Among the already scary global state of affairs, cybersecurity and critical infrastructure are also areas that have become increasingly tense. In July, The Economist ran a special section on cybersecurity, and one of the stories focused on critical infrastructure attacks. One passage explains perhaps the key issue driving the underlying threat to the world’s critical infrastructure, and it involves the way in which supervisory control and data acquisition (SCADA) systems, which control network operations, have evolved:
Many of these were designed to work in obscurity on closed networks, so have only lightweight security defences. But utilities and other companies have been hooking them up to the web in order to improve efficiency. This has made them visible to search engines such as SHODAN, which trawls the internet looking for devices that have been connected to it. SHODAN was designed for security researchers, but a malicious hacker could use it to find a target.
So everyone knew this was a problem and reacted accordingly, right? Actually, no. A July survey and report sponsored by Unisys and conducted by the Ponemon Institute included responses from almost 600 security execs at utility, oil and gas firms. FierceHomelandSecurity said that Ponemon found that security programs generally are not fully deployed and more than half are vulnerable to threats that potentially affect critical infrastructure.
Ponemon also found that more than half of respondents are unsure or are not confident that legacy equipment can be upgraded cost effectively. Also, about one-third of respondents “do not get real-time alerts, threat analysis and intelligence that can help stop or lessen a cyber attack.”
If the good guys are not paying enough attention, it would follow that the bad guys aren’t either, right? Again, no. The report said that just shy of 70 percent reported one or more breaches during the past year. The Ponemon study, which was sponsored by Unisys, found that confidential data was lost or operations disrupted due to the breaches.
However, it seems that more elected officials are getting with the cybersecurity program. Indeed, the danger of cyber threats to critical infrastructure has done the seemingly impossible: It got the House of Representatives to act. Bank Info Security reports that three bills recently passed, at least two of which deal directly with this topic: The National Cybersecurity and Critical Infrastructure Protection Act, the Critical Infrastructure Research and Development Advancement Act and the Homeland Security Cybersecurity Boots-on-the-Ground Act.
The business groups and the American Civil Liberties Union, which generally take opposite sides on legislation, both backed the legislation:
The bill, if enacted, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyber threat information sharing with critical infrastructure operators. It also would establish an equal partnership between industry and DHS, and ensure that DHS recognizes industry-led organizations to expedite critical infrastructure protection and incident response.
The bottom line is that few things are as frightening as the idea that terrorists, organized gangs and other bad folks can influence our heating, power, sewage, traffic lights and other infrastructure elements. But they can, and work to stop them must accelerate.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.