EET&D: Gentlemen, I’ve personally been aware of your company for quite a long time – well before the name change to Industrial Defender in 2007 and even before that, when it was still part of Hewlett-Packard’s RTAP Division. Although you’re rapidly moving up on the industry awareness scale, I think I can say with some certainty that many of our readers are probably not nearly as familiar with your company – yet. There­fore, I hope you won’t mind quickly recapping the origins of the company before we turn our attention to the here and now.

Ahern: Not at all, Mike. Today, Industrial Defender is a privately held company with over 18 years of industrial control system and SCADA industry experience, and more than seven years of industrial cyber security experience. As you pointed out, we have deep roots in the automation business, particularly in SCADA and process control markets around the world, which began nearly two decades ago as the R&D group that produced HP’s RTAP SCADA platform. After being spun off from HP, we were known as Verano, Inc. for several years before we changed our name to more accurately reflect our core business model. Altogether, we have completed more than 100 process control/SCADA cyber security assessments; have in excess of 10,000 global security technology deployments in securing critical infrastructure systems; more than 3,000 mission critical SCADA deployments; and, we provide managed security services for 170 process control plants in 21 countries.

EET&D: That’s quite a resume. It would seem that your real-time automation beginnings have served you well in making the transition from an automation systems company to a security solutions provider. The high degree of synergy within and across those areas of business and technology is certainly a big differentiator in a field where lately we’ve seen an ever-increasing supply of security solution providers.

Sikora: Yes, that’s a very valid point, Mike, and it’s one that really sets us apart from most other security solution providers. Our comprehensive knowledge of mission-critical control systems comes from having been there and done it;
not just from reading about or otherwise studying the control systems business. To really understand how these systems have evolved from bit-oriented controllers, minicomputers and microcomputers programmed in machine language to modern-day automation platforms running sophisticated operating systems with a high degree of built-in intelligence, multiple communications platforms and Internet connectivity is no easy task – even for the most technologically savvy companies. In our case, we designed, built, installed and supported those systems for well over a decade before cyber security emerged as a major issue. not just from reading about or otherwise studying the control systems business.

EET&D: Okay, let’s fast-forward to today. For the past several months, the Stimulus Bill has been top of mind for anyone associated with the interrelated goals of protecting our infrastructure and restoring the economy. Cyber security is not only an implicit part of those initiatives, it is also a stated national priority that we hear and read about regularly on local, national and international levels. No one can say that this is an obscure topic or one that begs for relevancy, yet there still doesn’t seem to have been a whole lot of funding available to get the job done properly – if at all. Is that a valid perception, or is there more going on that may not be as visible as other dimensions of the infrastructure issue?

Ahern: Well, let’s take the Smart Grid initiative as a prime example. No one doubts that, from both a reliability as well as a security standpoint, there is a clear need for an IT-enabled electric “smart” grid, paving the way to – among other things – significantly expand renewable energy resources. To that end, in his stimulus package, President Obama allocated $4.5 billion dollars to electricity delivery and energy reliability, under­scoring the need for the legacy electric grid to make the move into the 21st century – and enhanced critical infrastructure protection is clearly an integral part of it. However, it remains to be seen exactly what portion of the Stimulus funding will actually make its way into cyber security R&D and real-world cyber security projects.

One way to realize true collaboration and foster mutually beneficial relationships is for the federal government to provide monetary incentives – perhaps in the form of funding grants or tax credits – to private sector entities willing and able to invest in cyber security threat monitoring and protection technology to support both this “next generation” critical infrastructure undertaking as well as ensure the security of the nations bulk-electricity system including power generation, energy control centers and transmission substations.

EET&D: What else is needed to help move security initiatives from concept to practical solutions?

Sikora: In addition to financial incentives, private sector operators of critical infrastructure must work in concert with the government to warn both the private sector and the public of potentially dangerous cyber security incidents. To facilitate
this collaborative environment, the government should also strongly consider the concept of ”Hold-Harmlesss” Protection. This would remove concern over the public relations ramifications associated with a critical infrastructure operator sharing threats and incidences; ensuring an open and collaborative line of communication between the private sector and public sector in the interest of public safety, national security and economic integrity.

Another consideration is the development, through the joint efforts of the public and private sectors, of a comprehensive “cyber heat map.” This would ultimately provide transparent visibility into the current cyber security threats, as well as provide access to detailed information on each specific threat occurrence. Incorporating these proposals – while undoubtedly an aggressive undertaking – would allow for both increased cyber security protection as well as the flexibility to expand these infrastructure platforms to support future needs.

EET&D: What do you see as your role in this rapidly escalating focus on cyber security as it relates to the critical infrastructure we are simultaneously trying to preserve and protect?

Ahern: Industrial Defender is the first company to offer a completely integrated defense-in-depth cyber security solution designed to protect the industrial control system and SCADA environment in a flexible and cost effective platform. Our comprehensive “lifecycle solution” enables the efficient assessment, mitigation and management of cyber security risk within the critical infrastructure network domain. But no single company – nor even a group of companies – is likely to achieve effective, pervasive and sustainable cyber security without the collaborative involvement of the private and public sector.

EET&D: What are some of the things you would like to see that could help move the cyber security cause forward?

Sikora: For starters, a greater level of investment in defense-in-depth sensor technology, including electronic security perimeter, remote access and authentication, network intrusion detection, host intrusion detection, and patch monitoring and management, thus enabling real-time aggregation of threats and incidences for real-time reporting. FERC Order 706 also calls for “defense-in-depth” subject to technical feasibility considerations with NERC oversight.

