Rising Cyberthreats Call for New Preventative Measures, Think Tank Hears
Three factors matter in managing cyber risk -- a system’s vulnerability, the likelihood of threats and the attack’s consequences, said Miles Keogh, director of grants and research at the National Association of Regulatory Utility Commissioners. “Really, cybersecurity is a function of understanding risk,” he said.
The increase in cyberthreats has raised the question of how to regulate and anticipate them, panelists said Tuesday in Washington at an event hosted by the New Democrat Network, a center-left think tank, on cybersecurity and the electric grid. They pointed specifically to how interconnected different technologies are becoming and how that raises the threat, damage and cost of any attack. New systems like the smart grid leave traditional utilities exposed, they said. Several prominent cyberattacks of recent years dominated the discussion, specifically Stuxnet and Aurora. The rising threats include “very well organized … malicious actors” who engage in “deliberate sabotage,” Keogh said, though some cyber problems come from hardware, software and human error. Much of the growth in threats comes from well-organized entities, and it’s now “a tool of nation-states,” he said.
More interconnectedness fuels the rise in threats, said Good Harbor Security Risk Management Principal Jacob Olcott, a former counsel to the Cybersecurity Subcommittee of the House Homeland Security Committee. Systems became digitized over the last few decades but “now there’s an Internet” facing the public, he said. More and more connections tie corporate and control networks together, he said. The Stuxnet attack struck an Iranian facility with no outside connections to the public-facing Internet, which doesn’t bode well for the U.S., he said. But much confusion still accompanies cyberattacks, Keogh said: “For months, Iranians thought this [Stuxnet] was bad hardware.”
The rising threats create more demand for security, said Keogh. For a long time he advocated the defense-in-depth strategy. A more effective model may be what he calls the “crown jewels defense,” in which prioritized sectors of a network are most protected. “The detection technology is just not there,” Olcott said. Some companies are attempting to measure the temperature during cyberattacks to look for a “rise in heat,” he said.
A good defense takes many forms, panelists said. Proper employee training counts for a lot, Keogh said. The real value of defense lies in deterring attackers, he said: “You don’t need a perfect defense -- you need a good enough defense so it’s not worth the attack.” “The critical cyberasset question” is whether the loss of one critical asset will affect the bulk power system, said Olcott.
Regulating cybersecurity largely concerns arenas that “should not be the province of state regulators,” Keogh said. State regulators aren’t suited to become cyber experts, he said. Keogh has helped state utility commissions beef up their knowledge on the topic in the past and has advocated for such expertise, he said at NARUC’s summer meeting (CD July 26 p6). Compliance standards may not be of much use as things stand today because “not too many people are complying,” Olcott said. A “risk-based strategy” for companies may prove more effective than one based on compliance, Keogh said. One game-changer in moving federal legislation would be a successful cyber strike against U.S. interests, Keogh said.