Kantor added that there are a number of US utility companies, along with industry research and trade associations that include the Electric Power Research Institute and the Utilities Technology Council, “that are supporting an amendment to an existing wireless communications standard to address reliability, coverage and security concerns of critical infrastructure networks or what they refer to as Field Area Networks (FANs).”
Lee also said he has seen an encouraging focus on security. “I've seen some critical infrastructure companies, such as in energy, that are extremely well prepared and could have detected targeted threats that have attempted to breach their organizations.
“As a community we need to ensure that this isn't the 5 percent of the community and is more widespread. But there are great successes,” he said.
Miller said there are “serious efforts” being made to improve ICS security. “In 2014 the US Department of Energy issued guidance for energy delivery systems and US ICS-CERT issued similar guidance for ICS procurement way back in 2009.”
But he acknowledged that vendors of ICS equipment are selling in a global market, where security pressures are not as great as in the US. And, as has been widely reported, large generators and other ICS equipment can cost well into six figures, cannot be easily retrofitted with security and are meant to last for 25 years or more.
The reality is that the ICS industry has a long way to go,” he said.
Gumbs agreed. “Security hasn’t always been viewed as a priority,” he said. “They don’t have the skills needed to keep up with attackers. They don’t have ability to hire or retain talent.
“It isn’t trivial to detect a sophisticated attack and it requires a large amount of people, skill and technologies in place to properly defend against them. Because the industry is just now prioritizing security, it will take some time before they can provide a formidable defense against sophisticated cyberattacks.”
Of course, a DDoS is not considered a sophisticated attack. It could still cause some significant disruption – Devost noted that, “if millions of IoT thermostats in homes and smart grid devices in commercial buildings are compromised and ask for maximum AC on a day in which there is excess demand in the grid, what would the impact be?”
But Gumbs said he thinks CI in the US is resilient enough to respond to such an attack without catastrophic disruption.
“A cyberattack on the scale that we’re talking about could be compared to a natural disaster, maybe,” he said, “and we’ve shown that we are fairly resilient when facing hurricanes, floods, earthquakes and more.”
He said a crash of the financial system would be worse. “This would undermine the trust we have in walking to an ATM and withdrawing cash, even paying for provisions if we were in an actual disaster.”
[ ALSO ON CSO: Security convergence in a utility environment ]
Kantor said he believes most utilities take security seriously. But he acknowledged that, “given the size and scope of the electric utility industry – there are more than 3,300 electric utilities in the contiguous US distributed over three million square miles – there are many areas of vulnerability, both physical and remotely.
“Infiltrating the critical communications infrastructure is the easiest and most anonymous way to cause major disruption. We’re now facing a world where hackers are getting smarter and hacker communities exist where knowledge and advancements in DDoS code is shared.”
So, lowering the threat of a DDoS against utilities or other CI may require an improvement in IoT security. And some experts say the market won’t do it – that it will take a push from government.
Schneier, in his recent post, said there is, “a market failure at work” when it comes to IoT security, because neither the sellers nor the buyers of devices really care about it.
“It’s a form of invisible pollution,” he wrote, “and, like pollution, the only solution is to regulate,” with things like minimum security standards and/or making it easier to sue manufacturers if their products are used in DDoS attacks.
“The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” he wrote.
That may be under way soon. U.S. reps. Frank Pallone Jr. (D-NJ) and Jan Schakowsky (D-IL) wrote a letter dated Nov. 3 to Federal Trade Commission Chairwoman Edith Ramirez “urging” the agency to, “use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures to best protect consumers from cyberattacks.”