UPDATED 22:09 EDT / MARCH 07 2019

SECURITY

In harm’s way: Attacks on critical systems alarm the security world

One by one, power to homes, businesses, hospitals and transportation systems was shut down. It was Dec. 23, 2015, in Ukraine, and the nation’s electrical grid had been hacked. In the dead of winter.

What the events in Ukraine revealed was that the world’s critical infrastructure was highly vulnerable to attack, both from outside by malicious actors and from inside through corruption of the supply chain. It’s perhaps the most serious threat confronting the cybersecurity community today.

Yet though there’s mounting evidence that airports, hospitals and energy plants are at serious risk, a lack of public and private coordination to protect them is glaring.

As Sandra Joyce, senior vice president of global intelligence at FireEye Inc., noted following a discussion of future vulnerabilities during a presentation at the RSA Conference in San Francisco on Wednesday, “I think people are going to get hurt.”

That sobering assessment neatly summed up growing concern among cybersecurity researchers that the threat to critical infrastructure is real and the attacks so far have been highly organized, well-financed and effective.

“We’re not paying nearly as much attention to it as we should,” Howard Marshall, director of intelligence operations for iDefense/Accenture Security and former deputy assistant director in the FBI’s Cyber Division, said during an exclusive interview with SiliconANGLE. “Could someone open a hydroelectric dam? Could they get into a nuclear facility and just wait? That’s our biggest fear.”

Airport access for sale

The Accenture executive’s fears are well-founded. Last year, researchers at McAfee LLC came across access credentials for systems at a major international airport on the dark web, the shady part of the internet where porn, data and other illicit products get bought and sold. The cost of the credentials: only 10 bucks.

FireEye’s Sandra Joyce (Photo: RSA Conference/livestream)

Malware experts from the cybersecurity firm ESET have discovered evidence linking the perpetrators of the Ukraine power grid hack to a group that went on to unleash the devastating NotPetya virus on the world in 2017.

And a gathering security storm being closely monitored involves Triton, recently billed by MIT researchers as the world’s “most murderous malware.” The malicious code disables safety systems dedicated to preventing industrial accidents. Triton was successfully deployed at a petrochemical plant in Saudi Arabia two years ago, and in October FireEye published research showing that a Russian government-backed institute was involved in the attack.

“When an attack happens, you don’t get to push the red button,” Liz Centoni, senior vice president and general manager of IoT at Cisco Systems Inc., said during her keynote address at RSA on Tuesday concerning industrial security. “You don’t get to stop the line.”

Supply chain threats

While attacks from the outside on critical infrastructure are serious enough, they pale in comparison with potential vulnerability within the supply chain. Airports, hospitals and power plants depend heavily on a network of suppliers and third-party contractors every day and the threat from inside the gates can often be more dangerous.

Officials in the U.S. electric sector are taking some steps to address the issue of supply chain risk management. The North American Electric Reliability Corporation, known as NERC, issued a mandate in 2018 requiring the nation’s utilities to take several key protective steps. It is slated to take effect later this year.

The mandate includes assessment of vendor products and services and the development of a security risk management plan. However, the NERC directive still has gaps where basic security practices are concerned. During an RSA Conference panel discussion on Wednesday, one electric utility expert pointed out that there is still no requirement that utility equipment suppliers ship products with random passwords instead of “admin” or the manufacturer’s name, a practice the panelists said remains common today.
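As an added illustration (not from the article or the panel), this is how a utility could check its own device inventory for the factory-default credentials the panelists described before equipment is commissioned; the device list, vendor names and passwords are constructed sample data.

```python
"""Flag utility devices still using factory-default credentials.

Added example, not from the article: it turns the gap the RSA panel
described (equipment shipped with "admin" or the manufacturer's name as
the password) into an inventory check. All data below is constructed.
"""
import secrets
import string

# Constructed sample inventory: (device id, manufacturer, username, password).
INVENTORY = [
    ("rtu-01", "Acme Controls", "admin", "admin"),
    ("rtu-02", "Acme Controls", "admin", "acmecontrols"),
    ("plc-07", "Volt Systems", "operator", "x7#Pq9!mL2vR"),
    ("hmi-03", "Volt Systems", "admin", "VOLT SYSTEMS"),
]

# Generic defaults commonly shipped on equipment (illustrative set).
GENERIC_DEFAULTS = {"admin", "password", "1234", "default", ""}


def _normalize(s):
    """Lower-case and drop spaces/hyphens so 'Acme Controls' matches 'acmecontrols'."""
    return "".join(ch for ch in s.lower() if ch not in " -_")


def is_factory_default(manufacturer, password):
    """True if the password is a generic default or the manufacturer's own name."""
    p = _normalize(password)
    return p in GENERIC_DEFAULTS or p == _normalize(manufacturer)


def audit(inventory):
    """Return the ids of devices whose credentials look factory-default."""
    return [dev for dev, vendor, _user, pw in inventory if is_factory_default(vendor, pw)]


def random_password(length=16):
    """Per-device random password from a CSPRNG, the practice the panel asked for."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for dev in audit(INVENTORY):
        print(f"{dev}: factory-default credential, rotate to e.g. {random_password()}")
```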

“There is a massive gap in terms of who should have some sort of authority in the device manufacturing process as it relates to critical infrastructure,” said Marcus Sachs, chief security officer at Pattern Computer.

Government steps in

There’s a newly elevated agency within the U.S. Department of Homeland Security chartered to protect the nation’s critical infrastructure. It’s called the Cybersecurity and Infrastructure Security Agency or CISA, and it’s led by Christopher Krebs, who previously worked on the government affairs team for Microsoft Corp.

Security expert Bruce Schneier (Photo: RSA Conference/livestream)

CISA caught the security community’s attention when it issued an emergency directive during the government shutdown in January which required agencies to take immediate steps to protect systems against a wave of attacks against the domain name infrastructure. Identified as DNSpionage by Cisco Talos, the attacks compromised domains in more than 50 Middle Eastern companies and government agencies and also targeted private sector utilities.

In a briefing at RSA Tuesday, Krebs indicated that the U.S. government was prepared to take a tougher approach toward countries such as China whenever there’s evidence of tampering with the industrial supply chain.

“If I don’t trust it, I’m not going to use it,” Krebs said. “We are trying to create a framework for procurement.”

Security experts gathered in San Francisco this week had to be encouraged by the presence of a number of high-ranking government officials during the RSA Conference. In addition to Krebs, speakers included Christopher Wray, director of the FBI, and General Paul Nakasone, director of the National Security Agency. Yet there was also an undercurrent of unease that government and the tech industry may be simply talking past each other.

In his keynote address on Wednesday, Bruce Schneier, noted security researcher and a lecturer at the Harvard Kennedy School, devoted his entire talk to the need for policy makers and technologists to find a way to work together.

“Our work is deeply embedded in policy,” Schneier said. “Policy makers need to understand technology. Technologists need to understand the policy impact of their work.”

Schneier’s call for government and the technology community to grow closer comes at a time when the global critical infrastructure is under serious attack. Can the two sides work together before it’s too late?

In 1792, Thomas Jefferson and George Washington jointly designed the country’s first penny. The motto printed on the front read “Liberty-Parent of Science & Industry.” At the moment, liberty’s children appear to need more protection than they’re getting.

Photo: Richard Weil/Flickr
