21. April 2011 13:58
The mega-virus has ushered in a new era in cyber security
The cyber security panel on Wednesday started off with a discussion of Stuxnet, the uber-virus that sent shock waves through the security world last year. The panel was moderated by Greg Hale of Industrial Safety & Security, an industry web site, and included:
- Marcus Braendle, Group Head of Cyber Security at ABB
- Brian Ahern, CEO of Industrial Defender
- Tim Roxey, Director of Risk Management and Technology at NERC
- Eric Cosman, Engineering IT Consultant at Dow Chemical
Braendle said the lesson of Stuxnet was that it is impossible to completely protect an industrial system from such a potent and highly targeted attack, and that it was "a matter of when, not if, another such attack will occur."
Stuxnet formed the basis for much of the discussion, with the panelists largely in agreement that there is a disparity between regulatory expectations and the realities of cyber security practice. NERC's Tim Roxey summarized the problem in a rhetorical question.
"Is it appropriate to expect a private enterprise to protect against an attack by a nation state?"
Ahern put things in perspective: whether malicious or unintentional, a company’s own employees represent the greatest threat to its IT systems' integrity.
Panelists also agreed that something needs to change in our overall approach to security. In addition to bringing expectations into line with capabilities, users can't rely on OEMs and operating system suppliers to keep their systems safe. Private sector businesses need to have a collaborative relationship with the government rather than the adversarial one they have now.
At the same time, system owners must take cyber security seriously.
Part of the problem is overcoming the human tendency to ignore dangers that are not immediate. The quotable Roxey put it bluntly: "we humans suck at risk."