Despite threats of infrastructure attacks, scant attention was paid to control systems during a global security conference.
As online attacks increase in severity and reach, targeting everyone from Google to the Pentagon, leading security experts and government officials met last week in Dallas at the EastWest Institute's first annual Cybersecurity Summit.
The goal of the conference: to find common solutions to cybercrime and other online attacks, which of course respect no national boundaries.
Step one, then, was to introduce policymakers and experts from around the world, to begin creating the relationships and transparency needed to make this happen. "How can you do partnerships with private industry, how can you do it with other governments when everything's behind a veil of secrecy?" said White House Cybersecurity Coordinator Howard Schmidt.
The next step, however, will be more challenging. "Breakthrough solutions will require the effective integration of technical, business, legal, defense and international policy competencies on a level that has not happened so far," wrote attendee Ikram Sehgal, a defense and political analyst and EastWest board member, in The News, a Pakistani newspaper. "Nations are thinking too parochially about their online security to collaborate on crafting global cyber regulations."
Top of the cybersecurity agenda for many governments: how to prevent "nightmare" infrastructure attacks against "electricity, power grids, transportation, airplanes, water supply, finance, the banking system [and] the health system," said Patrick Pailloux, director general of the French Network and Information Security Agency. His biggest nightmare? "That we don't have enough time to prepare us for the nightmares."
Such infrastructure attacks are ongoing, and at least in the United States, on the increase, said retired Air Force lieutenant-general Harry Raduege, now chairman of Deloitte's Center for Cyber Innovation. "We have experienced a number of attacks against the financial sector, on the power grid and against our defense capability."
Curiously, given the infrastructure worries, of the roughly 450 invited attendees present, only one hailed from the industrial control systems community, said critical infrastructure security expert Joe Weiss. "I was the one. That's absolutely typical -- there wasn't one single electric utility there, not even the one headquartered in Dallas, and there wasn't one single control system supplier."
At issue -- for a meeting intended to find global solutions to information security challenges -- is the fact that safeguarding control systems against attackers requires a different approach than securing PCs or networks. For starters, Windows-based security products won't help. "All the devices that sense things -- temperature, pressure, flow and things like that -- are not Windows, those are proprietary, real-time or embedded, and there's no security there." Furthermore, seemingly rote IT activities, like installing antivirus on a control system, can actually create a denial of service. "Who needs hackers?" he said.
Infrastructure defenders, stay tuned: After bringing the above disconnect to the summit organizations' attention, Weiss received an assignment: to get the control systems community involved in next year's Cybersecurity Summit in London.