By Benga Erinle, 3ETI
When the Stuxnet computer virus attacked the Iranian Natanz nuclear facility two years ago, it signaled cyberwarfare. Ten years ago terrorist threats were physical. Today’s threats are virtual from hackers, “hacktivists,” Internet extortionists and intelligence agencies.
These attackers aren’t lobbing grenades; they are sitting in armchairs 5,000 miles away sipping lattes as they unleash computer viruses that damage and disrupt control systems. And victims often don’t perceive assaults until it is too late.
Hacking against institutions that devote considerable resources to network security—the Pentagon, FBI and even cybersecurity corporations such as Symantec—is common. The Nuclear Regulatory Commission has indicated cyberattacks, rather than physical threats, pose the gravest danger to the nuclear power industry. The North American Electrical Reliability Corp. (NERC) established a critical infrastructure protection program to improve cybersecurity for the North American bulk power system.
Attackers, ironically, are exploiting the technology that has transformed control of critical infrastructure. Control systems, mostly based on supervisory control and data acquisition (SCADA) or other networked automation technologies, usually are based on computer networks—their Achilles heel, given that cyberwarriors can exploit weaknesses in network security to subvert and sabotage control systems. Worse, many control systems were designed and built when cyberwarfare was science fiction. Much must be done and can be done to defend against cyberattack.
First, there must be recognition that cybersecurity is a fact and must become an integral component of planning and acquisition from the outset. Cybersecurity is the protecting of interdependent network information systems, including Internet, telecommunications networks, critical infrastructure, computer systems, embedded processors and controllers. An easy way to remember it is CIA: confidentiality, integrity and availability. Confidentiality means only authorized users can understand transmitted information. Integrity ensures only authorized users can create, modify or destroy information within the system. And availability ensures the reliability and accessibility of systems for people who are authorized to use them.
Second, there must be a risk management process that defines what security level is necessary and balances security vs. operations. Yet we must avoid believing efficiency must be sacrificed for security. A well-designed, well-executed defensive system avoids that trade-off.
Third, no technique or technology exists that will ward off cyberattackers. This is why the Pentagon has embraced defense in depth (DID), which rests on a solid foundation of multiple defenses—from physical to application layers—to form an integrated defensive system. The goal is to complicate attack because terrorists aim for the softest target.
Finally, cybersecurity isn’t just technology. It is also policies, procedures and training. There must be a comprehensive approach that embraces all these dimensions. Industry, including product developers, systems integrators and plant operators, must work together to design and implement DID-based security when fielding products and creating security solutions that are robust and independently validated and protect all facets of networked control systems.
The 21st century will be an opportunity and challenge to critical infrastructure as cyberattack becomes a persistent threat. Those threats can be managed, but only by careful preparation.
Olugbenga “Benga” Erinle is president of 3e Technologies International (3eTI), an Ultra Electronics company and provider of government-validated, cybersecure network solutions that enable security for critical information systems, infrastructure protection and industrial automation. Erinle was appointed by NATO’s Civil-Military Planning and Support Section (CMPS) and the Euro-Atlantic Partnership Council (EAPC) as an Electronics Communications Expert in Critical Information Infrastructure Protection (CIIP). He also is a selected Subject Matter Expert (SME). He has an MBA from the University of Maryland, a bachelor’s degree in electrical engineering from Howard University and a bachelor’s degree in math from Bowie State University.