National Infrastructure Vulnerability Nation Infrastructure This Report

National Infrastructure Vulnerability

Nation Infrastructure

This report covers how the United States does and should address threats to its critical national infrastructure. Vulnerability to attacks like the SCADA/Stuxnet worm will be addressed as well as mitigations as they relate to the seven domains. The assessment of levels of responsibility to protect both the public and private sectors will be covered as well as the elements of an effective IT security policy framework. No less than three scholarly resources will be used for this report, as per the parameters of the assignment.

SCADA/Stuxnet

The Stuxnet word made major shockwaves when it came to be known fully in roughly 2010. Presumed by many to be the product of cooperation with the Israeli and United States governments to attack Iran and perhaps inhibit their ability to manufacture and process nuclear devices and materials, the worm specifically attacks Siemens (SCADA) devices that relate to the data management of infrastructure devices. While this attack was clearly targeted at Iran, such a methodology and attack could certainly be turned around and used against the United States and/or other Western nations and this would obviously have horrible effects (Goodin, 2010).

Mitigations across the Seven Domains

The seven domains of IT infrastructure must be managed by the government to protect both the public and private sector. These seven domains are user domain, workstation domain, LAN domain, LAN to WAN domain, remote access domain, WAN domain and System/Application Domain. There are two basic elements that can be used to fight attacks from computer viruses, other malware, social engineering and computer worms like Stuxnet and other more common viruses and worms. Those two tools are user education and deployment of security solutions. Not all solutions are obvious. An established antivirus and anti-malware system across all domains is a must, of course (UMW, 2013).

However, the increase and ferocity from tactics such as social engineering, user carelessness and the like can be very problematic as well. Examples of social engineering would be criminals using social tactics and ploys to get information that they cannot or should not have. User carelessness includes losing of laptops and other important equipment, leaving workstations unsecured and so forth. Users must be educated on what to do, what not to do and users must be disciplined if they screw up. Lastly, users must be protected from themselves via tactics like laptop encryption, idle timer lockouts and so on (UMW, 2013).

Responsibility Assessment

As far as how to assess levels of responsibility to protect the public and private sector, that can also be broken into two major parts. The high-level IT personnel as well as the agency executives themselves need to construct the best practices, best prevention technology and tactics in general and then the users and other employees must be instructed to use them with enforcement or other measures for those that cannot or will not do their job correctly. This is perhaps an over-simplification but this report's length does not allow the author to give the subject justice. Suffice it to say that the management (both IT and non-IT) need to have all procedures and technology current and as cutting-edge as possible and employees need to be hired carefully and trained well so that there is no proverbial egg on the fact if/when a mess is created (UMW, 2013).

IT Security Policy Framework

Establishing an IT security policy that is effective, all-encompassing and proper requires several proverbial "legs" to the stool. A nice offering from tech punditry giant ZDNet offered seven components to an effective IT security policy. Those seven components, in the order in which they were mentioned for the story, were security accountability, network service policies, system policies, physical security, incident handling and response, behavior and acceptable use policies and security training. In short, it's a more drawn out explanation and example of the two broader arenas of counteractions mentioned above, those being user training/handling and they security infrastructure they operate in. The conclusion of the article notes that all of the seven steps mentioned above should be reassessed either quarterly (at a maximum) or at any point in which a configuration change occurs in the IT infrastructure of the firm or agency in question (Taylor, 2001).