Lee Neubecker (LN): Hi, I’m here again with Geary Sikich on my show. Geary is the president of Logical Management Systems, a business consulting and risk advisory firm. Geary, thanks for being on the show again.

Geary Sikich (GS): Thanks for having me back, Lee.

LN: So today we’re going to talk about the current state of global cyber insecurity. News events have been published detailing Iran’s potential cyber response. The energy sector has been put on notice to be looking out for attacks, as well as corporate America. So Geary, what is the current state of cyber risk as you see it?

GS: I think it’s kind of appropriate to begin to look at it as you introduce it, global insecurity. One has to begin to look at how secure are you? And in the context of how secure are you, how secure is our infrastructure. All the things we depend on for our day to day lives. And how we live, literally. So everything from your food on the table to the heat, to clean water, to your heat in your home, et cetera, all become potentially–

LN: Transportation, travel, and fulfillment.

GS: Road systems, everything that’s out there.

LN: So we’re going to be talking about the highest areas of concern where a rogue terrorist organization might want to strike or a nation-state that we’re at odds with. And unfortunately, we have quite a few. Later on in the second, third, and fourth segment we’ll be talking about detecting threats. In the third segment, we’ll be talking about protection against that, things that can be done proactively. And then finally, in the fourth and last segment we’ll be talking about responding to compromises, incident response, and how to recover and get back up online. So Geary, can you give everyone an understanding of what encompasses SCADA devices and what SCADA means?

GS: SCADA systems were developed for the use to control operations and utilities and other areas. It’s called the Supervisory Control and Data Acquisition.

LN: So what kind of devices make up SCADA devices?

GS: Everything from the control of pipelines, utility, electricity functions, all the way onto healthcare, pacemakers and other types of systems.

LN: CPAPs. So these are critical systems. These are systems that if someone wanted to cyber attack and really hurt us, they’re natural targets. And they’re classified as such because they have to be regulated and handled in a way to help keep them safe.

GS: Yeah. And the problem we face is not that these are systems that are so vulnerable, the problem we face is that because of the technology that we’ve embraced over the years since 1999, so that’s what, almost 20 years now. Or it is 20 years now. That those systems have become so embedded that we have gotten rid of the manual systems that they replaced. So things like switching for railroads. You would be hard-pressed to find manual switches available to the industry. Because they got rid of ’em, and they were scrapped, and they’re gone. No one produces them, or should I say, they’re produced in limited quantities. And they’re hard to get. The things we depend on in a lot of respects for the smooth running of our infrastructure become very critical to us because there are no alternatives for those systems. And as a result, we become more and more vulnerable to an infiltration of the systems for disruption.

LN: And then we also have what’s known as FPGAs, Field Programmable Gateway Arrays. They’re microprocessor controllers that can be programmed that can actually be altered by an attacker to change how these systems function, the logic that works. We can only think of, what would happen, Geary, if a nation-state that we’re in a conflict with, what would happen if the water filtration system sensors were altered to put water out that appears safe but isn’t?

GS: I think you see a lot of that today simply because the threat levels are such that we have to make sure these systems are so well-protected. And unfortunately, the ability to protect the systems is not necessarily as good as it should be, let me put it that way. It’s not that they’re bad, it’s not that they’re behind the times, it’s just that they’re trying to keep up with things that are changing so rapidly. Technology disruptions, and disruptive technologies today have made a lot of systems sort of antiquated before their time. And the problem is that, to keep up with replacement, to keep up with the viability systems becomes another burden to the system. Another critical issue in this global insecurity aspect is look at the talent pool that’s out there in the workforces, and you start to begin to realize that there are very few people that are talented in the areas where we need them. I think in our last segment that we did I mentioned that in the energy industry, nuclear engineers, petrochemical engineers, desperately needed areas because their workforce is transitioning and the skill levels are not there. So that becomes a real challenge.

LN: Just the past, in this month alone, cybersecurity firm Dragos issued a report showing that there is a number, I think around 11 groups that are actively targeting the energy sector and trying to take out various providers of energy. Oil, gas, you know, nuclear. There’s other threats there. You know, locally here in Chicago, you’re in Indiana, we’re in Illinois, what part of the energy sector do you think is at greatest risk?

GS: Well, I think the interesting point with that is that the bigger players, Commonwealth Edison, NIPSCO, Northern Indiana Public Service, are doing their part to ensure that their infrastructure is well-maintained and protected. The problem we run into is that they’re not the only utility providers. If you look at across the United States, there are so many smaller utility providers, co-ops, small utility companies, that don’t necessarily have the resources–

LN: They don’t have the scale.

GS: Yeah, the skills. And the problem that they encounter and we encounter as a result is that they are critical links in the grid system. So everything from water, gas, electric, telecommunications, et cetera, all dependent on a lot of these small players. And getting one to go could potentially offer cascade effects to all the others. And as it cascades, things can get even more disruptive.

LN: So you could actually take down the big electrical utility by getting enough of the small, vulnerable electrical co-ops and launching a cyber attack on the electrical co-ops to then take out the big giant. Because when this happens, you have power imbalance. And Kirchhoff’s Law dictates the flow of electricity, and it will flow where it’s weak, and the current flows, well that can cause line tripping and power outages.

GS: Yeah. And I think the thing that people have to realize is that the apparently most vulnerable things are not necessarily the ones that are the most visible. And I say that in this respect, we look at power plants, we look at nuclear plants, and there’s a fear of someone attacking the plant. In reality, it’s the part of the system that are not related, or that are related, linked to the power plant, but not directly.

LN: It’s an interconnected system.

GS: It’s the transformers–

LN: Everything from endpoint demand to supply. And in our prior video we talked about manipulation of endpoint demand that could cause a cyber attack.

GS: And it’s the step-up and step-down systems. When you generate it, electricity’s stepped up, it goes over transmission lines, it goes to a point, it’s stepped down and then it goes in the user groups, the residential, your cities, your smaller industries. So you start seeing these as being potentially vulnerable in a respect. In terms of vulnerability is that we have to begin to look at the users and begin to differentiate which ones are what we call interruptible and which ones aren’t.

LN: So in our next segment, we’ll be talking about detection of these threats, and then finally after that, the third segment we’ll talk about protecting and what organizations should do such as electrical co-ops, things they can do to get ahead of this. And then when things invariably do go wrong, finally we’ll talk about incident response. So tune in next time, and please, we appreciate your shares, likes. Sign up for my YouTube channel if you liked this and you’ll get alerted when we publish the next one. Thank you.
