Brian Contos, CISSP, VP and CISO, Blue Coat Advanced Threat Protection Group
As VP and Chief Information Security Officer in Blue Coat's Advanced Threat Protection Group, Brian Contos (Certified Information Systems Security Professional, CISSP) deals extensively every day with cutting-edge security technologies and the complex issues they entail for organisations in all sectors and industries across the globe. He is also a Ponemon Institute Distinguished Fellow and a featured blogger for CSO Online (a sister media property of CIO, parent title of CIO Asia). Contos took time out of his busy schedule recently to answer a few questions regarding the current state of our critical infrastructures, and what we should do to make the Industrial Control Systems (ICSes) we have managing them more secure.
Give us your comparative reading of Industrial Control Systems being used across the world today to protect our critical infrastructures, particularly as they relate to how ready each system in each country is to counter attacks and malware, particularly those stemming from connection to the Internet.
It's impossible to state specifics about any given country's ICS versus another country's with a wholesale response. However, in general there are three categories of ICS security:
1. Higher Risk: Countries with older systems that have evolved to add network connectivity such as dial-up, wired Ethernet, wireless Ethernet, Bluetooth, Serial over IP, Modbus, DNP3, TCP/IP and the like often have a mix of modern and legacy controls. They are highly connected with legacy and modern protocols and often the older, connected systems offer little to no security, cannot support encrypted communication, cannot be patched, hardened, or even run common anti-malware, firewall and IPS solutions locally. Their risk to cyber attacks is high.
2. Medium Risk: Countries with more modern systems that are also taking advantage of strong security controls, and have little to no legacy equipment are highly connected but have several safeguards in place to keep them secure. They have fewer systems that are out-of-date, in end-of-life or engineered without connectivity and security in mind. Their risk to cyber attacks is medium.
3. Lower Risk: Countries with older systems that don't take advantage of digital controls and still operate in analog are generally less connected to digital systems including modern computers and the internet. Their risk to cyber attacks is lower, but they are also unable to benefit from the advantages of digitisation and are often replaced by newer, more capable equipment.
Most countries have a mix of all three risk levels across various segments of critical infrastructure.