In Cyber Attacks: Protecting National Infrastructure, Edward Amoroso lays out the foundation on how to secure this monstrosity called national infrastructure, often referred to as critical infrastructure.
The US has had a critical infrastructure protection program in place since 1996. In 2001, the Patriot Act defined critical infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”.
The critical infrastructures and responsible agencies in the US are:
- Agriculture and food – Departments of Agriculture and Health and Human Services
- Water – Environmental Protection Agency
- Public Health – Department of Health and Human Services
- Emergency Services – Department of Homeland Security
- Government – Department of Homeland Security
- Defense Industrial Base – Department of Defense
- Information and Telecommunications – Department of Commerce
- Energy – Department of Energy
- Transportation and Shipping – Department of Transportation
- Banking and Finance – Department of the Treasury
- Chemical Industry and Hazardous Materials – Department of Homeland Security
- Post – Department of Homeland Security
- National Monuments and Icons – Department of the Interior
- Critical Manufacturing – Department of Homeland Security
As CSO at AT&T, Amoroso brings significant experience to every chapter in this excellent resource.
In 11 densely-packed but very readable chapters, he provides a comprehensive overview of how to secure the national infrastructure. While the title states national infrastructure, the entire book is completely relevant for any organization that has information assets it needs to secure.
The book provides a good mix of both high-level overviews, suitable for management, and highly technical details, suitable for security architects.
Chapter 1 is titled Introduction, but by page 7, the author is already detailing the nature of the threats of botnets. The chapter provides a detailed list of the five entities that comprise a botnet attack.
The chapter and the rest of the book also make excellent use of graphics and illustration.
Each chapter also includes review questions, exercises and hands-on projects to review and internalize the topics discussed.
Cyber Attacks: Protecting National Infrastructure is a very readable and engaging book on one of the most important topics the US is currently facing.
While Amoroso lays out the technical issues, he also notes that the only way to remediate them is via a commitment to infrastructure protection, based on a top-down approach from management.
If management is supportive of information security and understands its significance, it will be inordinately easier for the security team to secure the infrastructure.
For those looking for a reference that provides both the breadth and depth on the topic, Cyber Attacks: Protecting National Infrastructure is an invaluable resource written by one of the smartest minds in the industry.
Cross-posted from RSA