The likelihood that critical infrastructures are woefully vulnerable has been predicted for many years by a few in security circles. Sadly, the reality hit home again last week with the disclosure of ongoing hacks on utilities at national and international levels.
The discovery of the Stuxnet worm last year, and more recently of Duqu (widely described as the son of Stuxnet), marked a turning point: we have moved into an era in which the prize for industrial sabotage and industrial espionage has never been easier to attain.
Saying “told you so” may provide a warm glow for a few, but it brings no solutions. Norway offered the latest reminder, with the news that hackers have been targeting companies at the heart of the country’s critical infrastructure, and that at least 10 firms have lost industrial secrets and information in a series of ongoing attacks.
Cleverly targeted phishing emails sent to specifically named personnel are a favored method of the modern industrial spy and an everyday occurrence that most companies have to deal with. In this case, employees of organizations in the oil, gas, energy, and defense industries, some of whom were in the middle of major contract negotiations, received emails that, on the face of it, appeared legitimate, even containing references to current consultations. When the attachment was opened, it installed malware that quietly searched the victim's systems for anything of interest and exfiltrated what it found.
Many companies were not even aware that they had been attacked, and here we come to the uncomfortable reality: the hackers are not inside for an hour or so. In many cases they remain in the network, quietly exfiltrating data, for months.
The Norwegian National Security Authority (NSM) said that it was releasing this information, the first time it has revealed comprehensive details of espionage attacks, in the wider interest of public safety; and Norway is by no means alone. Several countries have reported attempts to steal or gain access to information on critical infrastructure.
In Japan, for example, it is fairly certain that Mitsubishi Heavy Industries Ltd. has lost sensitive information, including nuclear power plant designs and defense equipment data. And remember the attack on Lockheed Martin.
The Norwegian authority also cites repeated reports of attacks on US defense companies and their suppliers, including the RSA and Booz Allen Hamilton breaches, among others.
After numerous disclosures of document pilfering, the stakes were raised again by reports of intrusions into public water SCADA (supervisory control and data acquisition) systems: an Illinois report that attackers had caused a water pump to burn out, and a separate intrusion into the control system of a water plant in South Houston, Texas.
Control systems cyber security expert Joseph M. Weiss caught press attention by highlighting the seriousness of the Illinois incident after the official report, "Public Water District Cyber Intrusion," issued by the Illinois Statewide Terrorism and Intelligence Center, failed to join up the many loose ends.
For example, Weiss pointed out that other water utilities remained in the dark about the incident; a SCADA software vendor may have been hacked, with customer usernames and passwords stolen; and better coordination and disclosure were required of the government.
Further, a message purportedly from the hacker pr0f_srs, accompanied by screenshots of the South Houston plant's control interface as proof of access, claims that the Department of Homeland Security is stupidly downplaying the vulnerability of the national infrastructure.
(Note: Weiss removed his account of the Illinois attack when it became clear that the information released at the time was "misleading." He now highlights instead several lessons learned from the event.)
So, is it time for a rethink?
Why are more and more core industrial control systems for critical infrastructure connected to the Internet at all? Let us accept the reality that anything reachable from the Internet can and will be attacked, and that a control system reachable from the Internet is very likely open to sabotage.
Likewise, users with access to sensitive or secret information are the prey of spear phishers. We continue to make it easy for them by putting our own convenience of access ahead of security.
As a good, streetwise friend in the security community recently pointed out: “I keep telling the clients, and especially the bigger ones, just assume the hackers are already inside.”
For enterprises, utilities, and corporations, that assumption would be a better starting point than pretending the problem does not exist.