Companies, government unprepared for new wave of cybersabotage

A new wave of cyberattacks reportedly aimed at industrial control systems comes at a time when private companies and government are still struggling to protect the nation's critical infrastructure, experts say.

The New York Times reported on Sunday that the attacks were aimed mostly at U.S. energy companies. Rather than looking for intellectual property or sensitive information, the hackers were using probes to look for ways to seize control of processing plants.

While government officials did not know if the attacks were state-sponsored, the origin appeared to be somewhere in the Middle East.

The fact that senior government officials who spoke to The Times were unable to pinpoint the source of the attacks indicates a lapse in the work of the intelligence community, said Stewart Baker, a partner at the law firm Steptoe & Johnson and a former assistant secretary for policy at the Department of Homeland Security (DHS).

"The most disappointing aspect of the story so far is the inability of the intelligence community to attribute the probes," Baker said. "That's embarrassing."

"The intelligence community has faced cyber intrusions for 20 years, yet it has been unable or unwilling to provide much useful attribution information," he said.

The intelligence community is not the only part of government that has struggled to help the nation defend against cyberattacks. Congress remains at odds over the privacy implications of legislation that would require companies to share data with government agencies.

President Barack Obama issued an executive order this year requiring government agencies to share cyberattack information, but requiring companies to share such information with the government will take action by Congress.

Government regulation by itself is not a panacea. Joe Weiss, an industrial security consultant and managing partner of Applied Control Solutions, said electric utilities often refuse to be a test bed for cybersecurity technologies because of the "onerous audit requirements." The mandates are contained within the Critical Infrastructure Protection (CIP) rules established by the North American Electric Reliability Corp. (NERC).

Weiss has been able to find only one electric utility willing to be a test bed. That company is too small to fall under NERC CIP. "I shouldn't be in a position to say 'only,'" Weiss said. "There should be a few or one of (many), but not only."


Attackers bent on sabotage are not new. Many experts believe the pace of cyber sabotage efforts increased after the U.S. and Israel damaged Iranian nuclear facilities several years ago with the Stuxnet worm.

Iran is believed to have retaliated last year with the attack on Aramco, Saudi Arabia's national oil company and one of the world's largest producers. The intruders wiped data from office computers, but failed to reach production systems, which were the main target.

Private companies running much of the nation's critical infrastructure, from oil production and the electric grid to manufacturing facilities and water treatment plants, know of the potential damage from cyberattacks. However, warnings keep coming from government officials because not enough is being done in the way of defense.

"There's nothing necessarily new," Weiss said. "The issue more than anything is people still aren't doing an adequate job of protecting themselves."

The Aramco attack failed to reach production because the company had one network for its administrative offices and a separate one for its production facilities. While this segmentation is considered a best practice, the deployment and maintenance costs are much too high for most companies. For them, the alternative is tight access controls.

"Not just firewalls, but controlling the systems that can make these changes and doing that from one point," said Ron Gula, chief executive of Tenable Network Security, who formerly worked for the National Security Agency (NSA).

For some companies, a cultural change may be necessary to shore up defenses. Rather than have facility workers and security professionals working separately, the two should collaborate on locking down industrial systems.

"These are cultural challenges where IT and engineering have historically always been separated," said Rick Holland, an analyst with Forrester Research. "This must change, and although many organizations are aware of this, the pace of change is glacial."
