The road towards effective security begins with a pretty logical question: what do we have that hackers are likely to try to steal, take over or manipulate? By understanding the primary motivation of your adversary, you are better prepared to defend against an attack.
When we look at cyber security in this country through the lens of this predictive analysis, the likely targets of a large-scale attack come into focus. While they may seem important to some of us, the focus of a nation-state attack is not likely to be our collective Facebook pages, Twitter handles or LinkedIn groups, but rather targets whose compromise can create widespread confusion and economic loss. In other words, it’s our critical infrastructure that is most at risk of a targeted attack from a sophisticated adversary.
When we refer to critical infrastructure, we mean targets such as power plants, water treatment facilities and transportation systems. These are considered high-value targets from both an economic and a military standpoint and, as such, are natural objectives for cyberattacks from nation-states and other well-funded and sophisticated terrorist groups.
The issues involved in securing infrastructure sites are plentiful and vary from location to location, but let’s focus on a few key areas that make these facilities vulnerable. First, they are under constant attack, continuously being probed for defensive weaknesses and access points. To complicate matters, the attacks are often so well disguised that some facilities don’t even recognize when they have been probed or if a weakness has been identified for future exploitation.
Secondly, the attacks targeted at critical infrastructure are not run-of-the-mill viruses or Trojans sent out across the Internet to blindly infect as many systems as possible. They are sophisticated attacks engineered for a single purpose by some of the brightest minds in information security. In many cases they are state-funded, and the teams who create them have a nearly endless supply of resources at their disposal. Many countries, China chief among them, have invested heavily in cyber weaponry in recent years, with information gathering and the ability to take down high-value targets at the top of their priority lists. The headlines about Stuxnet and Flame are just some of the more recent examples of the type of attacks nation-states can create.
Lastly, and perhaps most worrisome, is the inability of these facilities to identify not only where they are vulnerable to attack, but also where and how their networks are connected to the Internet. While this may seem almost inconceivable from the outside, you must remember that most of these facilities were built as insular operations, cut off from systems outside their physical site. What we, as the security industry, have pointed out over the past several years is that today’s modern control systems, designed to provide oversight and increased safety, actually operate via the Internet and open up connections that can be exploited by hackers.
So, how imminent is a major cyberattack on U.S. infrastructure? High-ranking government officials, including former Defense Secretary Leon Panetta, have estimated that we will see a significant attack within the next 12 to 18 months. Leaders at several law enforcement agencies within the government have openly discussed instances where online intruders have gained access to control systems for chemical, water and electrical plants, as well as to control software for public transportation systems.
While the idea that entire regions could be left without critical services such as water or power sounds like the script from a movie or the inspiration for a hit TV drama, it is not only possible, but likely if we don’t take the necessary steps to protect our critical infrastructure from outside attack.
To its credit, the government recognizes this as a serious threat and allocates not only the necessary budget but also the top cyber minds at its disposal to help address it. However, there is more that can and should be done to maximize our cyber defenses.
I suggest better coordination between the government and the private sector. While the government certainly has more resources at its disposal in terms of budget dollars and sophisticated technology, innovation is most often the purview of private industry. Together, the two can be powerful allies in thwarting attacks from nation-states bent on taking down critical facilities.
Another area of focus is better oversight and consolidation of authority when it comes to cyber security for critical infrastructure. Recently, the chairman of the United States Federal Energy Regulatory Commission (FERC), Jon Wellinghoff, opined that there is a lack of authority for an agency to act upon cyber threats. According to Wellinghoff, “nobody has adequate authority with respect to electric and the gas infrastructure in this country regarding known vulnerabilities. If I had a cyber-threat that was revealed to me tomorrow, there is little I could do the next day to ensure that the threat was mitigated effectively by the targeted site.”
This, to me, given what is at stake, is unacceptable. There needs to be a system in place for sharing threats and key indicators of attack across all facilities, and a mechanism for these sites to report back on how threats were identified and mitigated.
Critical infrastructure has become one of the most important arenas in the battle for cybersecurity, and it underscores perhaps the most important point of all: if you are connected to the Internet, you are vulnerable to a cyberattack.