About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years of experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting and in enterprises ranging in size from $50M to $20B in revenue. Scott’s experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, successfully built 9 data centers across the country, and is an expert in understanding ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Tuesday, August 3, 2010

Computer Hackers - Targeting Power Plants?

You have heard me say before, if you want a secure network, unplug it. Right? Do we really need our critical infrastructure on the public internet? Can they not have a private network? Sure they can. Many organizations are not taking Information Technology (IT) security seriously.

Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems. You know, those items that come up every year during the budget process, that we put off another year...

Cyber criminals have long tried, at times successfully, to break into vital networks and power systems. But last month, experts for the first time discovered a malicious computer code, called a worm, specifically created to take over systems that control the inner workings of industrial plants.

In response to the growing threat, the Department of Homeland Security has begun building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country. In addition, we need to start holding corporate internet users accountable. If you plug in, you be secure. If you can't pass the Homeland Cyber Security Audit, you are unplugged. Simple, isn't it?

As much as 85 percent of the nation's critical infrastructure is owned and operated by private companies, ranging from nuclear and electric power plants to transportation and manufacturing systems. Many of the new attacks have occurred overseas, but the latest episode magnified worries about the security of plants in the U.S.

"This type of malicious code and others we've seen recently are actually attacking the physical components, the devices that open doors, close doors, build cars and open gates," said Sean McGurk, director of control systems security for Homeland Security. "They're not just going after the ones and zeros (of a computer code), they're going after the devices that actually produce or conduct physical processes."  I think that is crucial point, don't you?

Officials have yet to point to any operating system that has been compromised by the latest computer worm. But cyber experts are concerned that attacks on industrial systems are evolving.

In the past, it was not unusual to see hackers infiltrate corporate networks, breaking in through gaps and stealing or manipulating data. The intrusions, at times, could trigger plant shutdowns. The threat began to escalate last year, with cyber criminals exploiting weaknesses in systems that control what the industries do.  What about HealthCare?  Patient data secure?  Key life support systems that sit on the network and report to the nurse station - secure?

The latest computer worm, dubbed Stuxnet, was an even more alarming progression. Now hackers are creating codes to actually take over the critical systems.

In many cases, operating systems at power plants and other critical infrastructure are decades old. Sometimes they are not completely separated from other computer networks used by companies to run administrative systems or even access the Internet.  Who is being held accountable?  What about annual audits?  Vulnerability scans?  Seems to me there should be some wake up calls here.

Those links between the administrative networks and the control systems provide gateways for hackers to insert malicious codes, viruses or worms into the programs that operate the plants.  There needs to be appropriate network design, check points, monitoring and prevention. 

I propose to you that the wake up call will not happen till we see a major power grid failure due to a computer hack from a foreign interest. Computer security has not been taken seriously, it is always a budget line item that is cut, and there is no one being held accountable. If a corporate or enterprise network is compromised, there needs to be an investigation and determination of what happened, and why. Too many times we sweep these under the rug, hope it will go away to save face, and hackers are benefiting. If your company has a network and plugs into the internet backbone, you better have security, monitoring and a response team. If you cannot pass a security check, a random check, you get unplugged. You are compromising all organizations.

Security is everyone's responsibility!

Scott Arnett
scott.arnett@charter.net
