Modern field guide to security and privacy

What companies and the government can learn from the Ukraine grid cyberattack

The attack on Ukraine’s power grid teaches valuable lessons that experts think companies and the next US administration should take to heart.

Richard Clarke, former White House cyber advisor, speaks at an Invincea and Dark Reading event in Washington on September 15, 2016.

One major piece of fallout from the BlackEnergy cyberattack on Ukraine’s power grid?

US energy companies are thinking hard and long about their approach to upgrading their digital infrastructure, said Edward Goetz, chief security officer at Exelon, at an event in Washington hosted by Invincea, an endpoint protection cybersecurity firm.

One of the reasons the attack wasn’t as devastating as it could have been (the power was only out for six hours at most) was that the industry had a ready response to the problem: workers were able to manually reverse the hackers’ work by physically resetting power stations.

US companies looking to upgrade their infrastructure are now considering how to obtain the digital efficiency afforded by new technology alongside Ukraine’s strong reminder of the last-resort value of analog procedures, Mr. Goetz said.

That isn’t to say that the grid is on the verge of collapse — far from it.

“Most people don’t know how the power grid works, and there’s this feeling that it’s a big battery with an on-off switch,” said Marcus Sachs, chief security officer (CSO) of the North American Electric Reliability Corporation (NERC).

But there are many lessons the US could take from Ukraine’s experience, experts at the event agreed.

Mr. Sachs and others underscored the security of US critical infrastructure, citing the grid’s diverse technologies and players as making it harder to take down in one fell swoop, while pointing out that most of the threats to the grid come from unsophisticated sources like squirrels or phishing campaigns. Shoring up the grid against the most basic digital threats should be a first order of business across industry and government, Sachs said.  

However power companies configure their systems, Sachs said, lack of communication between the US federal government and the private sector makes the entire business of defending the nation’s critical infrastructure more difficult.

Even after last year’s Cybersecurity Information Sharing Act (CISA) agreement, which paved the way for easier transit of information between government and the private sector, the government struggles to declassify information at a rapid enough rate for the intelligence given to businesses to be actionable.

Intelligence received “six or eight weeks [after the fact] is not timely. Six or eight minutes might be timely,” said Sachs. “Get rid of the things that make it classified and just give us better data. We don’t care how you [the government] got it, but the fact that you know it should be shared.”

On the private side, fears that proprietary information will be used to exploit vulnerabilities prevent companies from sharing more openly.

It comes down to trust, which can’t be legislated, Sachs said, and the private sector and the federal government have a lot of relationship building to do before they can share information as freely as CISA intends.

Defending against threats is half the equation — deterring them is the other, said Richard Clarke, a former national security official and current CEO of Good Harbor, who offered some advice to the next administration on how to be more proactive when defending critical infrastructure.

In order to ensure US infrastructure security, Mr. Clarke said, the next administration would do well to focus and consolidate its resources around those utilities that will be the focus of cyberattacks (such as the grid and the financial system) and continue to work on a better mechanism to train the next generation of cybersecurity professionals.

Continued multilateral action will be important, Clarke said, to take a harder line with state-sponsored hackers who have yet to feel real consequences for their actions.

That kind of action could have unintended consequences, though. Goetz wondered whether a cabal of former government-sponsored industrial spies from China will move to countries with looser Internet restrictions and become independent actors in the wake of the US signing a deal with China to stop the same.

Invincea is an endpoint security software company. More than 25,000 customers rely on Invincea to prevent and detect threats and enable their workforce to conduct business—in the office or on the road. Follow them on Twitter @Invincea.
