Critical infrastructure risks in the U.S. still high

This post is also available in: עברית (Hebrew)

Cyber attacks on critical infrastructure (CI) in the U.S. is up — way up, particularly in the energy sector. The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported earlier this year that there were a third more cyber incidents (111) reported by the energy sector, in the six-month reporting period ending in May, than in the previous 12 months (81).

But so far, the power grid, transportation, water and other control systems dont seem to be going down in any catastrophic way. And an executive order this past February from President Obama calls for frameworks for the protection of CI to be implemented by February 2014.

Does that mean the multiple warnings about catastrophic damage to U.S. industrial control systems (ICS) from cyber attacks are overblown?

There is still debate about that among experts. As some regularly point out, regions of the nation have survived major blackouts in the past, including the blackout and other associated damage to the northeast from Superstorm Sandy just months ago, in October 2012. Given that, surely the U.S. can survive a major CI cyber attack.

Bruce Schneier, author, security guru and chief security technology officer at BT has said more than once, here, that while the risks of damage to CI are real and could be significant, they are not at the catastrophic act-of-war level. “Throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people,” he has said.

iHLS – Israel Homeland Security

Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, noted that, “government leaders have warned of a ‘digital Pearl Harbor’ for 20 of the 70 years since the actual Pearl Harbor, so clearly these things are more difficult than we normally think. It is easy to attack something and knock it down, but really difficult to keep it down over time.”

But then there is Joe Weiss, managing partner at Applied Control Solutions, who has been pointing out for years that power grid equipment supports just about every critical service: water, oil and gas systems, manufacturing, telecommunications, transportation and banking.

More significant, Weiss said, is that many of the large components of that grid are not made in the U.S. and cannot be replaced in days or weeks. “A targeted attack against this equipment can cause outages of up to nine to 18 months or more,” he said.

That echoes James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), who told CBS’s “60 Minutes” in November 2009, that major electrical generators require a lead time of three or four months just to order them.