Black Hat is coming up later this month, but as a preview, a survey of attendees has been released. Portrait of an Imminent Cyberthreat touched on many issues about the current state of cybersecurity, such as the lingering effect of the election hacking scandal and the likelihood of their own companies being the victim of a cybersecurity incident. But here is a statistic that jumped out at me:
60% of respondents believe that a successful cyberattack on US critical infrastructure will occur in the next two years. Only 26% are confident that U.S. government and defense forces are equipped and trained to respond appropriately.
This is a striking statistic simply because of other news that broke about the same time the survey became public. According to the New York Times, the computer systems at nuclear power plants have been the target of hackers. It’s unknown at this time what the exact intent of the hackers is, such as stealing intellectual property or causing physical damage, and as of now, no threat to public safety exists, but the attacks are enough to cause investigators to call for the second-highest level of security threat warnings.
It comes down to an old problem, Paul Edon, director of international customer services at cybersecurity firm Tripwire, told me in an email comment. The industrial control systems are now connected to the internet, but the systems were never designed with security in mind. This leaves them vulnerable to attacks. He added that all industries should take these hacking attempts on nuclear plants as a warning:
For any business that has an industrial control system footprint, whether in manufacturing, transportation or energy, now is the time to evaluate how the environment is being secured. Failure to do so could result in a devastating attack, which could cause serious damage or even endanger public safety.
Edon recommended that organizations review one of the available ICS Cyber Security Frameworks, such as NIST Guide to Industrial Control Systems (ICS) Security or CPNI - Security for Industrial Control Systems Framework, which will outline the challenges, requirements, and responsibilities regarding areas like governance, business risks, education and skills, vulnerability management, and security improvements.
Nuclear plants are in the news right now, but expect this type of news to spread through to other areas of the critical infrastructure (and, for what it’s worth, I agree with the assessment that we should expect a major attack on the critical infrastructure sooner rather than later). As Chris Olson, CEO of The Media Trust, told me in an email comment:
The ability to hijack legitimate websites to execute individually targeted malware attacks is easier than most IT/security professionals realize. The process to deliver customized, browser-rendered content -- use of behavior profiles to recommend user-specific content -- is the same one leveraged by bad actors to target their campaigns. Traditional security tools -- blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls -- are proving inadequate defenses against today's dynamic websites, including government websites.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba