This is an excellent piece. William Church has taken infrastructure protection to a more defined level where it needs to be.

It is Infrastructure Protection, Stupid; not Computer Security

It is hard to blame corporations for confusing computer security with infrastructure protection; after all, the President's Commission on Critical Infrastructure Protection spent $20 million and produced a report on computer security and not infrastructure protection. How can you blame either of them with all the talk of firewalls, hacking, cracking, anti-virus, sync floods?

In military terms, the problem is similar to placing a guard in front of every building and calling that a defense plan. The vulnerability is the relationship of the infrastructure and its individual parts as a whole and its internal and external links.

The focus on computer security fails to recognize that systems can be affected by destroying a crucial system link without directly touching the targeted system. What good is a secure computer if the data transmission lines are unsecured and public? How do you protect an electric power distribution system if the operating system is shared with similar systems throughout the world?

Infrastructure protection requires a systemic approach which accounts for a wide range of vulnerabilities that could be both "information/cyber" and physical attacks. According to our records, more credit cards are stolen every year by physical theft - stealing a computer - than by what is commonly called hacking. There is no need to destroy a competitor's production control computer if a linked system is blocked from providing data about key variables used to calculate a final formula.

Just as there is no need to destroy an electric power system if you can block the delivery of coal to the power plant, and that may be the best example today of infrastructure vulnerability. The Union Pacific merger with Southern Pacific resulted in significant infrastructure problems. Today, the United States Army has issued an order suspending the use of Union Pacific to ship supplies because of the high accident rate and lost cargo problems. The media has reported problems that range from coal not getting delivered to power plants to corn rotting in silos because Union Pacific can't track its railroad cars. And this isn't counting the five accidents they have had with multiple fatalities.

This best represents the real infrastructure threat and it is complex with no simple solution. It demonstrates that a corporation or nation can be hurt by an indirect hit and that is why a systemic approach is necessary.

Unfortunately, everyone wants a simple fix. No one organization can see the whole picture so it looks unsolvable. The computer department takes responsibility by putting up a firewall. The telecom department takes responsibility by securing its network. But no one thinks outside their area about related vulnerability.

Why is this important? For the United States the next large infrastructure test will be the transition associated with the Year 2000 problem. A Y2k fix requires not only internal system focus but a fix of all systems linked together to eliminate any possible correction of the data. For example, an internal scientific system may look up a date table in an external system, and this could be a source of corrupted data.

The outcome is certain. As a society becomes more reliant on an interconnected infrastructure, the chance for a systemic failure becomes higher. On that date, true computer security will be reached. Systems will be isolated; therefore, finally secure.

William Church
Managing Director
Editor, CIWARS
The Centre for Infrastructural Warfare Studies
http://www.iwar.org
iwarat_private
Affiliate: The Infrastructure Assurance Institute

Betty O'Hearn
Assistant to Mr. Winn Schwartau
813-360-6256 Voice
813-363-7277 FAX
http://www.infowar.com
http://www.info-sec.com

Everybody gets so much information all day long that they lose their common sense. - Gertrude Stein, American author (1874-1946).