Ahern: There’s a whole host of other things we’d like to see, but we know that there’s going to be a long road ahead. For example, one area of focus should be a centralized clearinghouse for the correlation of alerts and threat statistics. Such central oversight would provide intelligence regarding widespread information gathering and other attacks. For this type of centralized correlation to work, cooperation of large managed service providers and large self-managed networks is needed in order to send the necessary standardized alerts and threat statistics to the US government.

If a central agency were the real-time clearinghouse for conclusions about threat patterns and the correlation of such conclusions, that agency would be able to correlate suspicious activities across many industrial networks. Such correlation – especially correlation of threat threat profiling results – might allow the central monitoring agency to identify widespread information-gathering activities targeted at critical infrastructure networks. Such activity is a logical precursor to a widespread attack on infrastructure. It would also allow a central clearinghouse to draw conclusions about widespread infections, which might also be a sign of a coordinated attack on very many sites.

Recently, in testimony before Congress, we formally recom­mended that the Federal government investigate establishing a program, correlation infrastructures and technologies, and the necessary data exchange standards to permit real-time alerts and threat statistics to be aggregated centrally. Indivi­dual managed security service providers and large industrial security/network control centers would be encouraged – or required – to participate in the program and provide the central authority with the statistics and other information that the agency requires to calculate high level correlations. Such a program could provide government and various intelligence-gathering agencies with important insights into the overall health of industrial networks as well as insight into sudden changes or widespread patterns indicative of preparations for a large-scale attack.

Sikora: Another area of focus would be to strongly encourage control system vendor partnerships with the U.S. Department of Energy’s National Supervisory Control and Data Acquisition (SCADA) Test Bed programs at Idaho National Laboratory and Sandia National Laboratory. There also needs to be a continued and raised emphasis on control system security product and technology assessments to identify vulnerabilities and corresponding mitigation approaches when systems are being designed and built.

EET&D: What do you feel is the rightful role for government in all of this?

Ahern: Escalation of threats and exposure of incidences are essential components of successfully thwarting cyber attacks against the nation’s critical infrastructure. With 85 percent of the nation’s critical infrastructure owned and operated by the private sector, the public and private sectors must work collaboratively, with trusted and open lines of communication to ensure the timeliest commu­nication of critical cyber-security information. The private sector represents a valuable source of operational intelligence, which must be harnessed in order to effectively communi­cate and drive action to reduce the consequences of pending attacks.

EET&D: We hear a lot about NERC standards and guidelines these days. Do you feel that the NERC CIP standards are adequate at this point?

Ahern: While the NERC CIP standards have been a catalyst towards private sector action, unfortunately the vague nature of the standards have left many questioning whether this has been simply an exercise or has it really enhanced the security of the bulk electric system? It is our observation, based upon interaction with our clients, that the standards are unclear and undefined (subject to interpretation), punitive vs assistive, unfunded and a moving target. Based upon feedback from clients presently undergoing audits, there appears to be widespread disparity in process and approach by the various audit entities. 

Our own internal analysis has shown that less than 15% of the total utility assets have been deemed “critical assets” with less than 10% of the total assets being deemed to have “Critical Cyber Assets”. This begs the questions: 1) from a bulk electric system security perspec­tive is the risk less today than before implementation of NERC CIP standards, 2) Does compliance equal “security”?, 3) has this been an exercise in futility that has driven a further wedge between Private Sector and Public Sector?

If the ultimate goal of critical infrastructure security regulations is to ensure public safety, national security and economic integrity then regulations have to provide equal amounts of incentives for compliance as they do penalties for non-compliance. A public sector/private sector relationship built upon trust and well defined goals and objectives will yield greater results. 

EET&D: As you look further down the road, what do you think will be the ultimate outcome of the battle to protect our critical infrastructure from the rising wave of malware and potentially debilitating attacks?

Ahern: With the introduction of the Smart Grid the challenge becomes greater, not easier. The possible
attack profile on critical infrastructure moves from nation/state adversaries and orga­nized crime to a possible domestic/civilian threat as intelligence is extended down to the consumer. The dependency on achieving a truly “Smart Grid” relies extensively on an intelligent, fully integrated “smart utility.” As such, far more of our critical assets will become intelligently interconnected, thus yiel­ding far more critical cyber assets that ultimately require security.

EET&D: And if there’s an “end game” here, what might that be, and in your opinion what do you feel has been learned thus far that you consider to be of lasting value?

Sikora: One of the greatest challenges we face in securing the bulk-electric system is establishing security for the current legacy infrastructure. At the time when much of the national electric infrastructure was installed, security was not at the forefront of design criteria. If there is a lesson to be learned as we contemplate future Smart Grid infrastructure investments, it is that security MUST be a key design criteria; not an afterthought. Presently the security of the electric utility supply-side infrastructure is vulnerable to attack; investments in consumer–side infrastructure ahead of securing the supply-side seems illogical.

EET&D: Brian, I’ll let you have the last word on this…

Ahern: I fully anticipate that security of the entire electric power “supply chain” will one day be regulated. The key focus now must be ensuring the integrity of the electric power supply infrastructure while – as Walter just said – ensuring the future Smart Grid infrastructure investments are secure from the day of installation rather than an afterthought.