Are we ready for an attack upon our national critical infrastructures?
Malaysia’s international airport had an unprecedented “blackout” last month, lasting 3 to 4 days.
Something called the Total Airport Management System (TAMS), used by the airport operator, Malaysian Airports Holdings Berhad (MAHB), was broken. Speculation was rife as to where and what exactly the problem was.
Two days after the system came back online and some semblance of order returned to the chaos, a commission was set up, and even the National Cyber Security Agency (NACSA) is among the line-up. This is to be expected because the security of a critical national infrastructure is at stake.
Headed by the Ministry of Transportation, this commission has been given one month to investigate and report its findings.
In the meantime, news has emerged that all the hoo-ha was caused by faulty, maybe even outdated, network equipment, and a few vendor names were thrown about.
MAHB isn’t ruling out malicious intent and 12 IT officers have even been brought in for questioning by the police.
So, currently MAHB’s top management and IT staff are busy pointing fingers at each other, but the matter I want to bring to light is this:
As early as 24th August, NACSA had come out to say there had been no evidence of a cyberattack. Network service disruption was detected on 21st August.
What if it were a cyberattack? Are we ready to respond?
We turn to Directive 24
I’m not saying what happened at KLIA is a cyber attack. I don’t know what happened there (a very detailed account can be found here).
But is our critical national infrastructure ready to handle one? Are we ourselves ready to face one?
Directive 24, according to the NACSA website, is an “executive directive that outlines the strategy that Malaysia will undertake for cyber crisis mitigation and response among Malaysia’s critical national information infrastructure (CNII) through public and private collaboration.”
It is believed the document was created in 2011.
A source familiar with the document further described it as, “interesting because legally there is no standing for that document.
“It is not law, it is not regulation and it is enforced through the sector leads aka regulators.”
The document was even shown to me with the enlightening note, “This is not enforceable.”
There may be other documents spawned from this directive that outline in more detail the persons or committees responsible for leading implementation of the executive directive, but who are they?
What are the steps to respond and mitigate? Does MAHB have a business continuity plan, i.e. ISO 22301, which includes, among other things, a communications plan to keep the public and the press informed?
If the KLIA blackout was caused by a cyber attack, what authority does that directive grant, and to whom does it grant that authority?
IT BYTES BACK! says: A well-intentioned direction will remain as just that, an intention, until further details are given to implement it, put it into play, and enforce it. Why is Directive 24 kept under wraps, instead?