Security Schism Front and Center

Wednesday, July 8, 2015 @ 05:07 PM gHale

By Gregory Hale
Security enlightenment hinges on trust, communication and the sharing of information, yet individual silos still keep the government and the private sector from connecting.

While the good news is that cyber incidents reported to ICS-CERT are down for the first half of the fiscal year, ICS-CERT and DHS remain concerned: they do not think incidents are declining, but rather that fewer organizations are reporting attacks, even though the government has made a concerted effort to allow for greater connectivity between the private and public sectors.

In the first half of FY 2015 (October 2014 through April 2015), ICS-CERT responded to 108 cyber incidents involving critical infrastructure in the United States, according to a report in the ICS-CERT Monitor. As in previous years, the energy sector leads all others with the most reported incidents.


There is a lower percentage of reporting directly by asset owners, the Monitor report said. Just over one-quarter of the incidents reported to ICS-CERT come directly from owners and operators, while federal partners, researchers and open source media are the primary sources of reported incidents. In several cases, the report said, internal DHS analysis of data obtained through its partnerships in the cyber security community helped uncover new incidents.

“From my knowledge of the industry, the number of attacks appears to be the same or greater than in previous years,” said Graham Speake, vice president and chief product architect at NexDefense, Inc. “Many people are still wary about reporting for a number of reasons, including not having confidence in data being kept secure and/or anonymous by ICS-CERT or any third party, and also due to an internal culture within companies that marks this information as confidential. Often there are more informal groups or personal contacts where this data is shared, and people are more free with information there as they personally know and meet with each other.”

Attacks on Rise
From what security experts are saying, attacks and incidents are not declining.

“The number of attacks is growing day by day, especially for ICS operators,” said Dewan Chowdhury, founder and chief executive at security provider MalCrawler. “I would agree with ICS-CERT that fewer people are reporting, and many of their cyber incidents pertain to their IT systems and not their OT systems.”

Unless reporting is mandatory, however, industry appears to keep government entities at arm’s length.

“The private sector has used their lobbying power (mainly the U.S. Chamber of Commerce) multiple times to ensure the federal government does not regulate cyber security for industry,” Chowdhury said. “We witnessed when the President signed an executive order for the NIST framework that it was only a voluntary program (due to the pressure from the lobbying group). The recent hack on OPM (the federal Office of Personnel Management) and other government agencies are used by industry to point out: how can the federal government regulate us when they themselves are being exploited day after day?

“Many state agencies have reporting requirements if a utility, for example, got hacked or suffered physical issues from a cyber attack. The industry will use this as a way to keep the federal government from breathing down their neck. I don’t see mandatory reporting in the other industry except for power as it is regulated and interconnected,” Chowdhury said.

“Regulation does force companies to report this information, but even then people will look to see what and when they need to report, or if it is an event or an incident,” Speake said.

“There is a lot of variability in incidents that is hard to explain,” said John Cusimano, director of industrial cybersecurity at aeSolutions. “It is up one year and down the next. In some sectors it is mandatory to report incidents, but they don’t get shared. The numbers are such a small subset of what is really going on. Incident reports are still just immature. Some of it falls into what qualifies as an incident. There are no standards on what is considered an incident or not.”

Awareness Levels
Government involvement is one thing, but industry awareness is through the roof.

“I don’t see customers slowing down in terms of cyber security,” Cusimano said. “That is on the rise. Since the NIST framework there has been a general change in the industry. Before, cyber security was shepherded by various IT groups in the company just to stay ahead of the curve. Since the framework, there has been an increase in public cyber attacks, not necessarily ICS related, like Target, Home Depot and Sony. Between the two, the framework and the highly publicized breaches, with the result being that the Target CEO and CIO lost their jobs, it has caught the eye of the board of directors.”

“We work quite a bit in oil and gas, and even with the slow market, they are not slowing down where they want to understand the risk,” Cusimano said.

In the end, it all comes down to communication and trust, so that security professionals can learn and share information and work toward keeping their systems up and running.

“The benefits of open and honest reporting still need to be fed down to companies, and there also needs to be more outreach to inform companies on how they can report incidents,” Speake said. “Through my SANS work as well as meeting customers, I often meet with people who do not know that much (or anything) about ICS-CERT and would not report an incident due to that lack of knowledge.

“It is interesting to compare the figures from ICS-CERT with those from the recent SANS survey, where 34 percent of respondents reported two or more breaches in the last year and 15 percent needed more than a month to find out they had been breached. With just over 300 respondents, over 100 therefore admitted to having a breach in the last 12 months, which is nearly the figure ICS-CERT has, but there are many, many more companies that are not in the SANS survey that are likely to have had an incident, and this makes it look like the ICS-CERT figure is only the tip of the iceberg.

“As Darrell Huff (a writer best known for his book, “How to Lie with Statistics”) said: ‘Many a statistic is false on its face. It gets by only because the magic of numbers brings about a suspension of common sense.’ ”