From "What" to "What's"
BRIAN PHILLIPS
© 2008 FrontLine Security (Vol 3, No 3)

So often, for those of us who deal daily with the vulnerability of our critical infrastructures, what we do for a living feels like selling insurance to people who are just trying to survive day to day.

Yet, like it or not, we are the leaders and therefore the protectors of national and international critical infrastructures. Communications and Information Technology (IT) ­networks are major players in keeping the world right side up. But others, like energy, transportation and public safety are inextricably linked to the future of our communities, whether that community is Portage La Prairie or the entire planet.

As these critical infrastructures (CIs) become more pervasive and interdependent, we are indeed compelled to shift the focus from reactive – consequence ­management and response – to proactive prevention and protection. To move from “what if” to “what’s best.”

Instead of trying to anticipate everything that could happen to our vital assets, it’s time to take a look at what we have to protect and then harden that. In that way, we become less similar to insurance agents, and more pertinent business enablers.

It begins with a new understanding that those of us in the CI protection club must act more like family, recognizing that a competitive and secretive attitude will hamper response and recovery when it is most needed. Like family, we must acknowledge our mutual interests, common experience and increasing interdependence.

10 traditional CIs
There are 10 accepted Critical Infra­structure sectors in Canada: Communi­cations & Information Tech­nology, Energy & Utilities, Water, Finance, Transportation, Safety, Food, Government, Healthcare and Manufacturing.

While all are deeply interconnected, at another level, some – such as Com­mu­ni­cations and IT – support everything else. Their survivability is the cornerstone of a successful first response and viable recovery from any emergency. All other CIs depend on them, and their failure can lead to a cascade of chaos affecting every area of our society.

Emerging CIs
The case can be made that two additional CIs are emerging: the Internet; and SCADA (Supervisory Control and Data Acquisition).

The Internet is much more than simply a component of Communications and IT. It’s a venue for the best and the worst of human nature. When it comes to malware and subversion, we’ve seen a rapid evolution from script kiddies, hackers and social scammers right up to cyber terrorists and state-sponsored Black Hatters.

In fact, cyber crime has surpassed the illegal drug trade as the #1 crime in Canada – and 70 percent of victims don’t even know they’ve been had. Internet child pornography is now a $2.6 billion cancer in our society.

Canada is ranked 9th as an international cyber target, with Canadians standing a better chance online than on the street of being a victim of crime. Yet, of 62,000 public police in Canada, only 245 are fighting cyber crime, while 18 million Canadians are spending $50 billion a year online – a number that will skyrocket as the use of commercial sites like Amazon.com and EBay continues to expand.

Cyber security is more than just protecting against viruses and worms. It also encompasses information assurance in enterprise computing. This means controlling access to information, managing loss of data and security associated with IT, and supervising human information-handling processes.

New Vulnerabilities
SCADA – sometimes called Distributed Control Systems or DCS – is emerging as yet another or 12th CI sector. It’s found in just about everything: manufacturing, transportation systems, postal sorting machines, security surveillance systems, food production, drug manufacturing, water and water treatment, control of dams, telecommunications networks, airplanes and ships.

In the energy sector, for instance, the 2003 blackout was traced to a SCADA failure to respond properly to a sagging hydro wire shorting out on a tree branch. Another example – 75% of the world’s gas and oil pipelines longer than 25 km are controlled by SCADA systems that run parallel to the physical infrastructures. What a highly inviting target for any terrorist or disgruntled employee, not to mention its vulnerability to random events such as a natural disaster, general systems failure or human error!

Size and reach add complexity.

Also, we must acknowledge that each sector is so vast that it’s impractical if not impossible to protect every vital component. As well, stove-piped organizational structures are designed to hoard information, seriously hampering the sharing and correlation of information necessary in a crisis. Then there is the question of who’s in charge since all of the governmental, private sector and regulatory groups expect and demand influence.

