Through the first half of this year, the number of U.S. data breaches reached a record 791, which is 29 percent higher than a year ago. And a survey of leading security experts at the Black Hat conference in Las Vegas, Nevada, last month found that 60 percent believed there will be a successful attack on the nation’s critical infrastructure within two years. Meanwhile, in meeting rooms throughout the week during the conference, attendees saw hypothetical hacking demonstrations of cars, banks, Internet of Things devices, air traffic control systems, power grids and industrial control networks.

While it’s tempting to focus on recent headline-grabbing ransomware attacks, such as WannaCry and Petya, top security executives are becoming more concerned than ever about the vulnerability of the world’s critical infrastructure, which has been classified by the U.S. government as 16 specific areas, from dams, energy and emergency services to healthcare and water. Still some experts believe that this vulnerability is not getting the attention it deserves, even among C-suite executives in the boardrooms of major companies.

“What I’ve found is that they [executives] recognize indeed that they are in the midst of another computing revolution. What they don’t quite recognize, though, is that we’re in the midst of a security revolution as well,” said Phil Quade (pictured), chief information security officer at Fortinet Inc.

Quade, who was hired earlier this year as Fortinet’s first CISO following an extensive career with the National Security Agency, spoke with Peter Burris (@plburris), host of theCUBE, SiliconANGLE Media’s mobile live streaming studio, at SiliconANGLE’s Palo Alto, California, studio. (*Disclosure below.)

They discussed the strategic nature of attacks against critical infrastructure, the danger of missing the subtle progress that hackers are making and the actions necessary to bring focus on finding effective protection solutions.

Warnings for nuclear plant operators

Attacks on critical infrastructure are increasing, as hackers become bolder and more advanced in methods to penetrate security defenses. Early in July, the FBI and the Department of Homeland Security issued new warnings to companies that operate nuclear plants in the U.S., which indicated that attacks have escalated since May. The government agencies said that Russian hackers may be behind the most recent attempts.

Critical infrastructure attacks are not limited solely to the United States. Government sources in Europe have acknowledged that Russian hackers have been attempting to penetrate companies that managed nuclear facilities in the United Kingdom as well.

These kinds of attacks are more worrisome, according to Quade, who is concerned about the strategic nature of attempts to hack critical infrastructure.

“I’m really worried about the threats that come at us from a strategic perspective,” he stated. “There are some countries that hope to hold our strategic assets at risk, and they would like to be able to impose their national will on the U.S. or other democracies.”

Sophisticated power grid attacks

There is another dimension to infrastructure attacks, what Quade refers to as a more “low-and-slow” approach, a gradual degradation of key resource protection for areas such as water or electricity. Hints at where this could lead can be seen in two documented attacks on the Ukraine power grid in 2015 and 2016. After a manual attack on Ukraine’s power grid 19 months ago briefly cut power for nearly a quarter-million of the country’s citizens in winter, another attack approximately one year later targeted transmission stations and circuit breakers using a fully automated model. In less than a year’s time, the hackers had developed a more sophisticated approach.

The malware used in the 2016 Ukraine attack (called CrashOverride and believed to have been launched through a phishing scam), was analyzed by security researchers for the Slovakian anti-virus firm ESET spol. s r.o. and Dragos Inc., which created an Industrial Cybersecurity Ecosystem. Their findings were presented at the Black Hat conference last month and attracted notice because of the malware’s ability to communicate directly with grid equipment and control functions. This loss of control gives hackers a newfound ability to create more damage over a longer period of time.

The evolution of threat vectors, where hackers essentially test malware, learn from their mistakes, and improve future versions is raising alarm bells for Quade and his colleagues. He said that the ability to see patterns in threat development will be a key part of protecting critical infrastructures.

“It’s the subtle ones that worry you,” Quade said. “You not only need to be prepared for the loud and stealthy ones, but also the low and slow ones.”

His point was further reinforced in a recent post by Derek Manky, Fortinet’s global security strategist, who highlighted an urgent need to deal with the growth of “Cybercrime as a Service,” automated attacks that get smarter and more pervasive as time goes on.

Quade told theCUBE that he believes one answer will be automation, the development of equally sophisticated tools to discern loss of control that human operators cannot see. “Human cognition is such that they’re not going to be capable of tracking these very low and subtle and slow attacks,” he said. “So you’ll have to use always-on analytics to find these kinds of things.”

Investment predicted to grow

Investment in new technologies to protect critical infrastructure is on the rise. The critical infrastructure protection market is predicted to increase from $110 billion to $153 billion by 2020, according to a new report released this month by Research and Markets. The security technologies sector (video surveillance, identity management) is expected to command the largest market share.

Whether this level of investment will be enough to avoid catastrophe is an ongoing question for top executives in the security industry. Quade said that addressing the protection problem in any meaningful way requires a long-term approach that is coordinated by the various security communities.

“The problem is so big and so important that we’re often paralyzed into inaction,” Quade explained. “I do know what those first five, 10, 15, 25 things are, as do other folks in the community, so why don’t we start acting on them now?”

One of the problems is that critical infrastructure is not owned, operated or protected by any one entity, including the U.S. government. “The government doesn’t have the authority nor resources or expertise to do such a thing,” Quade said.

Instead, the development of “muscle memory” through public/private partnerships will be a key factor in meeting infrastructure threats, he added. One example of this can be found in the Department of Homeland Security which has a Cyber Information Sharing and Collaboration Program between the public and private sectors.

There are similar activities outside of the United States as well. Kaspersky Lab held its first-ever cybersecurity summit in the Philippines this month. The focus of the conference was to promote the public/private sector sharing of intelligence and technology solutions.

The focus now should be on getting like-minded thought leaders together and agreeing on a plan of action, Quade stated. “This is a 10-year problem, not a one-year problem. We need to come together in new and innovative ways to get the security of the critical infrastructure to a much better place,” he concluded.

Watch the complete video interview below. (* Disclosure: Fortinet Inc. sponsored this segment on SiliconANGLE Media’s theCUBE. Neither Fortinet nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE