remote sensor units are capable of sending commands that affect the physical operation of the plant. If hacked by malicious actors, the results could be catastrophic. In Ukraine, the supply of power was cut off, but the potential damage from SCADA attacks could be much worse. For example, in a nuclear power plant, SCADA systems monitor and control speed (RPM) and vibrations of the centrifuges. If hacked, malicious commands can be sent to change the speed and cause debilitating physical damage. Hackers could cause destruction of billions of dollars worth of equipment, explosions, fires or worse.
While most utilities and manufacturing plants have excellent physical security on site, most have next to nil cyber security in place. The technical specialists running plants do an excellent job keeping everything up and running with no downtime, but few of them are experts in cyber security. This simply lies outside the industry’s expertise. Furthermore, there are few commercially available solutions tailored to the unique needs of SCADA systems that can effectively secure the interconnected IT and OT (operational) networks. Some hold the belief that they can keep operational networks safe by completely separating the two, so that the regular IT network cannot be used to compromise the OT network, an approach known as ‘air gapping’. But in today’s modern plants, air gapping is but a myth. The IT and OT networks have completely converged and are intertwined. Therefore, effective defense requires an integrated approach. This kind of expertise is the domain of the military and defense sectors, who have been responsible for protecting the world’s most sensitive critical infrastructure targets. Therefore, the military and intelligence community must take the lead in protecting national critical infrastructure and partner with the very best international experts.
National Cyber Security Standard
Cyber security is no longer just a cost-benefit consideration for individual organizations to weigh on their own. The interconnectivity of the internet means that a breach in one network could be used to damage another. For example, user credentials stolen from web email accounts can be used to gain access to banking or credit card details. The repercussions of cyber-attacks will be felt beyond the specific breached organizations and threaten to undermine confidence in the nation’s commercial sector. We have seen quite a few incidents, such as the Bangladesh Bank Heist, India’s Cosmos Bank, Equifax and many more, where millions of dollars were siphoned through a cyberattack. Therefore, national governments must take a proactive leadership role in establishing clear, binding standards for cyber security products and procedures.
There is an abundance of independent cyber security products, and more and more players can be expected to join this fast-growing market over the next few years. The networks of major financial institutions can include up to 90 distinct networking security products. The sheer mass of solutions makes it an insurmountable challenge to thoroughly evaluate each. Therefore, a national standard that outlines product classes, specifies required capabilities and certifies that products have been tested and found suitable is critical. For example, over 18 years ago, the United States federal government initiated a partnership between its National Security Agency (NSA) and National Institute of Standards and Technology (NIST) to develop a cost-effective way to establish a credible standard for the testing, evaluation and validation of information security products. This joint program, the National Information Assurance Partnership (NIAP), champions the development and use of national and international standards for IT security (Common Criteria) and fosters research and development in IT security requirements definition, test methods, tools, techniques and assurance metrics. I recommend an active role for governments and regulatory bodies in developing, promoting and verifying excellence in cyber security products and training.
A Highly Skilled Workforce
The most imminent national cyber security challenge is recruiting and training the ‘boots on the ground’ for the new cyber battlefront. A study by Cybersecurity Ventures points out that the global economy is estimated to lose $6 trillion annually by 2021 due to cybersecurity exploits and other cybercrimes. The future of any nation’s cyber defense depends on a highly skilled workforce of cyber security experts in all branches of the military, law enforcement, government and commercial industry. The demand for well-trained professionals is already outpacing supply. Therefore, the critical challenge of ensuring a nation’s cybersecurity is dependent on training the women and men who will fill the ranks. Every challenge is also an opportunity. If the professional training goal is set high and energetically pursued, the entire nation stands to emerge as a global cyber security player and contribute significantly to the health of its economy. In the last couple of years, many government bodies or central organizations have established cutting-edge cyber security training centers, including a hyper-realistic simulator, as part of strategic efforts to become a leader in providing cyber security services. The training of a highly skilled cyber security workforce can be achieved by establishing excellent training centers and programs from secondary school through university level, as well as in professional trade schools and military and law enforcement academies. The courses must all contain theoretical studies and ample realistic training to gain the experience and prowess necessary to effectively confront a variety of aggressive attack scenarios. Universities like Miami Dade College, Regent University, Ariel University, University of Maine, Metropolitan State University, and others have been disrupting the cyber defense industry with their world-class training modules that feature state-of-the-art cyberattack simulations.
Today, countries around the globe have established national centers for cybersecurity strategy in response to the mounting cyber threat. Now it is up to us to take swift strategic action to ensure the safety and prosperity of citizens, government and industry. By focusing on the three pillars of securing critical infrastructure, establishing national cyber security standards and developing a highly skilled workforce, a nation can emerge as a global leader in this vital new realm.