Threat of cyber attack on critical infrastructure is real, present danger

Decision-makers must realize that tightening security on industrial control systems is money well spent


During his keynote address at RSA 2002 (long before the Anthem, Target and Sony Pictures attacks), former White House official Richard Clarke famously said, “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.”

Fast forward to the recent S4x17 ICS cybersecurity conference. Clarke described how security professionals at organizations using industrial control systems (ICS) could argue persuasively for bigger budgets to mitigate modern ICS hacking scenarios.


Despite this guidance coming from a former top counter-terrorism adviser who later served as the first White House cybersecurity czar, many management teams are still skeptical when it comes to the risk of ICS cyber attacks.

Sure, they’ve all heard about Stuxnet and the German steel mill attack. And they’ve probably heard that critical U.S. infrastructure was compromised by overseas attackers in 2014 using a variant of the BlackEnergy malware, according to ICS-CERT.

But many decision-makers are still reluctant to spend more on tighter security controls to reduce the risk of attacks on ICS.

Clarke listed numerous examples of major disasters that clearly were predicted by experts but ignored by decision-makers. These include the subprime mortgage crisis of 2008, the Fukushima nuclear meltdown, the Madoff investment scandal, and several mining disasters.

In each case, no one acted upon the expert advice. According to Clarke, past predictions were ignored because:

• Decision-makers could always say afterward that “it never happened before”

• The magnitude of the problem was simply too big for decision-makers to get their heads around

Clarke points out that ICS cybersecurity is similar to these disasters because the cost of dealing with the disaster is disproportionately higher than the cost of mitigating it beforehand.

So the next time you hear “we’re not going to spend more on ICS cybersecurity because it’s never happened before,” rattle off the examples below to show how dramatically the world of cyber has changed in just the past year or so:

• Ukrainian power grid attacks. Before December 2015, no one had ever used a targeted cyber attack to turn off electric power in the middle of a cold winter. And it happened again in December 2016, according to Ukrenergo, Ukraine’s national transmission operator, when a substation supplying the capital, Kiev, was taken offline.

• Attacks on the SWIFT global banking system. Clarke described how, in the run-up to the Iraq invasion, U.S. generals proposed hacking Saddam Hussein’s bank and stealing all his money. President Bush was persuaded not to hack the bank because of the damage it would do to the world’s trust in the international banking system. And yet, in 2015 and 2016, attackers abused member banks’ access to the SWIFT messaging network at least three times (SWIFT’s own network was not breached; the banks’ local SWIFT environments were), in thefts that security researchers have attributed to North Korea. That makes them the first known incidents of a state actor using cyber attacks to steal funds.

• NSA’s top-secret cyber weapons posted on the internet. The NSA is considered the best in the world at this work. Yet in August 2016, a cache of the agency’s tools and techniques was posted on the internet, giving any script kiddie unfettered access to some of the world’s most sophisticated cyber weapons. Released by the Shadow Brokers was a large cache of specialized malware, including dozens of backdoor programs and 10 zero-day exploits, two of them targeting vulnerabilities in widely deployed Cisco ASA firewall appliances.

And on Jan. 16, 2017, the mysterious group released 61 malicious Windows executables, only one of which was previously known to anti-virus vendors.

• Data breach imperils a big merger. Cyber due diligence was rarely part of major M&A transactions in the past; nobody thought it was important. But the disclosure that more than a billion Yahoo accounts were breached in 2013 has put Verizon’s $4.8 billion acquisition of Yahoo on hold, perhaps permanently.

• Zombie botnet army takes down much of the internet. On Oct. 21, 2016, large parts of the U.S. internet became unreachable because of hundreds of thousands of Internet of Things devices that had been assembled into a massive botnet army (the Mirai botnet; size estimates ranged from Dyn’s own figure of up to 100,000 endpoints to 450,000). The unprecedented DDoS attack prevented users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites. The attack targeted Dyn’s managed DNS service, a major element of critical internet infrastructure: the sites themselves stayed up, but their names could no longer be resolved.

• No one would ever attack a hospital. Under the Geneva Conventions, hospitals are protected from attacks. Yet in 2016, ransomware stopped several hospitals from being able to care for their sick. That’s because modern hospitals simply can’t function without the computer systems needed for lab work, pharmaceutical orders, and even the emergency room.

• Cyber attacks interfere with U.S. presidential election. Whatever your views on who did it and why, the theft and leak of some 19,000 embarrassing emails and sensitive election strategy documents from the Democratic National Committee was the first time a targeted cyber attack was used in an attempt to influence the outcome of a U.S. presidential election.
