Commercial enterprises are putting our critical infrastructure at risk

04.05.2012

* Employ integrated security management: Security management solutions need to become more than just antivirus protection and log-management mechanisms. Security systems also need to address the applications themselves, leveraging Layer 5 firewalls. The security systems must employ constant monitoring of vulnerabilities and patches, understand and respond to anomalies in system, application, and user behaviors within and across the connected networks, and engage in big data security analytics across multiple sectors to develop industrywide threat intelligence. "Security leaders really need to take a step back and reconsider the option of security consolidation where threat information from multiple vectors can provide deeper end-to-end threat intelligence," Sheth-Voss adds.

* Develop regulations with accountability: Regulations and best practices need to be defined, created, mandated, applied and enforced such that they cross over both the enterprise and the critical infrastructure entities. The Department of Homeland Security, the Department of Defense (DOD) and the Department of Energy (DOE) need to be at the forefront of fostering best practices and standards. The appropriate government entities should consider making funds for such purposes available to institutions farther down the chain beyond the capital goods vendors -- such as the local/state entities that put the industrial control systems in place. In the end, the value of security must be described and demonstrated. "The North American Electric Reliability Corporation (NERC) CIP5 set of cybersecurity standards, as one example, is being defined to focus on security as opposed to just compliance, but it will be a few years before we can see it in action," Cianfrocca says.

* Manage identities as humans: Security must focus on human behavior. Human-centric security is about recognizing that a digital identity is actually a human being; humans have patterns and behaviors that can be modeled and risk can be adjusted based on a number of factors. "Humans tend to make more mistakes on Mondays and when they work more than 12 hours," says Brown. "Humans are more vulnerable to coercion when they have recently been divorced or have money issues; this can't be ignored." Of course, the human factor is present in the critical infrastructure and many safeguards are in place to manage the physical aspects of humans. These same human-oriented safeguards need to be extended to the enterprise infrastructure as well.

* Establish cross-sector communications: Critical infrastructure entities, government institutions and the private sectors that enable them need to share threat intelligence, working together as a common force to track down these would-be attackers. U.S. Secretary of Homeland Security Janet Napolitano recently told the Senate Homeland Security and Governmental Affairs Committee that "we need the information-sharing, and it needs to be real-time. It makes common sense." Organizations and government agencies need to get over their hang-ups on sharing information, no longer treating existing and emerging threats as information that requires clearance levels above top secret. It needs to be done in a way that doesn't tip off the bad guys, so some legislative work coupled with a neutral third-party entity could help to build and share this cross-entity threat intelligence.

* Identify new technologies: One approach to critical infrastructure protection is to adopt technologies that reduce (if not eliminate) vulnerabilities altogether. One such example is BAE's STOP OS -- built especially for the DOD -- which does not require patches, thereby eliminating the need for staff and security experts to patch the infrastructure systems. Another option for secure virtual operating systems is Joyent's GuardTime-enabled , which prevents independently verified operating system modules and third-party applications from executing if they have been compromised in any way.
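A worked illustration of the "manage identities as humans" point above, added here and not code from the article or from any expert or vendor it quotes: a small risk scorer that builds each user's own login-hour baseline from constructed authentication log lines and then adds the two context factors Brown names, Monday logins and shifts longer than 12 hours. The user name, log lines, weights and thresholds are all constructed assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed authentication log (assumption): "timestamp user shift_hours"
LOG = """\
2012-03-05T08:02 jdoe 8
2012-03-06T08:10 jdoe 8
2012-03-07T07:55 jdoe 9
2012-03-08T08:05 jdoe 8
2012-03-09T08:00 jdoe 8
2012-03-12T02:40 jdoe 14
"""

# Weights and thresholds are constructed assumptions for illustration.
WEIGHT_OFF_HOURS = 40   # login hour far from this user's own baseline
WEIGHT_MONDAY = 15      # "humans tend to make more mistakes on Mondays"
WEIGHT_LONG_SHIFT = 20  # "... and when they work more than 12 hours"
MIN_STDEV = 1.0         # floor so a very regular user does not divide by ~0

def parse(log):
    """Turn log lines into (user, datetime, shift_hours) tuples."""
    out = []
    for line in log.splitlines():
        ts, user, hours = line.split()
        out.append((user, datetime.fromisoformat(ts), int(hours)))
    return out

def score(event, history):
    """Risk score and reasons for one login, using only that user's earlier logins."""
    user, when, shift = event
    prior = [h[1].hour for h in history if h[0] == user and h[1] < when]
    risk, reasons = 0, []
    if len(prior) >= 3:  # need a few observations before trusting a baseline
        z = abs(when.hour - mean(prior)) / max(pstdev(prior), MIN_STDEV)
        if z > 2:
            risk += WEIGHT_OFF_HOURS
            reasons.append(f"login hour {when.hour} is {z:.1f} sd from baseline")
    else:
        reasons.append("insufficient baseline")
    if when.weekday() == 0:          # Monday
        risk += WEIGHT_MONDAY
        reasons.append("monday login")
    if shift > 12:
        risk += WEIGHT_LONG_SHIFT
        reasons.append(f"{shift}h shift exceeds 12h")
    return risk, reasons

def decide(risk):
    """Map the score to the action an identity system would take."""
    if risk >= 60:
        return "step-up auth and notify SOC"
    return "allow, flag for review" if risk >= 30 else "allow"

def run(log=LOG):
    """Score every login in the log against the history it had at the time."""
    events = parse(log)
    return [(e[1].isoformat(), *score(e, events), decide(score(e, events)[0])) for e in events]
```

The final Monday 02:40 login after a 14-hour shift scores far above the routine 08:00 logins, which only pick up the Monday factor.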