Cybersecurity Expert: US Critical Infrastructure Threat is Real – but ‘the Sky Isn’t Falling’

President Obama’s executive order on cybersecurity is said to include voluntary standards for companies, a special council run by the Department of Homeland Security (DHS) and new regulations for vital systems, according to a draft leaked to the AP.

So I thought it would be useful to talk with an expert about the state of U.S. critical infrastructure and what the government can do to improve it. I sat down–virtually–with Nate Kube, founder and CTO of WurldTech, a company that provides security software for critical infrastructure companies. (If ever there was a business with a monetary incentive to stoke all the hysteria around the threat it would be Wurldtech.)

IT Security Hack: How big is the threat to the U.S. critical infrastructure?

Nate Kube: Just because something is possible doesn’t mean it ever actually happens. Think about in terms of traffic, there aren’t always barriers up between a north-bound lane and south-bound lane. So, yeah, someone driving in the north-bound lane could turn their steering wheel and cause a massive collision in the south-bound lane. Possible. Does it happen? Sure, but there are all these other reasons for why it doesn’t happen that often: Personal safety, etc.

With critical infrastructures there is a lot of really bad stuff that people could do using functionality that’s available today. But they don’t because it’s not in their best interests.

Think of it from a terrorist perspective. In order to really do something bad you would combine a cyber-attack with a physical attack. You drive a plane into a building, maybe before you do that you do a mass outage of power in the area.

But just a cyber-attack by itself … the sky isn’t falling. There are a lot of checks and balances in place. These are incredibly engineered systems with a lot of non-digital safeguards, analog safeguards that you can’t hack. You have to be there. And if you’re already there, why hack when you can just destroy?

There’s a lot of sky is falling, a lot of fuss. I think folks are quite tired of it, especially folks who have been eating, breathing and living in this space.

There are problems and we need to solve them. We’re doing so much more with automation, and anytime you automate something and have increased connectivity doing so across a large geographic area you have the option for folks to hijack it and do bad things. So security needs to be considered but it’s by no means a show stopper.

So does government have a role in this?

Government is the key piece of puzzle with this. It’s been the primary driver for security in utilities. Water has a very fixed rate base, so there’s no ability to charge arbitrary amounts of money for security. Only way they can justify the cost of a retrofit or enhancement is if the government mandates it.

The first issue is awareness. We need to educate folks on the danger of having highly-connected networks and plugging in USB keys and plugging in laptops. All the technology nuances and whizzbang gadgets in the world can’t make up for improperly trained personnel.

There needs to be C-level awareness of the risk. It needs to be framed in terms of operational implications, financial implications and not just, “Hey, we’ve got a vulnerability.” Do it that way and nobody cares.  Then you get those people to drive awareness down into the orginzation.

Regulation in the U.S. is a great way to drive that. Look at the Smart Grid Stimulus Act. In order to get funding one-third of the proposal had to be about the organization’s security effort. Some Grants were $300 million, $400 million. That drove awareness of cyber security to the C level.

One result was yearly audits in how well the utility was doing in implementing its cyber security plan. There were audits last year, audits this year. There are supposed to be audits next year but depending on the change in the government we will see what happens.

The amount of information the DOE now has on current state of the sec for utilities has gone up dramatically. DOE now has really good idea of what the security posture for the industry is.

If you could write the executive order, what would you put in it?

Information sharing–strong information sharing between public and private sector. So when DHS or DOE gets informed about an attack breaking out it can inform other utilities on a moment-by-moment basis.

The government should not be in the position of managing or mandating technology. If they do it with standards they are effectively mandating a technology.

DHS is in perfect position to set up requirements but should stay far away from any notion of how those requirements are satisfied. Look at what the NRC [Nuclear Regulatory Commission] did. They did a good job with critical infrastructure protection. Some 1,200 sites fall under NRC regulation. Sure there were some bumps when it started but that’s to be expected. They don’t talk about how to do it, just what needs to get done.

The government is in a unique position to set up resources, set up training programs. DHS has set up a number of [training programs] which are quite good. They run small classes and are still very limited in terms of the size of the population they can facilitate at one time.

Really focus on the resource side for business to use. With information like building a business case for security–educating executives on why it matters–or training personnel on how to address security in their day-to-day jobs.

In terms of building awareness, government should provide standards–not in terms of shall but in terms of should. Provide guidance documents on basic cybersecurity in critical infrastructure.

Government needs to be the source of information which US-CERT is already doing a great job at.

(Note: Interview has been condensed and edited for space reasons–and to make the interviewer’s questions look smarter.)