Editor's note: There's no shortage of warnings about the cybersecurity threat. But such warnings are the equivalent of yelling "Fire!" in a crowded theater. They don't even point to an exit door, much less explain how to prevent the fire in the first place. So when my friend Ken Van Meter wrote in with a warning that also contained two specific recommendations, I asked if I could share his ideas with you here. -- Jesse Berst
By Ken Van Meter
Principal, Booz Allen Hamilton
There have been no public disclosures of major APT attacks on utilities. Yet other critical infrastructure industries—particularly government and financial services—continue to see either targeted APT attacks or Indicators of Compromise (IOCs). Although we have not yet had a coordinated "cyber tsunami" that would galvanize the energy industry, it makes sense to take thoughtful strides now.
The importance of a cooperative approach
New technologies and processes exist to find nascent and current APTs and IOCs. These methods should be used regularly to identify threats as early as possible, to prevent full attacks -- or, at least, to assess what happened and mitigate the damage.
An essential component of APT discovery and forensic review is the creation of new practices to deter future attacks and to improve the utility's risk profile. However, since few utilities have the expert staff to deal with APTs on their own, it makes sense to pursue a consortium or other cooperative approach. That way, tools and processes can be shared across a larger base to reduce cost, and more analysts, working concurrently, get to look at a larger range of data and find IOCs and APTs earlier. Such a consortium would have multiple benefits:
· Sharing new APTs
· Warnings of attack vectors in time to prevent or mitigate
· Alerts about new methods of incursion
Utilities should also avail themselves of other entities that are actively engaged in gathering and distributing information about cyber threats, including the United States Computer Emergency Readiness Team (US-CERT) and the NERC Electricity Sector Information Sharing and Analysis Center (ES-ISAC).
The importance of a multi-dimensional approach
Collaboration is of significant value. However, experts know that most APTs are designed for a specific target, so a blacklist or lookup table of known APTs is generally not effective against them. This is the biggest deficiency of current methods: they are table-driven and look only backward and inward.
APTs must be dealt with multi-dimensionally. Thus far, the most promising approach looks outside the box of conventional tools such as antivirus programs and hardware appliances. Instead it uses advanced mathematical models, algorithms, and heuristic analysis, which are proving far more effective at finding IOCs and APTs.
Once this candidate pool of suspicious code or processes has been flagged, forensic experts can use their skill, experience, tools and processes to separate the unusual from the dangerous.
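To make the contrast concrete, here is an added Python illustration (not code from the article or from Booz Allen): a table-driven IOC lookup beside a simple baseline-deviation heuristic, both run over a constructed set of outbound-connection events. Hostnames, process names and TEST-NET addresses are invented; the heuristic produces the kind of candidate pool the paragraph above hands to forensic reviewers.

```python
# Constructed sample data: (host, process, destination) tuples observed during
# a baseline period, plus a batch of new events. All values are hypothetical.
BASELINE = (
    [("hmi-01", "scada.exe", "10.0.5.20")] * 40
    + [("eng-ws-02", "outlook.exe", "10.0.5.30")] * 25
    + [("eng-ws-02", "chrome.exe", "198.51.100.7")] * 12
)
KNOWN_BAD_IOCS = {"203.0.113.45"}  # a published indicator (placeholder value)
NEW_EVENTS = [
    ("hmi-01", "scada.exe", "10.0.5.20"),         # matches baseline
    ("eng-ws-02", "chrome.exe", "203.0.113.45"),  # on the IOC list
    ("hmi-01", "svchost.exe", "203.0.113.99"),    # novel, no IOC exists for it
    ("eng-ws-02", "outlook.exe", "10.0.5.30"),    # matches baseline
]


def blacklist_hits(events, iocs):
    """Table-driven check: catches only destinations already on the list."""
    return [e for e in events if e[2] in iocs]


def heuristic_candidates(events, baseline, threshold=2):
    """Flag events that depart from the environment's own baseline in at
    least `threshold` ways; returns (event, reasons) pairs for review."""
    seen_triples = set(baseline)
    procs_by_host = {}
    dests_seen = set()
    for host, proc, dest in baseline:
        procs_by_host.setdefault(host, set()).add(proc)
        dests_seen.add(dest)
    candidates = []
    for host, proc, dest in events:
        reasons = []
        if (host, proc, dest) not in seen_triples:
            reasons.append("host/process/destination combination never seen")
        if proc not in procs_by_host.get(host, set()):
            reasons.append(f"{proc} did not run on {host} during baseline")
        if dest not in dests_seen:
            reasons.append(f"{dest} was never contacted during baseline")
        if len(reasons) >= threshold:
            candidates.append(((host, proc, dest), reasons))
    return candidates


if __name__ == "__main__":
    print("blacklist:", blacklist_hits(NEW_EVENTS, KNOWN_BAD_IOCS))
    for event, reasons in heuristic_candidates(NEW_EVENTS, BASELINE):
        print("candidate:", event, "->", "; ".join(reasons))
```

The lookup finds only the event whose destination was already published, while the baseline heuristic also surfaces the never-before-seen process and destination on the HMI host, leaving the analyst to decide whether it is merely unusual or actually dangerous.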
By their nature, APTs are constructed by well-funded cyber experts. They aim at big targets. They may seek to extract critical information, or to plant time bombs that will cause harm at a strategic moment in the future, often operating over a period of months or years. The range and power of cyber adversaries have never been greater, and the targets are larger and more critical than ever. But with vigilance and a reliance on the advanced methods described above, energy companies can, at a rational cost, significantly reduce the risk and damage of APTs.