McAfee Report, January 28, 2010

"In the Crossfire: Critical Infrastructure in the Age of Cyberwar"

CEO Response

Brian M. Ahern, CEO, Industrial Defender, Inc.
This report is a great continuing effort to raise public awareness of the cyber vulnerabilities of critical infrastructure in an ever more networked world. Critical infrastructure owners and operators report that their networks and control systems are under repeated attack. The study notes that "the impact of cyberattack varies widely, but some of the consequences reported were severe, including critical operational failures. The reported cost of downtime from major attacks exceeds $6 million per day – apart from cost, the most widely feared loss from attacks is damage to reputation, followed by the loss of personal information about customers."

What about the threat to public safety? How do we define critical infrastructure? Information technology networks containing personal and financial data are certainly considered critical infrastructure, but we must also consider SCADA and Industrial Control Systems (ICS) as equally important critical infrastructure that needs to be secured from cyber attack as well. Although there are several references to SCADA and ICS, the study does not sufficiently emphasize that these control systems control physical processes in real time; they are the very systems at the heart of the electric grid, controlling processing operations in chemical plants and oil refineries, and controlling access to our water supplies and our transportation systems. Although the report's conclusions are largely driven in response to an attack on critical "information" infrastructure, allowing access with malicious intent to critical "operational" infrastructure can cause significant threats to public safety, such as environmental damage, disruptions in power, energy and transportation, and even loss of life. More than three quarters of the study respondents with responsibilities for such systems reported that they were connected to the internet or some other IP network, and just under half of those admitted that this created an "unresolved security issue." This increased connection between IP networks and SCADA/ICS systems provides an open gateway for an attack on one critical infrastructure network (information technology, for example) to easily traverse to the operational systems and vice versa.

Who is accountable for remedying this "unresolved security issue"? The report also states that there is a lack of awareness and sense of urgency. The number one barrier is the security folks who haven’t been able to communicate the urgency well enough, and they haven’t actually been able to persuade the decision makers of the reality of the threat - "a lot depends on your position within the organization…typically if your CSO does not report to the CEO, he is probably too deep within the organization." The good news is that nearly half, 46 percent, said their CISO reported directly to the chief executive officer. We believe that accountability for the security of operational infrastructure needs to be of equal importance to that of the IT infrastructure and needs to be first and foremost at the most senior levels of an organization. We also believe that it needs to be addressed at the highest levels of our government as well. Will the new Cyber Czar be as effective as he should be when he doesn’t report to the President?

What's your opinion? Email us at: opinion@industrialdefender.com

Related Materials

SC Magazine: Global critical infrastructure under attack, study finds
McAfee Report: Download (Registration Required)
New York Times: Survey Finds Growing Fear of Cyberattacks
Wall Street Journal: Utilities, Refineries and Banks Are Victims of Cyber Attacks, Report Says
ABC News: Power Plants, Other Infrastructure Face Hackers
CNET: Report shows cyberattacks rampant; execs concerned
NetworkWorld: DDoS attacks, network hacks rampant in oil and gas industry, other infrastructure sectors
Reuters: Key infrastructure often cyberattack target: survey