Critical Infrastructure - Deloitte


Cybersecurity for critical infrastructure: Growing, high-visibility risks call for strong state leadership

In 2012, Defense Secretary Leon Panetta famously warned that the United States risked a "cyber-Pearl Harbor" with the potential for hackers to silently derail trains, release lethal chemicals, contaminate the water supply, or shut down the power grid. As adversaries change their motives and cyberattack techniques, the topic of cybersecurity is expanding far beyond citizen data protection: It is now an urgent public safety concern.

Cyberattacks on critical infrastructure have grown increasingly sophisticated, with greater potential impact.

For financial, political, or military gain, recent attacks were responsible for shutting down Ukraine's power grid, "self-destruction" of centrifuges in a uranium-enrichment plant in Iran, holding a Los Angeles hospital's medical records for ransom, and infiltration of email and fare-collecting systems for San Francisco public transit. To date, damages have been limited to financial loss, inconvenience, and negative publicity, but cyberattacks on critical infrastructure clearly have the potential to pose serious problems, from service disruption to physical threat to human lives.

Cybersecurity in the news

Increasingly sophisticated cyberattacks on critical infrastructure have placed governments worldwide on high alert.

Stuxnet malware targeted at industrial control systems
"Stuxnet had been specifically designed to subvert Siemens systems running centrifuges in Iran's nuclear enrichment program ... financial gain had not been the objective. It was a politically motivated attack. The implications go beyond state-sponsored cyberattacks." David Kushner, "The Real Story of Stuxnet," IEEE Spectrum, February 26, ...-real-story-of-stuxnet.

December 2015 cyberattack on Ukraine power grid
"... well planned and brilliantly executed ... it was a first-of-its-kind attack that set an ominous precedent for the safety and security of power grids everywhere ... the people in charge of the world's power supplies have been warned. This attack was relatively short-lived and benign. The next one might not be." Kim Zetter, Wired, March 3, ...unprecedented-hack-ukraines-power-grid.

February 2016 ransomware attack on LA hospital
"The attack forced the hospital to return to pen and paper for its record keeping. ... cyberattacks on hospitals have become more common in recent years as hackers pursue personal information they can use for fraud schemes." Richard Winton, "Hollywood hospital pays 17,000 in bitcoin to hackers; FBI investigating," LA Times, February 18, ...ml.

November 2016 SF public transit payment system and email hack
"Attacks like this could happen anywhere and wreak far more havoc. And they almost certainly will, because the American public transit systems that make daily life possible for millions are an easy target. Many are aging and underfunded, with barely enough money to keep the trains running, let alone invest in IT security upgrades." Jack Stewart, "SF's Transit Hack Could've Been Way Worse—And Cities Must Prepare," Wired, November 28, ...k-couldve-way-worse-cities-must-prepare/.

State critical infrastructure protection should address cyber threats

States have cybersecurity programs focused on citizen data protection and often separately run programs to protect critical infrastructure. Cybersecurity specifically for critical infrastructure is a missing piece that poses an increasingly urgent risk. Cyberattacks present unique challenges:

- Cyber threats lack distinct borders.
- The tactics and technologies are constantly evolving.
- Both public and private sector entities manage critical infrastructure at risk for cyberattack, requiring a coordinated effort and information-sharing processes that currently do not formally exist in many states.

As guardians of public safety, state leaders are expected to identify, protect, detect, respond, and recover swiftly and effectively from any disruption to critical infrastructure to reduce damage and restore operations and services. Currently, most critical infrastructure protection programs only address physical threats, leaving states vulnerable to cyber threats ranging from service disruption to public safety concerns. States need to expand their risk mindset to include cyber risks and lead a statewide, public-private collaboration focused on sharing information, raising awareness of roles that all groups involved should play, and establishing a unified response to cyberattacks on critical infrastructure.

Building an effective program will require time, commitment, and close cooperation between public and private entities, as well as interstate and federal agencies, including:

- Leadership support at the highest level of state government to secure funding and broad engagement; ideally, sponsored and driven by the Governor's office.
- State-led coordination of public and private entities, including developing a framework approach for guiding practices to establish open communications, leverage strengths, define roles and responsibilities, fill skills and resource gaps, and help teams work together effectively to deter, detect, and initiate an effective response to cyberattacks. This can also help identify commonalities across critical infrastructure components. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Core Elements can be leveraged as a guide for looking at the critical elements (www.nist.gov/cyberframework/csf-reference-tool).
- A state agency serving as an information-sharing engine for all entities involved and providing access to services that specifically support a strengthened cybersecurity posture for critical infrastructure.
- Ongoing cooperation between diverse, dispersed groups, including many that have not worked together in the past: IT cybersecurity specialists dedicated to individual state agencies; emergency management and law enforcement teams responsible for on-the-ground response to critical infrastructure emergencies; private sector cybersecurity and disaster response teams; and other entities responsible for securing critical infrastructure.
- Utilization and coordination with federal partners such as Department of Homeland Security (DHS) Physical Security Advisors, DHS Cybersecurity Advisors, and liaisons from cybersecurity agencies such as the National Cybersecurity and Communication Integration Center.
- A point of contact within the state tasked with contributing to existing federal databases and leveraging existing information to conduct more well-informed risk assessments on critical infrastructure in the state.

In short, every state should be actively preparing to protect critical infrastructure from cyberattack, a serious risk that will require a serious commitment of resources and leadership.

