{"id":13640,"date":"2018-10-22T08:00:02","date_gmt":"2018-10-22T16:00:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/22\/news-7407\/"},"modified":"2018-10-22T08:00:02","modified_gmt":"2018-10-22T16:00:02","slug":"news-7407","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/22\/news-7407\/","title":{"rendered":"Safeguarding the Nation\u2019s Critical Infrastructure"},"content":{"rendered":"<p><strong>Credit to Author: William &#8220;Bill&#8221; Malik (CISA VP Infrastructure Strategies)| Date: Mon, 22 Oct 2018 14:43:06 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-300x169.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-768x432.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-640x360.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-440x248.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-380x214.jpg 380w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800.jpg 800w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>In May of 1998, President Clinton issued Presidential Decision Directive 63: Protecting America\u2019s Critical Infrastructures. This Directive proposed steps to enact the recommendations of the President\u2019s Commission on Critical Infrastructure Protection, published in October 1997.<\/p>\n<p>Twenty years on, how are things going? 
The US Federal government has identified critical infrastructure sectors and associated each with a lead agency. The US-CERT (United States Computer Emergency Readiness Team) coordinates the Federal CIO Council, Government Forum of Incident Response and Security Teams (GFIRST), and the National Council of Information Sharing Analysis Centers (ISAC Council).<\/p>\n<p>What\u2019s next? Regulations are still far behind the realities of information security, and the challenges are becoming more serious. IT\/OT convergence exposes weaknesses in systems that originally ran in isolated networks. Waiting for IoT or Industrial IoT vendors to voluntarily improve product security hasn\u2019t worked since \u201cC2 in \u201992!\u201d As Bruce Schneier puts it, the question now is not regulation vs. no regulation, but good regulation vs. bad regulation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-542088\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/Critical-Infrastructure.jpg\" alt=\"\" width=\"480\" height=\"270\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/Critical-Infrastructure.jpg 480w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/Critical-Infrastructure-300x169.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/Critical-Infrastructure-440x248.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/Critical-Infrastructure-380x214.jpg 380w\" sizes=\"auto, (max-width: 480px) 100vw, 480px\" \/><\/p>\n<p>The most reported critical infrastructure vulnerabilities concern the power grid. The BlackEnergy vulnerability allows hackers to destroy generators by briefly interrupting their connection with the grid. After the generator falls out of phase, Aurora malware re-establishes the connection, and the generator rips itself apart. Fixing this requires updating control circuits on every generator \u2013 a massive undertaking. 
The US has more than 8,000 power plants. Those using conventional fuels may be vulnerable.<\/p>\n<p>Another widely reported vulnerability concerns insecure electronic voting technology. Recent events have shown that such tools are too easy to disrupt maliciously. Deploying a secure, encrypted voting network would involve updating technology at more than 120,000 polling places, another massive expenditure.<\/p>\n<p>Hospitals remain a significant target. Connected healthcare systems expose Operational Technology to IT vulnerabilities. Remediation is difficult as (US-based) hospital technology is FDA certified, and the certification process can take years. Changing the software in a certified device invalidates the certification. So health care technology software is five or more years out of date at best. There are more than 5,000 hospitals supporting nearly 900,000 patient beds in the US.<\/p>\n<p>Cheaper IoT means non-IT-certified solutions are popping up. One hospital improved patient care and nurse productivity by buying inexpensive sensor pads for hospital beds in one ward. For about $60 each, they put a pad under the mattress cover. The pad notified the nurses\u2019 station if the patient moved or if the dampness changed. That alert would bring the nurse to the patient\u2019s bedside quickly. Rather than walking rounds, the nurses could work on charts, prep medicines, and handle paperwork. The informal experiment was so successful that the rest of the hospital followed suit, and spent about $120,000 to instrument all 2,000 beds. Then the head of nursing went to the head of IT and asked them to take over management of this configuration. The pads used unencrypted Bluetooth and were invisible to IT\u2019s network monitoring. If the nurses had asked for fully certified intelligent patient beds, the cost would have been upwards of $12,000,000 and never would have been approved. 
This will happen to every industry as IoT applications become affordable.<\/p>\n<p>Supply chain vulnerabilities are growing. The attacks that can harm commerce through ports include \u201cmeaconing\u201d (sending fake GPS signals to route a ship incorrectly), ransomware (which can cripple the software managing the loading and unloading of ships and trucks), and corruption of container loading stowage software to make ships unbalanced. Since each port in the world is different, mitigating these attacks will require detailed analysis of each and yield different recommendations.<\/p>\n<p>Today\u2019s critical infrastructure is less vulnerable than it was 20 years ago, but its protection is far from adequate. We have identified the potential target areas, and we have some sense of what has to happen to reduce the consequences of an attack. But we do not have the regulatory mandate to drive compliance, and voluntary measures have not, and will not, work. There is much that needs to be done.<\/p>\n<p>References: Presidential Decision Directive 63 <a href=\"https:\/\/fas.org\/irp\/offdocs\/pdd\/pdd-63.htm\">https:\/\/fas.org\/irp\/offdocs\/pdd\/pdd-63.htm<\/a><\/p>\n<p>US-CERT <a href=\"https:\/\/www.us-cert.gov\/Government-Collaboration-Groups-and-Efforts\">https:\/\/www.us-cert.gov\/Government-Collaboration-Groups-and-Efforts<\/a><\/p>\n<p>Cryptogram, Bruce Schneier, Sept 15 2018, <a href=\"https:\/\/www.schneier.com\/crypto-gram\/\">https:\/\/www.schneier.com\/crypto-gram\/<\/a><\/p>\n<p>What do you think? 
Let me know by commenting below, or reach me <a class=\"ProfileHeaderCard-screennameLink u-linkComplex js-nav\" href=\"https:\/\/twitter.com\/WilliamMalikTM\"><span class=\"username u-dir\" dir=\"ltr\">@WilliamMalikTM<\/span>\u00a0<\/a>.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\/safeguarding-the-nations-critical-infrastructure\/\">Safeguarding the Nation\u2019s Critical Infrastructure<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\"><\/a>.<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com\/safeguarding-the-nations-critical-infrastructure\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: William &#8220;Bill&#8221; Malik (CISA VP Infrastructure Strategies)| Date: Mon, 22 Oct 2018 14:43:06 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-300x169.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-768x432.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-640x360.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-440x248.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800-380x214.jpg 380w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/20180918030904138-997-RUDskLX-800.jpg 800w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>In May of 1998, President Clinton issued Presidential Decision 
Directive 63: Protecting America\u2019s Critical Infrastructures. This Directive proposed steps to enact the recommendations of the President\u2019s Commission on Critical Infrastructure Protection, published in October 1997. Twenty years on, how are things going? The US Federal government has identified critical infrastructure sectors and associated each with&#8230;<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\/safeguarding-the-nations-critical-infrastructure\/\">Safeguarding the Nation\u2019s Critical Infrastructure<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\"><\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10420,11231,714,10752],"class_list":["post-13640","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-critical-infrastructure","tag-internet-safety","tag-security","tag-vulnerabilities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13640"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13640\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\
/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13640"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}