This page contains a Flash digital edition of a book.
@InfosecurityMag


SPOTLIGHT: COVER FEATURE R


eports surfaced last year of hackers who had shut down a US water supply system in what appeared to


be the fi rst successful cyberattack against US critical infrastructure (CI). The target was a water supply control system in Springfi eld, Ill., the hometown of Abraham Lincoln, no less, and the alleged culprits were Russian agents who had successfully gained access to the facility’s industrial control system and destroyed a key water pump. This appeared to be a test run for a broader attack against the US water supply system, which provides clean drinking water essential to the lives of all Americans. Media outlets had uncovered the story buried in a government document examining the reasons behind the failure of the water pump. Cybersecurity experts fell over themselves to be the fi rst to predict the coming war against US critical infrastructure.


But it was all a big mistake. It turned out the water pump had just worn out from old age. Evidence of a Russian-based cyberattack turned out to be a US contractor vacationing in Russia who used his cellphone to do some remote troubleshooting on the Springfi eld-based water system. So are the risks to critical infrastructure from hackers, terrorists, and state actors overblown, fueled by a media frenzy? Not according to a number of experts consulted by Infosecurity.


Fixing a Hole


The US government is “borderline failing” in its efforts to protect crucial infrastructure, such as the water supply system, power grid, oil and gas pipelines, and communication systems, opines Harry Sverdlove, chief technology offi cer at Bit9, a Massachusetts- based endpoint security provider. Since January 2011, there have been over 50 attempted or successful intrusions against US critical infrastructure, Sverdlove notes. “There is no agreement [in the US government] as to who should be overseeing critical infrastructure protection and who should be enforcing standards against that”, he laments.


Sverdlove says there is a danger that terrorist groups or state-sponsored actors could use the code from Stuxnet – which disrupted industrial control systems running Iranian nuclear processing facilities in 2010 – to attack Western targets.


“There are now at least four variants [of Stuxnet] that have been reported in the wild,


When I look at the issue of mass disruption that could lead to loss of life, clearly at the top of that target list is the power grid


Stephen Flynn Research Institute for Homeland Security


Duqu being one of them….So it is possible that a terrorist organization or rogue state could get hold of a variant and launch an offensive” against critical infrastructure in the US or Europe, he cautions. Robin Wood, a senior security engineer with England-based vulnerability management fi rm RandomStorm, is also concerned about the risk posed by terrorists and state-sponsored groups to critical infrastructure. “Cyber terrorists will be constantly scanning CI to fi nd vulnerabilities that they can exploit. Some will be going after specifi c targets while some will just be looking for low-hanging fruit offering soft targets that can be used for quick wins”, Wood says.


“I believe that if state-sponsored groups are not probing CI from both friendly and unfriendly nations, then they are not doing due diligence, as other countries are bound to be scanning them”, he adds.


One of the targets for terrorists and state- sponsored actors is likely to be the power


grid, judges Stephen Flynn, co-director of the George J. Kostas Research Institute for Homeland Security at Boston-based Northeastern University.


“When I look at the issue of mass disruption that could lead to loss of life, clearly at the top of that target list is the power grid...Not only do you take out the power, but you get all of the cascading consequences – particularly if the grid is substantially damaged – on all the other sectors that rely on power”, Flynn observes.


Donald “Andy” Purdy, chief cyber strategist at Virginia-based technology fi rm CSC, agrees that the power grid is a tempting target for terrorists. A cyberattack on an electricity facility, particularly a “blended attack” that involved both a cyber and physical component, could cause cascading effects throughout the power grid, similar to the effects of the August 2003 blackout of the Northeastern US and parts of Canada, Purdy notes. That blackout, the largest in US history, resulted in the loss of power to around 55 million people in the Northeastern US and Canada, for up to 16 hours. It was caused not by a terrorist attack, but by a power surge that sparked cascading outages in eight US states and a Canadian province. It led to the shutdown of major cities – including New York, Toronto, Baltimore, and Detroit – the disruption of communication, transportation, and water supply systems, and cost the US and Canadian economies up to $8bn. Yet, despite the blackout and considerable soul-searching by the electricity industry afterward, the power grid continues to suffer from aging equipment and poor security. “There are a lot of legacy systems in the power grid and low margins, hence there is resistance on the part of utilities to spend money to increase cyber defenses. At the same time, there is a desire to save money and increase convenience by increasing the connectivity of the systems. So it is an obvious area where there are vulnerabilities”, Purdy observes.


www.infosecurity-magazine.com /// 15


?


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52