The compromise of computers at two U.S. airports by an unknown group of hackers is a wake-up call that America's best IT talent needs to focus less on money and more on national security, an expert says.
The Center of Internet Security (CIS), a government-endorsed nonprofit that helps states with cybersecurity, said in its recently released report that it was notified in the summer of 2013 of advanced persistent threat (APT) attacks against four U.S. airports.
The CIS later learned that the same attackers were targeting eight other airports.
Because there's no financial gain from going after airports, "the logical point of these attacks is to be able to support taking down or controlling critical systems in time of war or conflict," Murray Jennex, a San Diego State University professor and former systems engineer at the San Onofre nuclear power plant in California, said.
Hackers can break into systems in critical infrastructure like airports because of the use of Internet technology in critical systems, a trend that has been continuing for more than 15 years.
Connecting Internet-enabled business computers to control systems has made management of the latter easier and less expensive. At the same time, it has introduced the threat of a cyberattack, which didn't exist when critical equipment was kept in a silo.
"Our best minds have focused on how to use the Internet to make things cheaper, to use data better, to make more money," Murray said. "We need to catch up with the security of these blended systems and require simpler security design approaches."
The CIS found that a total of 75 U.S. airports "were impacted" in some way by the APT attack. The group did not release details.
"Two airports had systems that were compromised," the report said. "CIS provided assistance and all compromised systems were remediated."
The compromise started with a phishing attack in which email containing a malicious link was sent to people working in the aviation industry. The CIS said the attackers used a "public document" in selecting their victims, but did not identify the document.
The fact that the attackers were able to trick people into downloading malware that led to the compromise is "surprising, but not unexpected," Murray said. "Simple attacks work."
To help defend against such attacks, people need to be educated on the signs that an email may be malicious, he said. People too often are lulled into thinking that technology can provide all the needed security.
"I worry that it will take a very major and severe security event for everyone to get the message that technology will not protect them," Murray said.
The CIS notified the U.S. Department of Homeland Security and the Federal Aviation Administration.