One thing for sure. An extra big helping of what is failing everywhere else is not going to work for critical infrastructure anyway.

I agree that a lot needs to be done to protect our nations CI.

But it’s more than just operators failing to install patches when they become available.

A great deal of the “critical infrastructure” is managed by hardware and software that’s over 25 years old.

And they were built with our understanding of the threat environment 25 years ago. The networking protocols they use have implicit trust, and no verification, the hardware was not meant to be exposed to direct attack, the devices have minimal hardware capabilities, most don’t require passwords to access… You get the idea.

And updating some of those systems (modernizing) is a non-trivial task.

For example, to update a critical system at a large-scale power generator comes at a revenue cost of upwards of $1,000,000/day of downtime.

And often, those being required to implement large-scale changes are not in the position to increase their prices because of regulatory requirements.

Next, you have the situation (and this is where I think the most attention should be paid going forward) where the producers of hardware and software that run the CI are absolutely CLUELESS about security. “25 years ago, we sold you this sweet system, now, here’s the same system, but this time it’s WIRELESS enabled!!!”

Moving our nation’s critical infrastructure from where it is now to where it needs to be will not happen over night. But as mentioned by Jerry, NERC has a long-term roadmap that seems very attainable, and the NRC is about to issue a formalized Cyber Security rule for Nuclear. The energy sector is moving that direction.

Water, gas, and other critical infrastructure components will likely be next.

Where do I think the biggest changes can be made?

The most important thing I’d like to see happen is for the federal government to say: Every new system (software/hardware) we buy must meet the following performance and security requirements out of the box… And list em out.

That’ll force slackers like Microsoft to quit pushing out systems that have 15 year old bugs in them :/ Microsoft “Secure Coding Initiative” is a frigging JOKE. Maybe it’s good in principle, but MS08-067? WTF.

And SCADA implementers might chose to write their systems on secure operating systems, like OpenBSD, rather than on Winblows/Linux, so they can leverage the built-in security features of the OS to increase their own product’s security.

Bill

I deliberately didn’t reference anything in particular. It was something that was rattling around in my brain pan for a while. As to NERC I’m very well aware of them and the great work that they are trying to accomplish. The problem is that only pertains to the electricity market. I’m talking about the state of critical infrastructure as a whole.

Great comment. thanks for chiming in.

cheers,
Dave

An excellent point. As with any situation there will parties on both sides of the issue and yes, there are most definitely owners/operators that use the patching as an excuse. It’s unfortunate and it has to come to an end. While there might be a hart time finding a solution I think it is incumbent on us as a whole to dig in our heels and starting doing something about it.

The journey of a thousand steps…yadda yadda yadda.

Thanks for the comment.

cheers,
Dave

Theres blame on both sides, and as much as I think it might take the government paying more attention to fix issues like these and others like it, I believe that while it does reach a workable solution it is often the least optimal way of getting there and is seldom the best solution.