
Cyber Threats vs. Infrastructure: What's the Score?


Attacks Against Critical Infrastructure Are Rising - Can Our Defense Respond to the Challenge?

Over the past several years there has been increasing coverage of the danger that cyber threats and attacks pose to our infrastructure and, ultimately, to national security. The prevailing view within the security community has been that it was never a matter of "if" but of "when" the United States or one of its allies would suffer a significant attack. The news out of Israel that a major commuter artery had been attacked makes this an appropriate time to revisit where we stand in the ongoing effort to protect critical infrastructure.

In the Israeli incident, hackers shut down a highway tunnel system and caused major traffic jams. According to the AP, the attack against the Carmel Tunnels on September 8th came in two waves. The attackers first targeted the tunnels' camera system; the roadway went into an immediate lockdown and stayed closed for twenty minutes. The next day they broke in again, this time during the heavy morning rush hour, and shut the entire system down for eight hours.

According to reports, investigators believe the attack was the work of unknown but capable hackers, similar to the Anonymous hacking group that led attacks on Israeli websites in April, and that it was not sophisticated enough to be the work of an enemy government such as Iran. In my opinion, one of the scarier aspects of this story is that it was the work of an independent group rather than a nation state. While there has been a feeling of inevitability for years that attacks on infrastructure would become a reality, prevailing wisdom always pointed toward attacks emanating from governments with sophisticated, well-financed operations. The idea that independent hackers, perhaps motivated simply by the challenge of it, could find their way into a complex transportation system run by one of the more technologically versed countries in the world is a scary proposition.

While we haven't yet suffered what could be considered a major infrastructure attack, the number of attacks is on the rise. The number of incidents reported to the U.S. Department of Homeland Security's cybersecurity response team grew by 52 percent in 2012, according to a report issued early this year. There were 198 attacks brought to the agency's attention last year, several of which resulted in successful break-ins.

An earlier DHS report provided additional details on some of those successes. An unidentified group of hackers targeting natural gas pipeline companies gained access to the corporate systems of several of their targets and "exfiltrated" -- that's security-speak for "stole" -- data on how their control systems work. The information obtained "could facilitate remote unauthorized operations," according to DHS. However, the agency added that there is no evidence the hackers actually broke into the control systems themselves. The distinction matters: access to enterprise systems yields documentation and credentials, while access to the control network is what would let an attacker alter the physical process.

The energy sector was the most-targeted field, with 82 attacks, and the water industry reported 29 attacks last year. Chemical plants faced seven cyber-attacks, and nuclear companies reported six. Hackers hit the bull's-eye on "several" of their nuclear targets: "These organizations reported that their enterprise networks were compromised and in some cases, exfiltration of data occurred," the DHS team wrote. It said it is not aware of any successful breaches of nuclear control networks.

So have attacks not yet advanced to the point of penetrating the defenses of our country's most critical systems? Were our defenses able to repel them? Or has it simply been blind luck that we haven't experienced a major attack to date? Probably a bit of all three, but we can't count on that holding true forever. Protecting infrastructure from cyber threats has become one of our country's biggest priorities, and while we are making strides, we still have a long way to travel.

In researching this piece I came across an absolute must-read for anyone interested in security as it relates to infrastructure. It was authored by Josephine Wolff, a PhD candidate in the Engineering Systems Division at the Massachusetts Institute of Technology studying cybersecurity and Internet policy. The article, which originally ran in Scientific American, outlines some of the critical training and exercises taking place in the battle to secure this segment. The author explains how projects such as Cobalt, the student cyber-attack challenge held last June at American University in Washington, are preparing both security experts and the government to deal with these threats. In the exercise scenario, a fictional piece of malware named Cobalt took 13 U.S. oil refineries offline.

While the entire article is captivating, this paragraph should serve notice to anyone who thinks the threat to infrastructure is being overhyped:

The Cobalt malware—an invention of the Atlantic Council, which hosted the event—was fake, but its target was a real-life vulnerability: the U.S. energy infrastructure, specifically the oil refineries and pipelines that produce and transport gasoline and other refined fuel products all across the country. Almost any discussion or description of a doomsday cyber scenario involves an attack on U.S. critical infrastructure. You can see this play out in the Cyber Storm exercises hosted every few years by the Department of Homeland Security for government and industry organizations to practice cyber threat responses. In three simulations that took place in 2006, 2008 and 2010, catastrophic cyber-attacks caused clear and serious physical damage. A computer virus that turns off the lights, shuts down the telephone system and halts military operations could cost lives.

So back to my original premise: in the battle of Cyber vs. Infrastructure, who's winning? Right now I'd call it a tie, but the opposition has the ball and is driving. The question now becomes: can our defense respond to the challenge?

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.