The Federal Government’s new Critical Infrastructure Centre (CIC) is going through “the puppy dogs and rainbows stage” before the harsh realities of maintaining cyber defence set in, says a US cyber security expert.
Eric Cornelius is the director of critical infrastructure and industrial control systems at cybersecurity firm Cylance and previously spent 12 years in government, including serving at the US Department of Homeland Security as deputy director and chief technical analyst for the agency’s Control Systems Security Program.
Mr Cornelius has helped lock down more than 300 critical infrastructure projects across 20 countries.
Australia’s CIC sits within the Attorney-General’s department and was established in January this year. It aims to put the expertise to handle national security risks to critical infrastructure in a single location.
The CIC is working up a register of critical infrastructure assets and aims to manage national security risks by working co-operatively across government agencies, states and territories, regulators and private owners.
It is also working up risk profiles for assets that detail current and emerging threats.
The CIC has a discussion paper out on strengthening the national security of the country’s critical infrastructure and is taking submissions. The closing date for submissions is March 21.
Mr Cornelius has seen it all before in the US, and says Australia’s CIC is in the enthusiastic first phase.
“I’ve read through the position paper the Australian CIC released and what I see is they are sort of mirroring what we did in the US,” he said. “I would say from what I gathered from the document you guys are still in the puppy dog and rainbows stage where everything’s really nice and you going to build this nice national register.
“There’s nothing wrong there and there’s a benefit with all of that. But what’s going to happen is the government is going to find, similar to what we did, that the asset owner-operators don’t know where all their devices are.
“They don’t know the kind of devices they have, they don’t know their age. It’s not like you are working in an Active Directory environment where you can make a simple query to the domain controller and understand where all your devices are.
“It’s incredibly difficult to build an accurate asset inventory of critical infrastructure environments.”
Mr Cornelius sees developing automated tools that can build accurate asset inventories as one of the main challenges facing the industrial control system security industry.
“If the government had any resources to bring to bear, I would suggest they invest in creating some sort of technology that could perform automated inventory. I’m talking deeper than a network level, there are some companies out there that have packet network sensors that record devices that are speaking on the network
“That’s OK. They can see about 80 per cent of devices and that’s a good start. But 80 per cent is a long way from where you need to be if you are going to defend your environment from sophisticated threat actors.”
Mr Cornelius also questions the assumption in the CIC discussion paper that critical infrastructure owner-operators are going to be willing to hand over data to the government.
“At some level everybody cares about national security and it looks like there is going to be a law that requires people to register.”
“But this is a garbage in, garbage out process. If you get critical infrastructure owner-operators who are not truly drinking the Kool Aid and are just trying to be compliant and provide the minimal amount of information, they can provide enough information to be compliant but not to be truly useful and helpful.”
He says the CIC will need to be extremely careful of protecting the data it collects if it wants to maintain the trust of asset owner-operators under its purview.
“There are a number of reasons why asset owner operators can be become disenchanted with the process and once that happens it loses its value.”
This has already happened to some extent in the US, says Mr Cornelius.
“When people see no benefit in doing what they are doing and it becomes burdensome from a time perspective, they become disheartened very quickly.”
WikiLeaks recently dumped out thousands of CIA documents that expose how the spy agency can remotely hack smartphones, computers, TVs and even vehicles and turn them into an intelligence gathering device or in the case of vehicles, a possible assassination tool.
Mr Cornelius says the latest WikiLeaks revelations point to the inherent vulnerability in our day to day electronic devices, especially smartphones.
“The fact that the majority of people carry cell phones nowadays makes them an extremely attractive target. To somehow suppose that governments the world over are not dedicating efforts to compromising cell phones is super naïve.”
Mr Cornelius personal strategy is to stay disconnected from the online world as much as possible.
“I have no Facebook page, I don’t have a social media presence, I really go out of my way to minimise my own personal attack circuit.”