New mindset for managing cyber risk to critical infrastructure

With cyberattacks on critical infrastructure of increasing concern and rising severity, states need to view hiring and training of cybersecurity resources through a new lens. In addition to technical skills, an effective program will require leaders who can encourage strong public-private collaboration and open information exchange. In particular, private sector entities should be able to share sensitive information about potential vulnerabilities around their ability to protect critical infrastructure from cyber risks without fear of reprisal or concern that the information will be made public.

New skill combinations will also be essential. Cybersecurity specialists and teams responsible for critical infrastructure will need to consult with each other and expand their skillsets to develop a complete, accurate picture of vulnerabilities, issue severity, and possible impacts. For example, to accurately reflect risk exposure and protect the power grid from cyberattack, states will need combined expertise in cyber and the cascading impacts of destabilizing the physical power stations. It is also important to consider that preventive measures are not always foolproof. Improving awareness of how new threats present themselves and being able to detect abnormal conditions and expedite responses are essential to reducing harm to the public when attackers are successful.

An effective program will require a team with the skills to establish:

- Strong relationships with private sector and federal partners
- Well-defined roles and responsibilities and consistent and informed communications
- Mechanisms to present and receive feedback, raise awareness, support information exchange, and promote action
- An operational plan to share and maintain cybersecurity information
- Training and coordination for multi-disciplined response teams—search and rescue, emergency medical support, IT cybersecurity specialists, as well as leaders in the public and private sectors
- Initial and ongoing requirements for equipment and software
- Cybersecurity risk analysis and prioritization in the event of a disruption of service or physical harm to citizens

Each state will need to assess existing resources and begin training to fill skill and information gaps.

State cybersecurity programs should reflect the specific vulnerabilities of any critical infrastructure the state relies on for public health, safety, and prosperity.

Defining critical infrastructure

The US Department of Homeland Security defines critical infrastructure as "the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."[1] Presidential Policy Directive 21, Critical Infrastructure Security and Resilience, identifies 16 critical infrastructure sectors:[2]

- Chemical
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Health care, public health
- Information technology
- Nuclear reactors, nuclear materials and waste
- Transportation systems
- Water and wastewater systems

[1] U.S. Department of Homeland Security, "What is Critical Infrastructure?" Last published October 14, 2016.
[2] The White House, Presidential Policy Directive 21 (PPD-21), "Presidential Policy Directive — Critical Infrastructure Security and Resilience," February 12, ...critical-infrastructure-security-and-resil.

Getting started: Understanding the state of your state

Building a cybersecurity critical infrastructure program takes time, careful planning, and ongoing support from the state's Governor, state and federal agencies, and public and private entities overseeing critical infrastructure. The first step is often the most difficult, but it is also arguably the most important. Keeping it simple and straightforward will help accelerate the process.

The first step is helping key players in government understand the severity, urgency, and potential impacts of different types of cyber threats and the need to take immediate action. From there, the process is about assessing potential exposure. States should challenge themselves to ask the tough questions:

- Are the right people aware that this is an issue?
- Who is responsible for managing the risk?
- Do we know our attack footprint?
- What are we doing to address the issue and manage it going forward?

Once a basic understanding of potential exposure is developed, states can begin to move forward on a plan for bringing the right people and skills together to build a successful program. Maintaining focus and not losing sight of the mission will keep you on the path forward.

What next?

State leaders are best positioned to understand critical infrastructure risks within their state and develop programs to help mitigate and respond effectively to the wide variety of cyber threats they might face. However, to be successful, states will need to cultivate the skills, culture, and mindset for public-private collaboration on critical infrastructure protection programs that account for the possibility of cyber disruption.

To learn more about how Deloitte can help your state evaluate options, visit our website or contact our team of critical infrastructure cybersecurity specialists:

Srini Subramanian
Principal, Deloitte Risk and Financial Advisory
State Cyber Risk Services Leader
Deloitte & Touche LLP
1 717 651 6277
ssubramanian@deloitte.com

Mike Wyatt
Managing Director, Deloitte Risk and Financial Advisory
Cyber Risk Services
Deloitte & Touche LLP
1 512 226 4171
miwyatt@deloitte.com

Daniel Gabriel
Senior Manager, Deloitte Risk and Financial Advisory
Cyber Risk Services
Deloitte & Touche LLP
1 704 887 1654
dgabriel@deloitte.com

Andrea LeStarge, MS
Manager, Deloitte Risk and Financial Advisory
Cyber Risk Services
Deloitte & Touche LLP
1 414 977 2281
alestarge@deloitte.com

Further reading

- Executive order expected on cybersecurity: Jose Pagliery, "Big changes in Trump's cybersecurity executive order," CNN, January 31, ...ump-cybersecurity-executive-order/index.html.
- Time Person of the Year 2016, No. 3, The Hackers: Matt Vella, "They made vulnerability the new normal and took aim at democracy itself," Time, ...016-hackers-runner-up.
- Department of Homeland Security 2013 report on improving cybersecurity for critical infrastructure: ...incentives-study.pdf.
- National Institute of Standards and Technology (NIST) framework for improving cybersecurity for critical infrastructure: www.nist.gov/cyberframework.
- White House policy on cybersecurity: ...icy/cybersecurity.

This article contains general information only and Deloitte Risk and Financial Advisory is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Risk and Financial Advisory shall not be responsible for any loss sustained by any person who relies on this article.

As used in this document, "Deloitte" and "Deloitte Risk and Financial Advisory" means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see http://www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright 2017 Deloitte Development LLC. All rights reserved.
