Industrial cybersecurity has been garnering more media attention than in years past, and as testament to this recent spotlight, CISA dubbed November “Infrastructure Security Month.” Conversations and questions from friends and family regarding cybersecurity have definitely picked up as well, and this week I wanted to share a few questions about industrial cybersecurity, as posed by my mother-in-law.
For a little background, my mother-in-law is in her mid-seventies, and she’s one of the smartest people I’ve ever met (she’s an avid reader, lifelong learner, and I don’t think I’ve ever seen her miss a single question on Jeopardy!). She’s also a self-proclaimed technophobe who primarily uses the computer to play solitaire, and is perfectly happy NOT owning a cell phone.
For years, when anyone would ask her what I did for a living, she would respond, “Something with computers?” (technically not wrong). She was ecstatic when I started working in industrial cybersecurity, because she finally had a more tangible reference point — the grid!
I thought it would be interesting to see what types of questions she might have regarding industrial cybersecurity, especially considering the increased media focus on infrastructure security. Below I’ll share some snippets from our conversation, and attempt to answer her questions as best I can. (I’ll refer to her as “M”.)
Coffeetime Chats about Cybersecurity
M: I think people in cybersecurity would be surprised by how frequently these things are discussed over lunches with my friends, or over coffee after church. Not just the grid or ransomware, but everything from passwords to security of their bank accounts and finances. We see so much on the news and people are just afraid and don’t always know what to believe. Everything is in the cloud, or is computerized to some degree. Everything creates data, and all that data has to be stored somewhere.
Initially, the industry struggled to get the general population to understand the importance of data security. The silver lining on much of the media coverage is that it’s definitely raising awareness, and while I’m glad these things are discussed more frequently, I hate to hear of individuals being afraid or not knowing what to believe. It’s part of the reason why I recently wrote about Fighting the FUD (Fear, Uncertainty & Doubt), with some tips about finding helpful ways to analyze information.
Industrial Cybersecurity Incidents vs Breaches
M: How frequent are cyber attacks, and how often do they actually occur on grids? Everyone I know is so aware of ransomware now, but they say tons of companies pay huge amounts of money and we never hear about it, so how often do these attacks happen successfully?
There is a difference between an “incident” and a “breach”, but the terms are frequently used incorrectly, which can lead to confusion or misunderstanding about frequency and severity. Incidents affecting critical infrastructure do take place, but often these incidents are unintentional or don’t involve targeted malicious intent. Think of it as a splash-over effect when the original intent was a hunt for money.
What About the Satellites?
M: Why is there such concern over hacking of grids, but not as much attention devoted to hacking of satellites by foreign powers who may want to do us harm?
Great question! For many attackers, the focus is on making money. That’s the distinction between cyber crime (follow the money) and cyber warfare. The two can definitely overlap, but intent is very important. At what point does a digital act constitute an act of war?
Last House on the Block with a Landline
M: Several of my friends (some of whom are engineers and very tech-savvy) have decided to keep their landlines because they’re worried about not having any way to communicate if hackers wipe out other methods. Is it possible for hackers to knock out our cell phones or other methods of communication?
That type of widespread outage is nearly impossible. It would require a simultaneous attack on hundreds of thousands of systems. In the case of “the grid”, there isn’t one single grid that runs throughout our country, but rather many small ones run by generation and transmission companies with no single point of failure, or even shared points of failure. Landlines have their advantages, but so do mobile phones. A hypothetical event that was large enough to take out all cellular communications would most likely affect wired communications as well.
Who is Working on Industrial Cybersecurity Issues?
M: As a layperson, I don’t understand why there aren’t more people working on this important issue. Why don’t more people with real talents work for the government vs working in the private sector?
Fortunately, there are many very talented people working on this problem, and that talent pool is growing. There is not one entity that can work across all of these challenges. An organization’s cybersecurity posture is heavily influenced by its policies, budgets, and talent. Highly secured software, if implemented incorrectly, can be open and vulnerable. Just as each city has its own specific issues (infrastructure, potholes, police, fire, electric), every company has different internal infrastructure to support its business.
When it comes to your question about why more individuals may be working in the private sector rather than for the government, from my experience this can be boiled down to two things: academic expectations, and pay scale. Salaries for government positions are typically lower than for similar roles in the private sector, but their educational expectations tend to be higher. For example, imagine looking for a candidate who has 8 years of experience in networking or an adjacent space, a bachelor’s degree in computer science and engineering, CISSP certification, AND experience in incident response. From the outside this may not look too bad, but in reality these are different specializations. This leads to a very restricted pool of individuals who most likely do not have the exact experience necessary for the role.
Cooperation with the Government
M: For private sector companies, how much or how little do they cooperate with the government? Are there things that come up where they contact authorities, and report the things that they come across?
Yes, information is shared openly with the community at large and not just the government. Actually, the security community often moves even more quickly than the public sector when it comes to data sharing. In some cases, the government or an agency works directly with companies like SynSaber, other private organizations, and our customers to help in situations or to gather information on evolving threats.
There are entities like CRISP (a program used to collect & share information with the government), and organizations such as E-ISAC (Energy Information Sharing and Analysis Center) for the energy sector and FS-ISAC for financial organizations. While these organizations and programs are definitely not perfect, the cybersecurity community is always striving to improve our communications and reciprocal data sharing capabilities.
THE DARK WEB
M: Is the Dark Web real, or just something invented to scare people?
Now THAT’S a loaded question. Yes, the dark web is real. Let’s save that topic of discussion for Thanksgiving. We can’t have ALL the fun right now.
This was a great discussion, and it was really interesting to hear about the topic of industrial cybersecurity from someone who is so far removed from the industry, but who had relevant questions based on what she’s seen on TV or heard on the radio (or discussed with church friends over coffee).
Really looking forward to that Thanksgiving dark web discussion.
~Jori 🤘 ⚔️