“Lazy” humans playing into critical-infrastructure hackers’ hands: POTUS security advisor

Howard Schmidt at Evolve 2013.

Critical infrastructure operators remain vulnerable to attack from hackers whose motivations have matured from the “pretty juvenile” wanton vandalism of the 1990s to the aggressive, targeted and financially-motivated cyber war being waged online today, a one-time senior security advisor to the US president has warned.

Noting the popularity of early website defacement and DDoS attacks by hackers, Howard Schmidt – a cyber security coordinator who previously served as special assistant to the president – said what was a “tremendous annoyance” a decade ago had become a significant threat both as hackers grew more sophisticated, and as society’s dependence on critical infrastructure increased.

Protection of that infrastructure, however, had not kept up with technological advancements – leaving a significant security gap that persists despite growing awareness of state-sponsored attacks and threats from ever more-motivated attackers.

“SCADA and industrial control systems were never fashioned to operate in a secure environment,” Schmidt said via videoconference to the Evolve 2013 security conference in Melbourne today.

“There was no need for authentication or encryption because they didn’t have that connective tissue [the Internet] we see today. But now we have a tremendous dependency on this technology – and we’re seeing those shortcomings not only being researched, but almost being commercialised. To this day, there is still a lack of understanding of how the entire system works as one.”

Trend Micro chief technology officer Raimund Genes relayed the experience of a team of researchers who had decided to test just how appealing an Internet-connected industrial system was.

The researchers built a dummy water pressure control station that included realistic industrial controllers, then “accidentally” left it connected to the Internet, as happens in many real-world industrial installations.

“You’d be surprised how many of these systems are connected to the Internet by accident,” Genes said. “Otherwise you have two management consoles, with an operator getting instructions from a console and retyping the command into the operational system. But people are lazy.”

Within 36 hours, the dummy installation was being pounded by hackers launching “aggressive attacks” from around the world.

Interestingly, Genes said, different countries showed different attack patterns: while the Chinese mainly poked and prodded the systems, American hackers ramped up the spinning frequency of the water pumps – and Laotian hackers “wanted to kill the system”.

“Australia was not in the picture,” German-born Genes laughed. “You might be the nicest guys in the world, or the most clever ones.”

Therein lies the rub, Schmidt said: with so many different hackers and motivations in the world, there is no single attack profile to defend against – and no way to predict what might come next. “How much of your security investment do you have in dealing with criminals and nation states, as opposed to repelling clever hobbyists?” he asked. “The people exploiting these things are dedicated people whose sole motivation in many cases is financial gain.”

“Their motivation is selling their services to the highest bidder – and it doesn’t make any difference whether it’s an oppressive regime or a democratic country where they think they can make some money off the defence and intelligence infrastructure.”

Such risks formed the substance of many discussions during Schmidt’s tenure as presidential security advisor, where low-level security issues came head to head with the broader implications of a society that was becoming increasingly dependent on ever more-automated and IP-connected cars, traffic grids, airplanes, pacemakers and more.

“There can be tremendous benefits and uses to all of us as citizens, but without proper engineering, design and implementation they become a vulnerability that will affect all of us,” he said, noting that today’s hackers “are relentless and persistent, and they’re not going away.”

“As we’ve seen every step along the way, when we do a better job securing systems, the hackers will move it to the next level. The persistent threats that are out there are not going to just stop, and the hackers say ‘OK, the security professionals have won and we give up’. They’re going to continue to look to exploit systems, and continue to hit whatever we do.”
