23 Nov 2013

DHS Scales Back Cybersecurity Programs for Critical Infrastructure

At a time when cyber threats to critical infrastructure are mounting, budget cuts are forcing the Department of Homeland Security to scale back training and information sharing activities. Since March, the government has cancelled two conferences, including one in August, and three training sessions, which teach utility companies how to defend against cyber attacks.
Within the last two weeks, the Department of Homeland Security’s industrial control systems cyber emergency response team (ICS-CERT) sent memos to electric company CEOs reminding them to be vigilant regarding cybersecurity threats. That followed a May 9 alert that warned about “increasing hostility against U.S. critical infrastructure organizations,” according to a memo obtained by CIO Journal. There’s concern that budget cuts are coming at a time when utilities need more assistance from the government, not less. The Department of Homeland Security did not respond to requests for comment.
“Everyone seems to think this is a tremendously important issue and nobody seems to be able to find the money to fix it,” said Patrick C. Miller, founder of the nonprofit Energy Sector Security Consortium and a managing partner at The Anfield Group, a security consulting firm. Over the years, ICS-CERT has struggled for funding, he said.
The scaling back of training programs at ICS-CERT will be the biggest impact, he said. The trainers at ICS-CERT, which is based at Idaho National Labs, “are some of the best in the business,” said Mr. Miller. As training programs are cut, it’s possible the agency will lose trainers, he said.
Mr. Miller had planned to attend the spring conference, which was cancelled not long before the event. The spring conference was for the industrial control systems joint working group, a vehicle for communicating and partnering across all critical infrastructure sectors between federal agencies and departments and the private asset owners and operators of industrial control systems.
“I was amazed they cancelled the [spring conference] because they had probably already spent a lot of money,” said Dale Peterson, founder and CEO of Digital Bond, a control systems research and consulting firm.
DHS has stated that public-private partnerships are the key to making progress with cybersecurity defense of critical infrastructure. Most of the critical infrastructure in the U.S. is owned by private companies. “Those two conferences [in May and August] are the main places where they can establish those partnerships,” said Mr. Peterson.
The spring conference was planned for May 6-9 in Phoenix, Arizona. It’s not clear whether the memo released on May 9 was intended to replace or augment information that might have been communicated at the conference. That document outlined cyber intrusions experienced by companies in the energy and critical manufacturing sectors beginning in late March. In at least one instance, an attacker obtained all the information needed to access the industrial control systems environment using readily available tools.
Here are some of the lessons outlined in the document:
1. Password strength needs improvement, and companies need to enforce it.
2. Attackers try to move laterally within networks. If the firewall rules between zones on the network are too liberal, intruders can move through the network easily.
3. Implement detection mechanisms to detect the presence of malicious tools. Monitor network and user logs to identify suspicious behavior.
4. The operational control system networks must be as isolated as possible from the corporate network and must have restrictive access policies.

http://blogs.wsj.com/cio/2013/07/20/dhs-scales-back-cybersecurity-programs-for-critical-infrastructure/