Cyber Risks In Critical Infrastructure
- By Cindy Horbrook
- Oct 14, 2010
Attendees of Wednesday’s ASIS 2010 session on Cyber Risks in Critical Infrastructure learned that risk is always present, and it can never be 100 percent contained.
The session was the first in a 3-part series on cybersecurity. Those who attended all three sessions on Wednesday were eligible to receive a certificate for cyber security. Speakers Donald J. Fergus of Intekras Inc. and Sunil Kumar of AlertEnterprise Inc. addressed critical infrastructure and key resources (CIKR).
Fergus discussed the background of CIKR, and the analysis, frameworks, assessment, handling and mitigation of risks. Kumar discussed identity and access management as it relates to risk.
Fergus noted that there has been an increased rate of cybersecurity incidents over the past five years. Common vulnerabilities include large, highly visible targets; control systems not designed with security in mind; linkage to corporate networks; and dispersed assets, where measures such as gates, guns and guards are not effective over thousands of miles.
Fergus described a typical, simple cyber attack through a Web interface that compromises a Web server. This leads to an attack on the engineering workstations, which then reaches field locations. This kind of attack can happen relatively quickly -- in about two hours.
“It’s scary fast,” Fergus said.
When it comes to CIKR, risk management is still relatively undeveloped due to a lack of a governance model, no body of knowledge, no common language, no consistent training, and no certification, Fergus said.
One of the most important facets of risk management is to create a tone at the top. In order to mitigate risks, the organization must discover its cyber assets. This can be done through personnel interviews, documentation review, physical site inspection and configuration analyses.
Kumar pointed out that the integration of physical and logical access is often an overlooked concept when it comes to risk management. He noted that risks can come from within: for example, a malicious insider in the organization with approved access privileges or knowledge of information systems who wants to adversely impact the organization.
The approach to handling access risks, he said, is to detect, comply, respond and prevent.
About the Author
Cindy Horbrook is content development editor for Security Products magazine.