Employees put critical infrastructure security at risk

25.01.2013, by Matt Hines

Critical infrastructure providers' worst security vulnerability may be their employees.

Last week, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) detailed two separate incidents where IT systems connected directly to key energy industry assets were found to be infected with malware that had been deployed using infected USB drives, highlighting gaps in the organizations' basic security controls.

Over the last year, concerns about power grid infrastructure security have grown as malware such as Stuxnet and Flame highlighted vulnerabilities in important industrial control systems (ICS).

Given the sheer complexity of protecting long-embedded SCADA (supervisory control and data acquisition) software systems -- originally designed for use in walled environments and now exposed to the Internet -- it's not hard to understand why infrastructure providers still struggle to tighten security.

However, the largest obstacle isn't a technical quandary, but the continued inability of IT security and operational management teams to partner effectively.

"It's actually pretty discouraging how little has changed, based on this lack of cohesiveness between the IT security teams and the operational staff responsible for maintaining uptime of industrial systems," said Avivah Litan, a senior security analyst with Gartner. "There's still a culture of organizational bureaucracies and territorialism, and little urgency to get things done; everyone reports to their own boss, workers are not pushed to work together and despite all the attention few CEOs or executives seem focused on the problem."