By Ian Kelly, CHPC, National Sales Manager, Data Breach Solutions, ID Experts
Cyber attackers want to turn out the lights—literally. And they’re on their way to succeeding, according to a 2016 energy study by Tripwire. More than 75 percent of the study participants, which included over 150 IT professionals in the energy, utilities, and oil and gas sectors, said the number of successful cyber attacks in their organizations has increased in the past 12 months.
Protecting the Valuable Dinosaurs
Cyber attackers, including those from hostile nation-states, are aiming their sights on critical infrastructure for a couple of reasons. Few things can cripple an economy and leave a population vulnerable as quickly and as efficiently as shutting down utilities, oil refineries, and the like. Alexander Polyakov, founder of security firm ERPscan told Motherboard that the oil and gas industry is “a juicy target for cyberattacks, as oil and gas companies are responsible for a great part of some countries’ economies.”
Admiral Mike Rogers, director of the NSA, agreed. He told Charlie Rose that the U.S. government has identified 16 areas in the private infrastructure that have “significant implications” for the nation’s security. “Think about power,” he said. “Think about water. Think about financial, aviation…one of the missions for U.S. Cyber Command is, if directed, and we find those areas under significant threat, how do we bring our capabilities to be able to attempt to forestall that activity from being successful.”
In addition to their significance, these “juicy targets” are easy prey for attackers, because they are old and lack adequate security controls. According to U.S. News & World Report, most of the electric utilities in the United States used Windows XP as recently as 2014, which is an outdated operating system that left the utilities vulnerable to breaches.
Admiral Rogers addressed this issue, saying that the nation’s power grid wasn’t built over the past several decades with “cyber intrusions” in mind. “We’re trying to overcome decades of investment that were made in a very different world in which this threat just really wasn’t perceived to be anything of significance,” he said.
For Cyber Attackers, Success Is Sweet
“Successful” cyber attacks—for the purposes of the Tripwire study—mean that hackers breached one or more security controls, such as firewalls or antivirus programs, according to U.S. News & World Report. What’s worse, more than 80 percent of respondents in a Tripwire RSA survey believed that a cyber attack will cause physical damage to critical infrastructure in 2016.
“It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries,” Tim Erlin, director of IT security and risk strategy for Tripwire, said.
Last September, USA Today reported that attackers had successfully compromised the U.S. Department of Energy’s computer systems 159 times between 2010 and 2014. The National Nuclear Security Administration, an agency within the Energy Department that is responsible for managing and securing the nation’s nuclear weapons, suffered 19 successful attacks during that time.
“The potential for an adversary to disrupt, shut down (power systems), or worse…is real here,” Scott White, professor of Homeland Security and Security Management and Director of the Computing Security and Technology program at Drexel University, told USA Today. “It’s absolutely real.”
Real Damage, but More Reconnaissance—for Now
Physical damage of critical infrastructure due to cyber attacks is not theoretical. Admiral Rogers cited the attack in 2014 that plunged Sony into what the New York Times described as the “digital dark ages.” Then there was the 2015 attack on Ukraine’s power grid that left hundreds of thousands of residents without power.
Of course, the vast majority of successful intrusions don’t cause such widespread havoc. But complacency is dangerous, as attackers seem to be probing for system weaknesses—knowledge that can be used in future attacks, Tripwire’s Smith said.
There is an inevitability to these attacks, Admiral Rogers pointed out. “We’re watching nation states engage in activity we believe is designed to generate knowledge about those infrastructures in the United States,” he said. “…at some point this is going to move from the theoretical…to an actual event. To me, it’s a question of the when, not the if.”
The United States is not the only country concerned about the likelihood of cyber attacks on critical infrastructure. Earlier this month, the European Parliament passed the EU network and security directive (NIS), which establishes common cybersecurity standards for critical infrastructure that spans national boundaries.
“This directive will establish a common level of network and information security and enhance cooperation among EU member states, which will help prevent cyberattacks on Europe’s important interconnected infrastructures in the future,” Parliament’s rapporteur Andreas Schwab, MEP for Germany, said in an SC Magazine UK article.
While hackers lurk in the shadows, gathering intelligence on our most critical systems, we must be out in the open taking preventive, proactive measures. If (and when) attacked, a successful response incorporates A Proven 12-Step Process that includes the four main stages of the data breach response process. We must take advantage of our interconnected world to protect not only our own interests, but also everyone around us. Because when it comes to critical infrastructure, we’re all vulnerable.
[clickToTweet tweet=”Cyber Attacks on Critical Infrastructure on the Rise” quote=”Cyber Attacks on Critical Infrastructure on the Rise” theme=”style3″]