The US government relies on commercial industry to safeguard the Internet, telecommunications, power, water, and other critical infrastructure that underpin our national economy. Elements of this infrastructure also directly support our ability to project military power worldwide.

Industry works closely with the government to advance the ‘state of the possible’ in cyber defense. As a former CIO and military systems analyst, I have witnessed several generational cycles of defensive technology developments in the cyber arena. In the mid-90s, for example, system administrators configured firewalls (from standard computer systems) by hand, and reviewed log files (either manually or through then-clever application of scripts) to detect, characterize, assess, and potentially contain cyber intrusions. Today, automated intrusion prevention systems are available as commercial-off-the-shelf (COTS) products, integrated with firewalls and incident management solutions to allow very rapid detection and blocking of cyber attacks. This is just one example of how industry has worked closely with the government to deliver significant advances in cyber defense technologies.

Unfortunately, our cyber adversaries today have proven relentless and highly flexible in their endless pursuit of effective attacks (for an entertaining perspective on the topic, please read Toney Jenning’s “Caddyshack & The Defense of Cyberspace: No More “Wack-a-Mole”” post on GlobalSCAPE’s blog site). Those of us in the information security industry understand that the next major terrorist strike very well may come from the cyber domain or, at a minimum, include cyber attacks as part of a broader operation. From a traditional national security perspective, it is a near certainty that future adversaries will continue to develop their cyber attack capabilities. Such asymmetric warfare capabilities are increasingly attractive, given the overwhelming superiority of US forces in conventional, force-on-force combat.

As a result, GlobalSCAPE, our partners and many others in the industry are working tirelessly to deliver next-generation cyber defense capabilities and stay one step ahead of our adversaries. Our continued development in this area is a national imperative. We are excited by the prospects for transformational solutions like application whitelisting to allow more assured defense of the cyber frontier. We’ll be addressing a variety of cyber defense topics in future posts. Stay tuned!

“Unlike other concerns, such as extreme weather, security-related threats can be driven by malicious actors who intentionally manipulate or disrupt normal operations as part of a premeditated design to cause damage. Cyber-related threats pose a special set of concerns in that they can arise virtually anytime, anywhere and change and emerge without warning.”

He continues:

“While the industry deals with some physical security events, like copper theft, on a regular basis, other technical threats or hazards, such as electromagnetic pulse and space weather, are a concern and will require careful consideration to develop appropriate and effective mitigations. Cyber threats to control systems are still evolving and are not yet fully understood. The potential for an intelligent attacker to exploit a common vulnerability that impacts many assets at once, and from a distance, is one of the most concerning aspects of this challenge.”

One of the reasons why cyber attacks are so concerning to those who are responsible for our energy grid, is that these types of attacks simply do not fall within the design for reliability and disaster recovery that the energy systems were built for. Reliability of our energy grid has been of paramount importance since its inception and as such it was designed to be able to respond to a system failure without interruption of power to the homes they served. Unfortunately, this disaster preparedness focused on recovering from the failure of one system and using other systems to compensate during that time, this is often referred to as N-1 preparedness. In a cyber attack, there is the potential for widespread disruption of these same systems creating an N-x problem where more than one system is down and the plan for compensation by other systems will potentially not be adequate.

Mr. Assante goes onto describe that one of his top priorities is preparing the operators of the energy grid against new and not fully understood cyber attacks. To address this to some extent he has developed a notification process where operators of the grid can be immediately notified of a pending threat. He calls out their efforts around the Conficker worm:

“NERC’s recent work to alert the industry of the Conficker worm, including lessons learned on mitigation, involved the issuance of one recommendation, two advisories, and an awareness bulletin over the span of six months. These efforts significantly contributed to overall preparedness and awareness of the underlying vulnerability and cyber threat.”

Unfortunately, it has been proven time and again, that a simple after the fact notification, while helpful, can simply not defend in the long term against serious threats that can cause widespread disruption to critical systems. After the fact technology and processes simply don’t work.

More than ever it is time for protective systems that can prevent threats without ever having to know about them. This was the focus of a recent blog entry titled “Endpoint Protection – A Case For a Rational Transition to Whitelisting: Step 1 Protect.” Protecting critical endpoint systems against unknown threats is possible today with application whitelisting and should be a top priority.

It should be no surprise that adoption of application whitelisting is being led by industries who have the most critical security needs. In the case of satisfying NERC CIP requirements, application whitelisting goes beyond meeting the letter of the regulations, it accomplishes the spirit of the regulations by dramatically enhancing the protection of those systems that are critical to the continued functioning of our energy grid.