Welcome to Lesson 32.
In this lesson, we're going to start taking a look at alternative solutions to
today's cybersecurity problem.
When faced with any problem, you have at least four choices.
One, you can ignore it.
Two, go around.
Three, go over.
Or four, go through it.
The current approach to cybersecurity may be likened to option number four,
go through it with all its attendant uncertainty and risk.
I hope this course has made clear why option one, ignoring the problem,
isn't even a consideration.
But what about option two?
Can we go around?
Another way of putting this is to ask, can we go back?
Certainly there was a time before the Internet,
when cybersecurity wasn't the problem.
If we think about it, this option suggests two alternatives.
One, disconnecting from the Internet.
And two, reverting to purely manual controls, particularly with regard to
cyber-physical systems, i.e., industrial control systems.
Let's take a quick look at the first alternative,
disconnecting from the Internet.
As we mentioned in Lesson 15, disconnecting from the Internet
really is not an option.
We cited the Stuxnet virus as an example.
For those of you not familiar with Stuxnet, it was the supply chain attack
perpetrated against Iranian nuclear research facilities in 2010.
Stuxnet targeted Siemens centrifuges used to refine nuclear materials.
The worm was likely introduced by a thumb drive sometime after manufacture and
set to work after the devices were installed. In other words, the worm jumped
the air gap and managed to make its way into a highly secure
facility without using the Internet.
Certainly screening methods can help avoid similar type problems in the supply chain,
but then there are some sectors of critical infrastructure that quite
literally can't afford to disconnect from the Internet.
The electricity sector is one of them.
For instance, the Energy Policy Act of 2005 opened access
to long distance transmission lines, allowing cheaper electricity
from one region to be purchased by utilities in another region.
The monitoring and control required to facilitate such
transmission cannot be accomplished without network access to controls.
Similarly, the Energy Independence and
Security Act of 2007 promotes the implementation of smart grid technologies.
Smart grid is a general collection of capabilities designed to reduce
electricity demand by monitoring and reporting usage.
Again, such capability cannot be achieved without network monitoring and control.
So can we revert to manual controls?
There's good reason why industry gravitated away from manual controls;
chief among them was to reduce labor costs.
But even if industry wanted to return to manual controls,
the previously cited examples work against this alternative.
Again, Stuxnet was able to jump the air gap, and the timing requirements
and volume of traffic for managing the electric grid are too fast and
too much for humans to intervene manually.
The same goes for traffic management for systems and
the transportation sector and monitoring transactions in the finance sector.
In short, there is no going back.
We can't go around the cybersecurity problem.
So what about option three, going over?
We'll save that for our next lesson.
Meanwhile, let's review the main points from this one.
One, there are always four options to any problem.
One, ignore it.
Two, go around.
Three, go over.
Or four, go through it.
Two, the current approach to cybersecurity may be described as option three,
go through it.
Three, option two, go around, suggests two alternatives:
disconnecting from the Internet and reverting to manual controls.
The Stuxnet worm reported in 2010 demonstrates the ability
of a cyber attack to jump an air gap and bypass the Internet.
And both the Energy Policy Act of 2005 and Energy Independence and
Security Act of 2007 require network connectivity to achieve their provisions.
The speed and volume of traffic required for managing the energy, transportation,
and finance sectors are beyond the ability of manual intervention.
So in short,
there's no going back; we cannot go around the cybersecurity problem.
Please join me next time as we look at going over the cybersecurity obstacle and
examine technologies that might eliminate the problem.
See you then.