If theres an upside to reports over the past week that the U.S. natural gas pipeline sector has been the target of potentially threatening cyber intrusions, at least we know this: the industry voluntarily came forward about it, in this case to a body at the U.S. Department of Homeland Security known as the Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT), which keep tabs on risks to the countrys critical infrastructure and natural resources.
As first reported by the Christian Science Monitor, since March DHS has been alerting organizations to a cyber-threat campaign aimed at industry networks (and which investigators believe may be linked to the 2011 cyber attack on RSA, Inc.). Last week, DHS confirmed as much in a public monthly bulletin [PDF], which in addition to describing the cyber attacks in question, also highlighted how DHS came to be alerted in the first place:
In this particular campaign, reporting organizations enabled ICS-CERT to analyze the data and create an overall view of the activity in progress. This would not have been possible without the active cooperation of the reporting organizations, so ICS-CERT commends those involved and requests continued private sector reporting whenever possible. ICS-CERT provides secure portal access to critical infrastructure asset owners and government agency personnel who are tasked with protecting critical infrastructure.
Thats not empty praise, but rather evidence of a huge step forward in information sharing between U.S. business and government, according to industry experts.
This is a sea change in how organizations deal with problems, says James Arlen, a senior consultant for Taos, an IT consultancy. Weve got positive information sharing in a place where we wouldnt expect to find positive information sharing.
Owning up to a mistake or disclosing a weakness is difficult, particularly for private corporations and those who oversee their technology systems, Arlen says. Admitting that you had a breach is something thats still very difficult for private industry, he says, because your job as a defender is to ensure that no one ever gets through the wall.
Arlen says this instance is part of an ongoing maturation process in the areas of information security and information sharing. Its a process rooted in trust building between government and industry thats been more than 10 years in the making, he says, and the language in the DHS bulletin is a nod to the fruits of those labors.
Its an example of appropriate praise for an industry that has matured to the point where information sharing is an obvious thing to do, Arlen says, referring to the DHS report. This is recognition on the part of government that theres a level of understanding that problems for one organization or problems for one industry can be problems for everyone. Rather than attempting to keep ones problems secret, sharing the potential issue and helping to create a greater understanding or a more proactive stance is, frankly, an incredible step forward.
The Interstate Natural Gas Association of America concurs. This does show that theres a collaborative effort, and that people did do what theyre supposed to do, says spokeswoman Cathy Landry. And what theyre supposed to do is notify ICS-CERT if they suspect or if theyve been victim of a cyber intrusion.
But for many utilities companies, the fear of regulatory scrutiny remains a big hurdle to sharing such information with the government, says Patrick Miller, president and CEO of EnerySEC, a nonprofit resource for information sharing and best practices.
Theyre afraid it will come back to them in some way, shape, or form as a regulatory issue, Miller says.
He notes that theres essentially a firewall between ICS-CERT and the regulatory arm of DHS. That makes ICS-CERT seen as more trustworthy to industry, he says.
All of this comes down to people trusting people, Miller says. You dont share unless you trust someone.
See also: An Ex-FBI Cybersecurity Expert’s Dire Warnings for Corporate America, CorpCounsel, April 2012.
