President Barack Obama’s February executive order on critical infrastructure put cybersecurity at the top of the agenda, but determining just how vulnerable the industry is has been up for debate.

“All the technology that you own doesn’t do you any good if there isn’t a smart human operating it,” said Patrick Miller, founder of EnergySec and the National Electric Sector Cybersecurity Organization (NESCO). “You don’t give a massive chain saw to someone who hasn’t used one before.”

Miller’s presentation was part of a two-day conference on cybersecurity sponsored by (ISC)2, which maintains and administers the Certified Information Systems Security Professional (CISSP) certification exam.

Seeking to give the “ground truth” on cyber and critical infrastructure, Miller made several controversial assertions: prevention is a myth; hackers will continue to outpace regulation; national information sharing won’t work; and any attack on infrastructure will only have localized effects.

“You won’t prevent anything,” he said. “If there’s a determined adversary, they will get in.”

Miller said companies need to continue prevention efforts, but be cognizant of the fact that they will never be 100 percent successful.

Security regulations are not keeping pace with adversaries’ innovation, he said.

“You can make a lot of regulations to check the box, but you won’t be secure,” he said.

To overcome this challenge, Miller said the government needs to recognize that one size won’t fit all when it begins implementing the executive order. 

He is skeptical of information sharing practices, especially at the national level.

“We’re not really sharing information,” he said. “We’re sharing pieces of information.” 

Miller suggested that the next attack on critical infrastructure won’t be the doomsday scenario that pundits have suggested, as adversaries are either not interested in or not capable of such attacks.

“Their MO (modus operandi) for battle is not frontal assaults,” he said. Rather, it’s “a thousand little assaults to make you bleed to death.”

Despite the emphasis on the cyber vulnerabilities of critical infrastructure, Miller said most systems are so diverse that they cannot be totally disabled. Gas pipelines, for example, still have hand-turned valves that a person would have to tamper with to shut them down.

Miller said this diversity can also make the systems difficult to keep track of. His solution to the problem is finding the balance between adding layers of security and increasing simplicity.

He said critical infrastructure will be more secure when it can also include automation.

“The definition of resilience [is] when prevention, detection and response come as close to a singular event as possible,” he said.