Dire warnings don't yield better critical infrastructure security

The warnings of possible catastrophic cyberattacks on critical infrastructure in the U.S. have been issued for more than a decade. They were frequent and insistent in 2012, from high-ranking government officials and others.

Outgoing U.S. Secretary of Defense Leon Panetta warned in a speech in New York last October that cyberattacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid could amount to a "cyber Pearl Harbor." He also said the U.S. was at "a pre-9/11 moment."

It wasn't just patriotic American officials either. A video obtained by the FBI in 2011, purportedly from al Qaeda, exhorted al Qaeda followers, the "covert Mujahidin" who have the skill to commit "electronic jihad," to launch cyberattacks on U.S. and other Western targets.

But the Department of Homeland Security (DHS) says that despite those warnings, the peril remains: thousands of domestic industrial control systems (ICS) remain vulnerable.

Some security experts have said that Panetta and others are going overboard with comparisons to acts of war or terror that leave thousands dead. Bruce Schneier, an author and chief security technology officer at BT, has said more than once that, "throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."

[See also: Best defense against cyberattacks is good offense, says former DHS official]

However, Schneier and others agree that there are real risks. And the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates within DHS, said that ICS operators often don't even know whether their systems are infected, don't have effective security barriers in place and don't have backups for critical systems.

The agency's Monthly Monitor, covering October-December 2012, also reported that two researchers, "using only their wits, an extensive list of control systems related search terms, a paper clip, and the Internet-facing device search engine SHODAN," compiled a list of about 500,000 devices with predicted control systems impact.

Bob Radvanovsky and Jake Brodsky of InfraCritical began what they called Project SHINE (SHodan INtelligence Extraction) last April, and presented their findings in October at the ICS Cyber Security Conference in Norfolk, Virginia.

ICS-CERT said it was able to prune that list down to about 98,000 IP addresses in the U.S., and cut it further to about 7,200 across the nation that it said were directly connected to critical control devices.

But the significance of the project was clear: Using freely available tools, the researchers exposed a significant attack surface, an average of 144 entry points per state, reachable from the public Internet.

The report also profiled a couple of unnamed utility operators that were not following even the most basic security protocols. In one case, an employee at a power generation facility had infected several workstations, two of them critical to the operation, with malware from a USB drive.

"Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations," the report said. "The organization also ... had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact."

A USB drive was also the problem in the second case, involving a power company's turbine control system. "Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks," the report said.

Scott Greaux, vice president of product management and services at PhishMe, said those anecdotes are evidence that some operators continue to think they're not at risk, which makes them easier to compromise. "This mentality is creating even more vulnerability," he said. "Companies can't remain complacent about their controls or training."

ICS-CERT included a list of recommended best practices in its report that amount to what most security experts call "Security 101," designed to "maintain a minimal Internet-facing footprint."

They include: Don't let control system devices directly face the Internet; put firewalls in front of control system networks and devices, and isolate them from the business network; use Virtual Private Networks (VPNs) for remote access; remove, disable, or rename any default system accounts wherever possible; require strong passwords; monitor the creation of administrator-level accounts by third-party vendors; and make sure the most recent security updates are installed.
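One way to act on the recommendation to monitor administrator-level account creation by third-party vendors, as an added example that is not from the ICS-CERT report or this article: a small Python checker that reads constructed auth.log sudo records, flags new accounts and admin-group grants, and marks the ones performed by vendor logins. The `vendor-` login prefix and the admin group names are assumptions; adjust them to the site's own conventions.

```python
import re

ADMIN_GROUPS = {"sudo", "wheel"}  # groups that confer administrator-level access (assumed)
VENDOR_PREFIX = "vendor-"         # assumed naming convention for third-party vendor logins
# One sudo record from auth.log: timestamp, host, who ran it, and the command it ran.
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<actor>\S+) :.*?COMMAND=(?P<cmd>.+)$")
# Group grants: "usermod -aG sudo bob", "useradd -m -G sudo bob", "gpasswd -a bob sudo".
GRANT_RES = [
    re.compile(r"\b(?:usermod|useradd)\b.*\s-a?G\s+(?P<groups>[\w,-]+)\s+(?P<target>\S+)$"),
    re.compile(r"\bgpasswd\b.*\s-a\s+(?P<target>\S+)\s+(?P<groups>\S+)$"),
]
# Plain account creation: the last argument of useradd is the new login name.
CREATE_RE = re.compile(r"\buseradd\b.*\s(?P<target>[\w.-]+)$")
# Constructed sample auth.log excerpt (not taken from the ICS-CERT report).
SAMPLE_LOG = """\
Jan 14 09:02:12 hmi01 sudo:  vendor-acme : TTY=pts/1 ; PWD=/home/vendor-acme ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-acme2
Jan 14 09:02:13 hmi01 useradd[2230]: new user: name=svc-acme2, UID=1006, GID=1006, home=/home/svc-acme2, shell=/bin/bash
Jan 14 09:02:14 hmi01 sudo:  vendor-acme : TTY=pts/1 ; PWD=/home/vendor-acme ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc-acme2
Jan 14 10:15:00 hmi01 sudo:  ops-jsmith : TTY=pts/2 ; PWD=/home/ops-jsmith ; USER=root ; COMMAND=/bin/systemctl restart modbus-gateway
Jan 14 10:15:30 hmi01 sudo:  ops-jsmith : TTY=pts/2 ; PWD=/home/ops-jsmith ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo ops-jsmith
Jan 14 11:40:05 hmi01 sudo:  vendor-acme : TTY=pts/1 ; PWD=/home/vendor-acme ; USER=root ; COMMAND=/usr/bin/gpasswd -a svc-acme2 wheel
"""

def classify(cmd):
    """Map one sudo COMMAND string to (event, target, admin_groups) or None."""
    for rx in GRANT_RES:
        g = rx.search(cmd)
        if g:
            granted = sorted(set(g["groups"].split(",")) & ADMIN_GROUPS)
            if granted:
                return ("admin-grant", g["target"], granted)
    c = CREATE_RE.search(cmd)
    return ("account-created", c["target"], []) if c else None

def account_changes(log_text):
    """Return one finding per account creation or admin-group grant performed via sudo."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo record (e.g. shadow-utils' own "new user" line)
        hit = classify(m["cmd"])
        if hit:
            event, target, groups = hit
            findings.append({"time": m["ts"], "host": m["host"], "actor": m["actor"],
                             "third_party": m["actor"].startswith(VENDOR_PREFIX),
                             "event": event, "target": target, "groups": groups})
    return findings
```

Run against the sample, the checker reports four changes, three of them by the vendor login; a self-grant of sudo by an operator account is also reported, since the point is to review every administrator-level change, not only vendor ones.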

Greaux said that if devices do need to face the Internet, additional controls on the network to identify suspicious behavior are key. "Tracking is also key... lots of organizations don't track and revalue," he said. "There also needs to be periodic revaluation."

"Criminals are constantly updating their attack methods, so companies and government agencies must do the same," he said.
