Threat of cyber attack on critical infrastructure is real, present danger
Decision-makers must realize that tightening security on industrial control systems is money well spent
By Phil Neray, Special to ThirdCertainty
During his keynote address at RSA 2002—and long before Anthem, Target and Sony Pictures attacks—former White House official Richard Clarke famously said, “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.”
Fast forward to the recent S4x17 ICS cybersecurity conference. Clarke described how security professionals at organizations using industrial control systems (ICS) could argue persuasively for bigger budgets to mitigate modern ICS hacking scenarios.
Related article: Cyber warfare challenges face U.S. president
Despite this guidance coming from a former top counter-terrorism adviser who later served as the first White House cybersecurity czar, many management teams are still skeptical when it comes to the risk of ICS cyber attacks.
Sure, they’ve all heard about Stuxnet and the German steel mill attack. And they’ve probably heard that critical U.S. infrastructure was compromised by overseas attackers in 2014 using a variant of the BlackEnergy malware, according to ICS-CERT.
But many decision-makers are still reluctant to spend more on tighter security controls to reduce the risk of attacks on ICS.
Clarke listed numerous examples of major disasters that clearly were predicted by experts but ignored by decision-makers. These include the subprime mortgage crisis of 2008, the Fukushima nuclear meltdown, the Madoff investment scandal, and several mining disasters.
In each case, no one acted upon the expert advice. According to Clarke, past predictions were ignored because:
• Decision-makers could always say afterward that “it never happened before”
• The magnitude of the problem was simply too big for decision-makers to get their heads around
Clarke points out that ICS cybersecurity is similar to these disasters because the cost of dealing with the disaster is disproportionately higher than the cost of mitigating it beforehand.
So the next time you hear “we’re not going to spend more on ICS cybersecurity because it’s never happened before,” rattle off these examples below to show how dramatically the world of cyber has changed in the past 12 months:
• Ukrainian power grid attacks. Before December 2014, no one had ever used a targeted cyber attack to turn off electric power in the middle of a cold winter. And it happened again in December 2016, according to Ukrenergo, the electric utility for the Ukrainian capital of Kiev.
• Attack on SWIFT global banking system. Clarke described how, in the run-up to the Iraq invasion, U.S. generals proposed hacking Saddam Hussein’s bank and stealing all his money. But President Bush was persuaded not to hack the bank because of the perceived damage it would bring to the world’s trust in our international banking system. And yet, in 2015 and 2016, the SWIFT banking system was hacked three times (by North Korea), making it the first known incident of a state actor using cyber attacks to steal funds.
• NSA’s top-secret cyber weapons posted on the internet. NSA Cyber Command is considered the best in the world. Yet in August 2016, the agency’s top cyber tools and techniques were posted on the internet, giving any script kiddie unfettered access to the world’s most sophisticated cyber weapons. Released by the Shadow Brokers was a huge cache of specialized malware, including dozens of backdoor programs and 10 zero-day exploits, two of them targeting vulnerabilities in widely used Cisco routers.
And on Jan. 16, 2017, the mysterious group released 61 malicious Windows executables, only one of which was previously known to anti-virus vendors.
• Data breach impacts a big merger. No one ever conducted cyber due-diligence in advance of major M&A transactions in the past. Nobody thought it was important. But the breach of more than a billion Yahoo accounts in 2013 has put Verizon’s $4.8 billion acquisition on hold—perhaps permanently.
• Zombie botnet army brings down the internet. On Oct. 21, 2016, America’s internet was brought down by 450,000 Internet of Things devices that had been assembled into a massive botnet army. The unprecedented DDoS attack prevented users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites. The attack targeted DYN’s managed DNS service, a major element of our critical infrastructure.
• No one would ever attack a hospital. Under the Geneva Conventions, hospitals are protected from attacks. Yet in 2016, ransomware stopped many hospitals from being able to care for their sick. That’s because modern hospitals simply can’t function without the computer systems needed for lab work, pharmaceutical orders, and even the emergency room.
• Cyber attacks interfere with U.S. presidential election. Whatever your views on who did it and why, the theft and leak of 19,000 embarrassing emails and sensitive election strategy documents from the Democratic National Committee was the first time a targeted cyber attack was used in an attempt to influence the outcome of a U.S. presidential election.
More stories related to infrastructure vulnerabilities:
Popular websites knocked down by IoT-enabled DDoS attack
Hospitals show little resistance to ransomware virus
Network outages point to critical technical vulnerabilities