A recent report [PDF] from the National Infrastructure Advisory Council (NIAC), based on a review of hundreds of studies and interviews with 38 industry experts, warned that the U.S. government and private sector are falling short in defending critical systems from aggressive cyber attacks.
“The challenges the NIAC identified are well-known and reflected in study after study,” the report states. “There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action.”
The report urges the U.S. government to take the following key steps:
- Establish separate, secure communications networks specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
- Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies, led by the electricity and financial services sectors, to test public-private and company-to-company information sharing of cyber threats at network speeds.
- Identify best-in-class scanning tools and assessment practices, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
- Strengthen the capabilities of today’s cyber workforce by sponsoring a public-private expert exchange program.
- Establish a set of limited time, outcome-based market incentives that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
- Streamline and significantly expedite the security clearance process for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of sensitive compartmented information facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
- Establish clear protocols to rapidly declassify cyber threat information and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber attacks.
- Pilot an operational task force of experts in government and the electricity, finance, and communications industries — led by the executives who can direct priorities and marshal resources — to take decisive action on the nation’s top cyber needs with the speed and agility required by escalating cyber threats.
- Use the national-level GridEx IV exercise in November 2017 to test the detailed execution of federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the federal government’s unclear response actions.
- Establish an optimum cybersecurity governance approach to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across federal agencies.
The report also urges National Security Advisor H.R. McMaster to convene a meeting of senior government officials within six months to address any barriers to implementing these recommendations and to identify immediate next steps to take.
A recent SANS Institute survey [PDF] of industrial control systems (ICS) security practitioners found that while 69 percent of respondents said they view threats to ICS systems as “high” or “severe/critical,” 40 percent lack visibility or sufficient supporting intelligence into their ICS networks.
Still, just 46 percent of respondents regularly apply vendor-validated patches, and 12 percent neither patch nor layer controls around critical control system assets.
“However we measure things, the security risks to ICS are rising,” the report states.
Respondents said their top priorities for the next 12 months are to perform security assessments or audits of control systems and control system networks (cited by 36 percent of respondents), to increase visibility into control system cyber assets and configurations (36 percent), and to increase security awareness training for all personnel with access to control systems and control system networks (28 percent).
A separate Kaspersky Lab survey of 359 industrial cyber security practitioners worldwide found that 54 percent of respondents have experienced at least one cyber attack in the last 12 months, and 21 percent have experienced at least two.
Still, 31 percent of respondents said ICS cyber security is a low priority for senior management.
When asked to identify their top concerns regarding cyber security incidents, the leading response was conventional malware and virus outbreaks (56 percent), followed by threats from third parties (44 percent) and sabotage or other intentional physical damage by external actors (41 percent).
“As cyber attacks and the growing connected environments of industrial organizations evolve, ICS organizations will continue to face new challenges, and it’s essential that their security strategies are reassessed now before it is too late,” Kaspersky Lab senior researcher Clint Bodungen said in a statement.