April 5, 2005

By Jenny Carless, News@Cisco

The increasingly important role of technology in maintaining today's critical infrastructures is sometimes seen as a two-edged sword: as providers of transportation, energy and other infrastructures migrate their core business processes onto information networks and the Internet, they reap enormous benefits in terms of competitiveness, efficiency and quality of service. But there are also risks, because more technology can mean more potential for system failures.

Just released on CD-ROM, Securing Cisco Routers (SECR) is a free course from Cisco Systems that teaches the top ten steps to improving Cisco router security. It aims to raise awareness of the need to help ensure that Cisco routers used in critical infrastructure networks are configured securely based on industry best practices and Cisco IOS software features.

The popular, self-paced course is one of many ongoing projects of the Critical Infrastructure Assurance Group (CIAG) at Cisco, which plays an important role in raising the bar of security worldwide.

Public/Private Collaboration

The private sector in the United States owns and operates about 85 percent of the nation's critical infrastructures (e.g., transportation, banking, energy, manufacturing). Therefore continued, secure delivery of critical services to citizens and customers requires that public and private entities work cooperatively.

Since its inception in 2000, CIAG has worked to develop and implement homeland security and critical infrastructure assurance programs by utilizing the company's expertise in computing and network security. The group's three primary areas of focus are Workforce Development, Critical Infrastructure Research, and Policy & Standards Development.

A Trusted Advisor

CIAG has earned the reputation as a trusted advisor and partner to the federal government and others involved in developing policies and standards that guide the critical infrastructure protection effort.

"Cisco has expertise in networking and security, and we understand just-in-time supply chain management," says Ken Watson, who created and manages CIAG. "So we've been there; we have the requisite knowledge."

"The people involved in this arena represent enterprises and service providers," he adds. "These organizations have been our customers from the outset."

• Watson is chairman emeritus of the Partnership for Critical Infrastructure Security (PCIS), having helped the Department of Commerce create the group in December 1999. An initial meeting involved more than 200 companies and government agencies, and PCIS is still considered the best forum for cross-sector critical infrastructure coordination.
• Watson is also president of the National Cyber Security Alliance, which helps people with broadband connections keep them secure and keep their computers from being used as a tool by attackers. The group sponsors www.staysafeonline.info and an annual cyber security awareness campaign, which is supported by the Department of Homeland Security and many academic organizations and infrastructure providers.
• John Chambers, Cisco president and chief executive officer, is vice chair of the National Infrastructure Advisory Council (NIAC). Composed of 30 representatives of the private sector, academia and state and local governments, NIAC advises the president of the United States on the security of information systems for critical infrastructure supporting many sectors of the economy. CIAG actively supports this work.

One of the pillars of CIAG's trusted reputation is that it is not connected to Cisco products or short-term revenue. "We're conducting and sponsoring research that doesn't necessarily result in a Cisco product or service but rather is aimed at improving security for infrastructures worldwide," explains Greg Akers, senior vice president and chief technology officer for Global Government Solutions at Cisco. "As an example, CIAG is working on process control systems security, but Cisco is not in that market at all."

Securing the Delivery of Critical Services

CIAG works in many different arenas - with both government and the industry sectors - to secure the delivery of critical services.

For example, the SECR course is just one way it helps support workforce development through information assurance education. The free, hands-on course on security best practices is popular with police departments, universities, the electric power sector and many others for providing this critical information in a useful, accessible way.

CIAG's education program is committed to building strategic relationships with the Centers of Academic Excellence in Information Assurance Education (CAE/IAE) designated by the National Security Agency (NSA) as well as other universities contributing in the field of information assurance. CIAG educational activities include equipment donations, curriculum development, scholarships, internships and an innovative 'boot camp' for university faculty.

CIAG is also actively engaged in many research efforts. "We're on the leading edge of several new technologies and we're involved in seven standards committees, with a leadership role in three of those," says Watson. "We conduct and present research on topics from IPv6 security to control systems to BGP, DNS and other infrastructure protocols."

The focus of CIAG's research is securing critical infrastructures rather than solely focusing on network security. The group looks at common technologies and concerns across multiple industry sectors.

CIAG also supports the SCADA National Test Bed, through networking equipment donations and technical analysis of networking issues. This joint project involving Sandia National Laboratory and Idaho National Engineering Laboratory aims to evaluate security issues associated with electrical power infrastructure and other sectors that depend on electricity.

Today's advanced information networks can offer an array of benefits to government and industry sectors. But the security risks inherent in migrating business processes to these networks must not be ignored. CIAG and many other public and private organizations are working to help ensure that security remains a top priority as the world's critical infrastructures depend to an ever greater extent on sophisticated technology.

Visit Cisco Systems at FOSE, April 5-7, Washington Convention Center, Booth #3019.

Jenny Carless is a freelance writer located in Santa Cruz, CA.