Can Manufacturing Trust Govt.?

Monday, July 13, 2015 @ 05:07 PM gHale

By Gregory Hale
The argument for more governmental oversight of industrial security is that it would make everything more transparent and increase security, yet private sector firms elect to hold on to information, fearing government intrusion and reasoning that if the government can't keep its own house in order, why should the private sector entrust its secrets to Uncle Sam?

After the Office of Personnel Management (OPM) fiasco, can you blame the private sector?


Based on the most recent information, investigators now believe the data theft from OPM computer systems compromised sensitive personal information, including Social Security numbers, of roughly 21.5 million people from inside and outside the government, the government said.

Of these, hackers obtained information from the security clearance applications, known as SF-86s, of 19.7 million people.

Another 1.8 million were non-applicants, mostly spouses and partners of applicants.

OPM had initially estimated the hackers obtained the files of 4 million people, based on the servers containing personnel data of current and former government employees.

Last week, Director of National Intelligence James Clapper told CNN at an intelligence conference that China is the “leading suspect” in the OPM hack.

Just last week, ICS-CERT reported cyber incidents are down for the first half of the fiscal year, but that is no cause for celebration, because the drop could simply mean fewer organizations are reporting attacks.

In the first half of FY 2015 (October 2014 through April 2015), ICS-CERT responded to 108 cyber incidents involving critical infrastructure in the United States, according to a report in the ICS-CERT Monitor. As in previous years, the energy sector continues to lead all others with the most reported incidents: electricity (13), petroleum (9), natural gas (4) and miscellaneous (3), together accounting for 28 percent of the total. The water and critical manufacturing sectors came in second and third, with 19 percent and 18 percent of reported incidents respectively.

ICS-CERT and DHS remained concerned, though, about the low share of incidents reported directly by asset owners, the Monitor report said. Just over one-quarter of the incidents reported to ICS-CERT come directly from owners and operators, while federal partners, researchers and open source media are the primary sources of reported incidents. In several cases, the report said, internal DHS analysis of data obtained through its partnerships in the cyber security community helped to uncover new incidents.

While reporting incidents to ICS-CERT is voluntary, the agency encourages critical infrastructure stakeholders to contact it for assistance in responding to a malicious cyber event.

“Many people are still wary about reporting for a number of reasons, including not having confidence in data being kept secure and/or anonymous by ICS-CERT or any third party, and also due to an internal culture within companies that mark this information as confidential,” said Graham Speake, vice president and chief product architect at NexDefense, Inc. “Often there are more informal groups or personal contacts where this data is shared, and people are more free with information here as they personally know and meet with each other.”

From what security experts are saying, attacks and incidents are not declining.

“The number of attacks is growing day by day, especially to ICS operators,” said Dewan Chowdhury, founder and chief executive at security provider MalCrawler. “I would agree with ICS-CERT that fewer people are reporting, and many of their cyber incidents are pertaining to their IT system and not their OT system.”

Unless there is mandatory reporting, however, the industry appears to keep the government entities at arm's length.

“The private sector has used their lobbying power (mainly the U.S. Chamber of Commerce) multiple times to ensure the federal government does not regulate cyber security for industry,” Chowdhury said. “We witnessed when the President signed an executive order for the NIST framework that it was only a voluntary program (due to the pressure from the lobbying group). The recent hack on OPM (the federal Office of Personnel Management) and other government agencies are used by industry to ask how the federal government can regulate us when they themselves are being exploited day after day.

“Many state agencies have reporting requirements if a utility, for example, got hacked or suffered physical issues from a cyber attack. The industry will use this as a way to keep the federal government from breathing down their neck. I don't see mandatory reporting in other industries except for power, as it is regulated and interconnected,” Chowdhury said.

“Regulation does force companies to report this information, but even then people will look to see what and when they need to report, or whether it is an event or an incident,” Speake said.