Interview: Critical Infrastructure Security Perspectives From Bruce Schneier
A couple weeks ago we asked Bruce Schneier if he would be kind enough to respond to a few questions about security related to critical infrastructures such as the power grid. We are delighted and honored that Mr. Schneier would take the time from his busy schedule to answer our request! Below is a perspective that we are certain you will find interesting and useful in your quests to build and support practical security solutions at your organization.
Q1: There seems to be a great deal of fear and hyperbole about potentially catastrophic cyberattacks against critical infrastructure such as the power grid. How do we clear away the hype and determine what threats realistically exist and what should the industry consider doing about them?
Bruce: With expertise. Like everything else complicated and technological, there is core information buried amongst the hype. The trick is to dig out that information, and that requires expertise in the subject matter.
The national power grid is vulnerable to malicious cyberattack, and also to random mistakes and problems. Many of us believe that a computer worm was one of the causes of the blackout in the northeastern United States in 2003, for example. The worm's authors did not intend to affect the power grid -- and probably couldn't have deliberately done it on a bet -- but the worm affected Windows computers which, in turn, affected power control systems.
More worrisome are targeted attacks. The 'movie-plot threat' everyone talks about are terrorists dropping the power grid with a cyberattack. This is largely hyperbole, but it's still a risk worth paying attention to. But, yes, the hype mostly obscures the real issues.
Q2: In many circles, people continue to look for technological silver bullets (i.e. encryption) to the security risks we face. Can technology alone solve the problem? If not, how do we best make that point, and what is the answer?
Bruce: This is no different than everything else. There is no single answer. There are no silver bullets. And technology alone can't solve anything. But technology is part of every solution, and research into defensive technologies -- like encryption -- resilience technologies, and recovery technologies will together secure critical computer systems like those on the power grid.
Q3: You have some experience in the area of security monitoring. Given the increasing sophistication of attackers, what is required from a monitoring program to effectively detect and respond to attacks before they can do real damage?
Bruce: The answer to this question can fill a book, and there are several books about this topic. Good monitoring is comprehensive and agile. It needs to respond quickly before, as you say, attacks can do real damage. We can argue about whether this is even possible, which is why building resilient systems that can recover from attacks is so important.
Q4: These days, everybody talks about information sharing, but few if any can explain what the term means. How can information sharing improve our cyber security efforts? What type of data needs to be shared, how, and with whom?
Bruce: All of it. Broadly. With everyone. I know: no one wants to hear this. Keeping information confidential is how American business works. But it's counter to good security. Security by obscurity no longer works here; openness is critical.