A Critical Time for Critical Infrastructure
What's a lifeline service? In the telecom industry, we used to say landline voice was such a service, but that's certainly no longer the case. Mobile or broadband Internet? To many people, those services seem like lifelines.
What about electricity, nuclear power, other forms of energy like oil and gas? Or transportation systems -- highways, railways and airline networks? And don't forget public safety -- everything from the local first responders to national homeland security and border management. There's little argument that all of the above are lifeline services as much as any telecom service is.
Yet, despite the extreme importance of these services, some of the world's critical infrastructure for enabling these lifeline services could be at risk for potentially devastating cyber security attacks. We aren't necessarily talking about hacker schemes targeting the IT systems of the companies operating this infrastructure the way Target and Sony have suffered embarrassing breaches.
That's an issue, but even more concerning is the possibility of highly organized, malicious attacks intended to disable the operational technology (OT) frameworks -- communications infrastructure, supervisory control and data acquisition (SCADA) systems, industrial control devices, sensors and other gear -- of critical infrastructure operators.
If you don't think it's happened before consider that around the time of last year's Sony hack, there was a much less publicized cyberattack on a nuclear power plant in South Korea. The famed Stuxnet virus, which affected nuclear power plants in Iran and Russia (never mind for this discussion who perpetrated it) is another recent example.
The threat affects every society on the planet, regardless of how secure you are with your own nation's place in the pecking order of global affairs, or how confident you are in your company's ability to protect its own infrastructure.
A recent report from Intel Security and the Aspen Homeland Security Program suggests that operators of critical infrastructure might be over-confident in their ability to defend against attacks and misunderstand the scale of the current threat environment.
In North America, this encroaching reality is one of the driving forces behind the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection requirements. NERC CIP Version 5, which calls for utilities of all sizes to meet new cyber security protection requirements and has a compliance deadline of April 2016, less than nine months away.
All of this goes a long way to explain why Light Reading has recently started covering the critical infrastructure market. It's a sector approaching a critical juncture. (Sorry to overuse the "c" word, but it's more than apt.)
Many operators of critical infrastructure traditionally have a conservative attitude about spending on new technology, according to vendors that have worked with them. Even when given an end-of-life notice on a piece of equipment, they sometimes spend more time stocking up on spares and replacements than they do planning upgrades to the latest and greatest gear.
The drive to meet the NERC CIP v.5 requirements looks a lot like a turning point in the spending and upgrade practices of critical infrastructure operators. The rapid evolution of cyber security threats means they need to invest in their OT networks.
Along with the implementation of cyber security solutions, many of them are in a position to replace or modify traditional SCADA frameworks with with IP-based and mobile M2M connectivity. That's good news for many technology suppliers -- not only the GEs of the world, as you might imagine, but also an increasing number of traditional telecom vendors than have recognized the critical infrastructure market opportunity.
This period of critical infrastructure upgrades promises to be an interesting, exciting and possibly contentious time. Companies that don’t meet the NERC CIP v.5 requirements on time could face stiff fines. The clock is ticking -- toward next year's NERC deadline for sure -- but also potentially toward a growing cyber security threat that will be hard to stop with antiquated attitudes and technologies.
— Dan O'Shea, Managing Editor, Light Reading