There are two types of companies: those that have been compromised by a cyber incident and those that are not yet aware that they have been compromised.
It was an important message for delegates to the third annual Security Technology Conference (SecurTech 2013) in Ottawa this fall, a reminder that cyber threats are ubiquitous and many companies and individuals are not yet taking enough measures to mitigate them.
As Tim Page, president of the Canadian Association for Defence and Security Industries, noted in his opening remarks, “serious risks to public safety, threats to our eco systems, traditional way of life and national security challenges abound and are growing in complexity, impact and cost. Governments, emergency responders, security agencies, industry and ordinary citizens are mutually exposed to these challenges and therefore mutually dependent to find a way forward in these turbulent times.”
The conference’s fourth and final panel focused on critical infrastructure (CI) and cyber resilience, zeroing in on one of the more unanticipated vulnerabilities in today’s CI, industrial control systems. The conference was conducted under the Chatham House Rule, so speakers and their affiliations cannot be identified.
Cyber attacks on industrial control systems (ICS) have increased significantly. These systems, used extensively in the utilities sector for services such as electrical, water, oil and gas and in data industries, constitute a major exposure. ICS were never intended to connected to the Internet; they were supposed to be air-gapped, a precaution that has been effectively neutralized by digital networking.
And they have become even more susceptible to attack as more employees ask for data to be uploaded to the Internet to allow them to work on their personal devices. This BYOD (bring your own device) approach to business may appear to reduce hardware costs, but it has introduced new threats as employees seek access to data through their smart phones and iPADs, opening the door to the more than one million pieces of malware currently in operation.
Public Safety Canada’s Cyber Incident Response Centre (CIRC) is the guard and guardian against cyber attacks on government and industrial information and data systems. Its website notes that it is “Canada’s national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber events,” and has probably dealt with any malware that the Canadian private sector might encounter.
The centre is intended as a resource for industry to assist with cyber-related challenges, but many in the private sector feel there are disincentives to sharing information with government. As one speaker asked: “What do they get in return?” There is also concern that privileged information affecting competitiveness may be inadvertently leaked to rival interests if cyber incidents are shared.
Back to that reality check: Chances are your company has already been compromised, whether you know it or not. So the value of CIRC staff, who have been cleared to top secret, is their ability to share cyber-related information and insight with those companies that share incidents with the centre.
CIRC has acknowledged industry concerns about sensitive commercial information and strived to ensure that only information about cyber threats that does not impact the competitive positions of clients is shared. Still, as a government official acknowledged, the centre only receives notice about one-tenth of incidents that occur in Canada business each year.
Several speakers noted that without mandatory reporting, there would always be “a tendency to hide the problem. “But one presenter urged industry to “stop looking at (cyber) security as a cost, but rather as a business enabler.” And another assured delegates that what had once been under the radar and “something to catch up” with, was now “a board level risk discussion.”
One success story that some sectors might consider emulating is the financial industry, which not only shares information with CIRC but has also developed its own incident response centre.
A cyber system without security is like a car without brakes and lights, attendees were told – it would not be permitted on the road. As with simple brake and electrical repairs, 80 to 85 percent of cyber attacks can be prevented by applying patches for the systems and office suites on which critical infrastructure and industrial control systems rely, but the responsibility of this rests with industry, not government. Maintaining system updates, upgrades and patches, and limiting the number of people with administrator rights, remain the most effective and least expensive measures available.
These are all important steps. But industry also needs to be involved with the CIRC for the system to work properly. Partnership is the glue behind corporate cyber security.
Ben Sabbath is a Nova Scotia-based defence and security expert.