Having served more than 20 years in the US Air Force, including 14 years in Information Warfare, I can imagine some very dark scenarios regarding attacks on critical infrastructures. In the US, we’ve defined 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials and Waste; Transportation Systems; and Water and Wastewater Systems.
The potential impact of a targeted cyber attack certainly depends on which critical infrastructure sector is attacked or which combination of critical infrastructure sectors are attacked simultaneously.
If I were writing a novel, I could imagine a scenario where all of these interconnected sectors were attacked simultaneously in an effort to wreck a country. But I also recognize that everyone working in the US counter terrorism community in 2001 was staggered by the destruction of the attacks conducted on September 11th. No one believed such a thing was possible.
Those unthinkable black swan events catch everyone by surprise with devastating effect. So, while we can all conceive that a successful attack on a country’s “critical infrastructure” might wreak havoc for the population, I think the most impactful attack will be a black swan event—something that absolutely no one thinks is possible and, therefore, no one prepares for.
Organizations and governments are increasingly planning and executing cyber attack drills. What's your take on these tests? Given the fact that they are generally meticulously planned in advance, can they provide a pragmatic picture of the overall security posture?
Most of these drills are not actually designed to provide a pragmatic picture of the overall security posture of the entities that participate in the drills. And that can be part of the problem—a false sense of security is created, if a participating entity does well in a drill. Some drills are only designed to test communication channels among the participants and do not test any attack scenario.
Other drills are designed to play out a single attack scenario and an entity might do well against that specific scenario. But they might not do as well against other scenarios. Another potential downside is the possibility that if a participant does well in a public drill, they may unintentionally throw down a gauntlet for an attacker looking for publicity or notoriety.
To get a clearer picture of the overall security posture of an organization, the organization must submit to multiple attack scenarios combined with an assessment of their program based on a carefully designed Capability Maturity Model (CMM). We’ve done assessments with as many as 10 different attack scenarios combined with a CMM assessment to give a client a clearer understanding of the overall posture of their information security program.
The attack scenarios vary from what an external entity could do with specific attack techniques to what a trusted insider might also be able to do. The CMM is designed to assess the information security program in 20 specific areas. Some of those areas include Security Architecture, Asset Management, Security Awareness & Training, Governance and Organization, Identity and Access Management, Security Incident Management, Metrics and Reporting, Information Security Strategy, Third Party Management and Threat & Vulnerability Management. None of the drills sponsored by governmental or regulatory bodies are designed to assess all the areas covered in the CMM or to assess a company’s vulnerability to an insider threat. Therefore, they cannot give a participating entity a pragmatic picture of the overall security posture.
What's the most appropriate course of action for an organization experiencing a targeted cyber attack?
An organization experiencing a targeted cyber attack, typically launched by a state-sponsored attacker or by organized crime must develop and execute plans for three separate, but interdependent, work streams: investigation, remediation and eradication.