One of the sessions I attended at CEIC 2013 was cybersecurity expert and former FBI counterterrorism and counterintelligence operative Eric O’Neill’s talk, “How the World Will End: The Spy Is in the Cybersphere.” One of the many very interesting points he brought up was his belief that the critical infrastructure will be attacked, and that attack will be soon. I turned to the woman sitting next to me and said, “I’m glad I’m not the only one who has been saying that.” After the session, O’Neill and I spoke briefly about his comments, and we agreed that predicting such a breach isn’t really going out on a limb, but it was time that we all began to understand the seriousness of a potential breach.
Two days after I returned home, my session partner sent me an email, with the note, “Did you see this?” She included an article titled “Iran Hacks Energy Firms, U.S. Says Oil-and-Gas, Power Companies' Control Systems Believed to Be Infiltrated; Fear of Sabotage Potential.” According to the Wall Street Journal article:
In the latest operations, the Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. They proceeded "far enough to worry people," one former official said.
The article went on to echo a theme of CEIC’s cybersecurity component – while the Chinese are a serious threat, that threat is mainly to our intellectual property (and in my not so humble opinion, it is the growing threat of losing money based on that intellectual property that will eventually make corporations take cybersecurity more seriously). It is other countries, particularly those in parts of the world with unstable or dictatorship-type governments, that are going to be the real threat to our national security and our critical infrastructure.
Tom Cross, director of security research at Lancope, told me in an email:
Industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. It is also difficult to fix security flaws with these systems because they aren't designed to be patched and restarted frequently. It is extremely important that operators of industrial control networks monitor those networks with systems that can identify anomalous activity that might be associated with an attack.
However, as Anthony DiBello, strategic partnerships manager at Guidance Software, pointed out to me, monitoring those networks isn’t as efficient as it could be or should be:
The scary yet untold part of this story is it probably took the energy companies months to figure out they had been compromised, and then it takes even longer to figure out the extent of the infiltration. This is a dangerous threat because the hackers were able to gain access to control-system software vs. DoS.
I read an article after the $45 million bank cyberheist that stated the real cybersecurity threat isn’t to the critical infrastructure, but to the financial industry. The article said that we deal with blackouts and water shortages all the time during hurricanes and other acts of Mother Nature. I think the author missed the point. This isn’t an “all or nothing” situation. Yes, fooling around with the financial sector has a danger all its own, and we saw how the breach of AP’s Twitter account, the one that said the White House was under attack, can affect the markets. But a cyberattack on the critical infrastructure isn’t going to be the same as the power going out after a bad storm. It will be a layered attack – first the infrastructure, which will lead to the financial sector.
So the question we must ask is why is the critical infrastructure so connected to the Internet and outside sources? And then, what security steps are being taken on the inside to make sure the networks that aren’t connected aren’t corrupted by an attack in the manner of Stuxnet, which happened via flash drive.
It’s time to start paying attention to the critical infrastructure. As DiBello said to me, the experts aren’t over-hyping the threat. It is real.