06 June 2008

Critical Infrastructure Resiliency: + The Lone Wolf...

The convergence of law enforcement and homeland security professionals this week at the US CERT GFIRST conference was apparent. The agenda was full of topics and training focused on the protection of our critical infrastructures and new asymmetrical threats:

"Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the President’s Critical Infrastructure Protection (CIP) Board identified several critical infrastructure sectors:

• banking and finance
• information and telecommunications
• transportation
• postal and shipping
• emergency services
• continuity of government
• public health
• food
• energy
• water
• chemical industry and hazardous materials
• agriculture
• defense industrial base

The National Strategy to Secure Cyberspace emphasizes the importance of public/private partnerships in securing these critical infrastructures and improving national cyber security. Similarly, one focus of the Department of Homeland Security is enhancing protection for critical infrastructure and networks by promoting working relationships between the government and private industry. The federal government has acknowledged that these relations are vital because most of America’s critical infrastructure is privately held."

The InfraGard National Congress was held on the first day of the conference and was well attended, with representatives from 86 chapters and a membership of over 25,000. These citizen soldiers work in their local metro areas to assist private sector partners with their CIP activities.

There are many facets of CIP, so where should we be allocating resources? The case for vigilance inside our own organizations has not changed, and it rests on the earlier insider threat studies done by CERT and the US Secret Service:

Insider Characteristics

The majority of the insiders were former employees.

• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.

• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.

• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

A robust workplace awareness program is one key component in addressing the "Insider Threat". The figures above also point to two others: most of the insiders held technical positions such as system administrator or programmer, and a majority were already former employees or contractors at the time of the incident, so prompt removal of access at termination and oversight of administrative accounts matter at least as much as awareness.

The magnitude of the interdependencies of our critical infrastructures hit home this past week in the Washington, DC National Capital Region. Strong thunderstorms, tornadoes and severe weather dealt the region another lesson in our vulnerabilities. More importantly, the timing could have been the perfect launch point for other malfeasance by non-state actors who wait in "Lone Wolf" mode for just such a moment to strike.

Further, the networks of our global superinfrastructure are tightly “coupled”—so tightly interconnected, that is, that any change in one has a nearly instantaneous effect on the others. Attacking one network is like knocking over the first domino in a series: it leads to cascades of failure through a variety of connected networks, faster than human managers can respond.

Asymmetric attacks may be planned around specific triggers, natural hazards and other mischief from mother nature among them. Imagine the following scenario unfolding after the chaos a few massive thunderstorms created in the suburbs of Washington, DC:

Another growing threat to our cities, commonest so far in the developing world, is gangs challenging government for control. For three sultry July days in 2006, a gang called PCC (Primeiro Comando da Capital, “First Command of the Capital”) held hostage the 20 million inhabitants of the greater São Paulo area through a campaign of violence. Gang members razed police stations, attacked banks, rioted in prisons, and torched dozens of buses, shutting down a transportation system serving 2.9 million people a day.

The gangs’ rapid rise into challengers to urban authorities is something that we will see again elsewhere. This dynamic is already at work in American cities in the rise of MS-13, a rapidly expanding transnational gang with a loose organizational structure, a propensity for violence, and access to millions in illicit gains. It already has an estimated 8,000 to 10,000 members, dispersed over 31 U.S. states and several Latin American countries, and its proliferation continues unabated, despite close attention from law enforcement. Like the PCC, MS-13 or a similar American gang may eventually find that it has sufficient power to hold a city hostage through disruption.

And while such a scenario could probably be contained by calling out the National Guard, the timing could create the opening for a "Black Swan" outlier inside your own enterprise:

"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees." (U.S. Secret Service and CERT Coordination Center/SEI, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors)

It's never too early to plan for the unimaginable all happening in the same geography and the same time frame. Mock scenarios like this one are the starting point for public/private coordination and exercises aimed at "Enabling Critical Infrastructure Resiliency" in the NCR.