Understanding complex technologies well enough to design effective strategies and policies is a major challenge. Add to this the fact that subtle interdependencies exist between CIs. These produce weak points that are often not apparent until the whole system is under stress.

Focus Resources
We must, therefore, focus resources where they will do the most good. The Internet, for instance, has about 100 critical nodes at its core – 13 root servers, 13 gTLD servers, 26 Network Access Points and about 50 top e-commerce sites.

So which is easier? Protecting the 650 million computers in the world, or hardening the 100 critical computers that control everything? Deny unauthorized access to these hubs and viruses and worms wouldn’t reach the critical mass necessary to become an epidemic.

In that sense, the Communications sector becomes the Keeper of the Gate. But the sector must work in close partnership with all the other CIs to prevent a cascading crisis that could rock everyone. Bell, for instance, runs constant surveillance and trend analyses. If there is any “pinging” that attacks are imminent, the company notifies all relevant parties immediately.

Unified Communications
First we must look internally for disgruntled employees with access to basic software systems. SCADA systems are so pervasive and so interconnected that a single worker motivated by a grudge can do more damage from his den than can a whole crew of terrorists running amok in an unguarded facility.

Just as the Communications sector has to harden its telecom hotels, other sectors must so secure their networks. We can’t just play “What If?” while waiting around for something to break or for someone to arrest. We must do “What’s Best” now, by hardening with unified cyber-security and communications those vital elements that are exposed to threats.

That has been at the heart of Bell’s approach to the 2010 Olympics in Vancouver as it addresses the challenge of securing a global sports event while ensuring participants feel relaxed and free.

With three billion people watching, the Games could become the ultimate terrorist prize, not to mention natural challenges such as the rock slide on the Sea to Sky Highway just seen this summer.

Bell’s strategy keys on Unified Communications – the immediate and complete integration of video and other sensory data. First Responders can be alerted immediately. Remote digital systems can greatly enhance rescue and recovery operations. Centralized control can also have dramatic impact on the outcome of crisis events. Redundant systems provide constant back-up, with layering of physical and electronic security adding fail-safe depth where it’s needed.

All this and more is essential for an event where all eyes will be on Canada.

Productive Collaboration
Regardless of the challenge, the first line of defence also becomes the first line of offence – a secure IP communications infrastructure. But success also requires the ­collective collaboration of all sorts of local, regional, provincial, federal, international, law enforcement, security, public safety, corporate, media and countless other players.

It’s about rising to the occasion, as we did in the blackout of 2003, coming together in a critical mass that produced the terrific amount of collective and effective collaboration necessary to respond effectively to that crisis.

What we need now – not just in Vancouver and Whistler but to protect all our Critical Infrastructures – is to rise to the occasion before the occasion arises. It just makes good business sense to do so. Studies show that a solid emergency preparedness program and public safety plan yields a return on investment of 400-700%.

It all starts with closer collaboration among the people charged with securing critical infrastructures. Together we need to create a roadmap that integrates security within the very design, not only of our own sectors but also at every point of contact with other CIs. That roadmap would emerge from an external audit that answers the right questions, such as:

  • Does your organization dedicate resources to security?
  • Is final responsibility for implementation of security placed at the executive level?
  • Are security policies implemented enterprise-wide, including supply and partner chains?

Such questions go on and on. But as we answer them together, we reach critical mass in the protection of our Critical Infrastructures and we move from a defensive “What If” attitude to a proactive “What’s Best” stance that ensures the profitability of our businesses while dramatically strengthening the security of our broader economy and communities.

====
Brian Phillips is Senior Security Consultant with Bell Canada in Calgary. This article is adapted from a presentation in Calgary to the 1st Annual Cyber Security Conference – Critical Infrastructure Protection for Energy and Communications – September 9, 2008.
© FrontLine Security 2008

RELATED LINKS

Comments

CLICK HERE TO COMMENT ON THIS ARTICLE