In July, General Keith Alexander, head of the National Security Agency and U.S. Cyber Command chief, warned that the changing nature of dangerous cyber attacks is taking a toll on American business. A Department of Homeland Security report on cyber security revealed 198 cyber attack incidents were reported to DHS in 2011. This is a sharp contrast to the nine incidents reported in 2009. The report noted that companies that control critical infrastructure reported higher numbers of attacks on their systems over the past three years.
With cyber threats to these computer systems on the rise, the U.S. Department of Homeland Security (DHS) is working to better protect control systems of critical infrastructure. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides operational capabilities for defense of control system environments against emerging cyber threats. ICS-CERTs were deployed to investigate and analyze threats in 17 of the 198 cases in 2011. By understanding the threats and effectively managing the risks, actions can be taken to reduce the occurrences and sustain critical systems. Specific company names were not released in order to maintain a level of confidentiality and encourage reporting of other cyber attack incidents. Alexander said that for every intrusion detected by the FBI, there are 100 others that remain undetected.
DHS admits that the number of incidents reported to DHS's ICS-CERT has increased partly due to this increased communication between ICS-CERT and the private sector. However, through proper mitigation and business continuity measures, companies will be prepared to combat their current lapses in technology.
According to the EPA, “Technological emergencies include any interruption or loss of a utility service, power source, life support system, information system or equipment needed to keep the business in operation.” Identifying all critical technology-related operations is the first step in mitigating and combating threats. Possible critical technologies involved in business operations include, but are not limited to:
- Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
- Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, electrical distribution system
- Manufacturing equipment, pollution control equipment
- Communication systems, both data and voice computer networks
- Transportation systems including air, highway, railroad and waterway
Once technology systems are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:
- Determine the impact of technology service disruptions.
- Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
- Establish company-wide computer security practices, such as password-protected information, in order to secure technologies. (See CSET Assessment to determine system vulnerabilities)
- Establish procedures for restoring systems. Determine the need for backup systems.
- Establish preventive maintenance schedules for all systems and equipment.
ICS-CERT encourages companies to report suspicious cyber activity, incidents and vulnerabilities affecting critical infrastructure control systems. Online reporting forms are available at https://forms.us-cert.gov/report/.
For a sample Emergency Response Checklist, download our helpful and informative guide.