
Countdown to Catastrophe? Critical Infrastructure Bracing for 2018

A rising chorus of security experts urges action in advance of major attacks likely to hit within the next couple of years

When hackers affiliated with the Iranian government broke into the control system of the Bowman Avenue Dam in Rye, New York, in 2013, one of cyber security’s worst-case scenarios suddenly became real.

This time, we got lucky. In its indictment, the US government said that the attackers failed to release water from behind the dam because the sluice gate had been manually disconnected for maintenance at the time of the intrusion.

But as more companies in critical sectors such as energy, telecommunications, finance and utilities connect their systems to the internet, there is a heightened risk that foreign attackers will try to infect, and potentially cripple, U.S. infrastructure, putting lives and property at risk.

Indeed, the Federal Bureau of Investigation and the Department of Homeland Security warned in a joint alert this past October that attackers were targeting the nation’s nuclear, energy, aviation, water and critical manufacturing industries, as well as government entities.

That unnerving prospect has not gone unnoticed by the people responsible for protecting the most critical sectors in the U.S. A working group of security experts that has met regularly, and off the record, at MIT over the last two years warned the White House that “no one fully understood” how connected the electric industry is with other sectors, and that the country therefore “did not sufficiently understand the risk of catastrophic, macroeconomic failure.” The group also faulted the government for “uncoordinated” actions on cyber security and “scattershot research” and urged accelerated action to protect the nation.

The MIT report, released in March, also predicted that “destructive attacks” will take place within the next two years. Two months later, the WannaCry ransomware outbreak caused damage estimated in the billions of dollars, including freezing up some healthcare systems in the U.S. and overseas.

“We know that a number of increasingly sophisticated criminal organizations, as well as several nation states, could disable our critical infrastructure,” said Joel Brenner, who authored the MIT report.

“We have now put our security in the hands of hostile parties to be exploited at their discretion. If that doesn’t equal urgency, I don’t know what does,” said Brenner, a former counsel at the National Security Agency, and the former head of U.S. counterintelligence under the Director of National Intelligence.

The energy sector is being targeted, in particular.

Symantec said in early September that an overseas group known as Dragonfly has renewed its probing of, and attacks on, the operational systems of utilities. The report prompted two U.S. Senators, Ben Cardin and Chris Van Hollen, both Maryland Democrats, to ask the Department of Homeland Security whether their state’s utilities had been attacked, The Baltimore Sun reported.

The U.S. government identifies 16 critical infrastructure sectors, but the MIT meetings focused on what may be the most critical: electricity, finance, communications, and oil and natural gas.

Kunal Agarwal, general manager of Internet of Things at Symantec, said these industries have strong security governance around their user-facing systems. The problem centers on the controls for cyber-physical assets, he said.

The operational technology (OT) is “kind of forgotten,” said Agarwal. “We consistently see different types of devices -- machines -- that are largely unprotected because they are [running] end of life, end of service operating systems and those systems are not easily replaced,” he said.

OT controls physical devices and processes, and the merging of IT and OT “is really realizing more and more threats,” according to Agarwal.

One approach to making OT more resilient is “behavioral-based lockdown” technology. Instead of relying on anti-malware, the idea is to take every single process “and put it into its own jail cell” so it is only able to access a finite set of memory, file and network resources. The behavior of those systems can then be “defined and then controlled,” he said.
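What that jail cell looks like in practice, as an added example that is not Symantec’s product code or anything from the article: on Linux, a fixed-function process can be confined with a memory cap from setrlimit and a seccomp-bpf allowlist of the handful of system calls it legitimately needs. Everything outside the defined behavior (here, opening a socket or a new file) is terminated by the kernel with SIGSYS rather than detected after the fact. The function and constant names (run_confined, ACT_NETWORK, and so on) are this example’s own assumptions.

```c
/* Added example (not Symantec's or the article's code): a minimal Linux
 * "jail cell" for one process, built from setrlimit and a seccomp-bpf
 * syscall allowlist. The confined child gets a bounded address space,
 * no new file opens and no sockets; any other syscall kills it with SIGSYS.
 * Linux only; build with: cc -o jail jail.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* older kernel headers */
#endif
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

enum { ACT_NONE, ACT_NETWORK, ACT_FILE, ACT_BIGALLOC };          /* what the child tries */
enum { EXIT_ALLOC_REFUSED = 2, EXIT_ALLOC_ALLOWED = 3, EXIT_SETUP_FAILED = 10 };
#define KILLED_BASE 100   /* run_confined() reports "killed by signal N" as 100 + N */

/* seccomp-bpf program: verify the architecture (syscall numbers differ per ABI),
 * then allow only the listed syscalls and kill the process on anything else. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group,   4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit,         3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_rt_sigreturn, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write,        1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),   /* not on the list: die */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
static struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

/* Cap the address space at 256 MiB (never raising the existing hard limit). */
static int cap_memory(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0) return -1;
    rlim_t cap = 256UL << 20;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < cap) cap = rl.rlim_max;
    rl.rlim_cur = cap;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Runs in the forked child; never returns. */
static void confined_child(int action) {
    if (cap_memory() != 0) _exit(EXIT_SETUP_FAILED);
    if (action == ACT_BIGALLOC) {
        /* 1 GiB cannot fit under the 256 MiB cap, so malloc must return NULL. */
        void *p = malloc(1UL << 30);
        _exit(p == NULL ? EXIT_ALLOC_REFUSED : EXIT_ALLOC_ALLOWED);
    }
    /* NO_NEW_PRIVS is required before an unprivileged process may install a
     * filter; it also stops a setuid exec from escaping the sandbox. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) _exit(EXIT_SETUP_FAILED);
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(EXIT_SETUP_FAILED);
    /* From here on only the four allowlisted syscalls survive. */
    static const char msg[] = "confined process running\n";
    syscall(SYS_write, STDOUT_FILENO, msg, sizeof msg - 1);
    if (action == ACT_NETWORK)       /* a controller has no business opening sockets */
        syscall(SYS_socket, AF_INET, SOCK_STREAM, 0);
    else if (action == ACT_FILE)     /* ...or reading files outside its defined set */
        syscall(SYS_openat, AT_FDCWD, "/etc/hostname", O_RDONLY);
    syscall(SYS_exit_group, 0);
    _exit(0);  /* not reached */
}

/* Forks a confined child that attempts `action`; returns its exit status,
 * or KILLED_BASE + signal number if the kernel killed it. */
int run_confined(int action) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { confined_child(action); _exit(0); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return KILLED_BASE + WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(void) {
    printf("allowed work     -> %d (0 = exited normally)\n", run_confined(ACT_NONE));
    printf("socket() attempt -> %d (%d = killed by SIGSYS)\n", run_confined(ACT_NETWORK), KILLED_BASE + SIGSYS);
    printf("openat() attempt -> %d\n", run_confined(ACT_FILE));
    printf("1 GiB malloc     -> %d (%d = refused by RLIMIT_AS)\n", run_confined(ACT_BIGALLOC), EXIT_ALLOC_REFUSED);
    return 0;
}
```

Two caveats a practitioner would raise. An allowlist this tight is only workable because the process’s entire behavior is known in advance, which is exactly the situation on a fixed-function OT host and rarely the situation on a general-purpose IT one. And the legacy hosts Agarwal describes are frequently end-of-life Windows systems, where commercial lockdown products enforce the same idea through application allowlisting and kernel-mode drivers rather than seccomp; the Linux mechanism here illustrates the principle, not the vendor implementation.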

Cyber vulnerabilities are sometimes the consequence of bad business decisions. For instance, businesses put backup generators in the basements of Manhattan buildings despite those basements sitting at or below sea level, and the generators flooded during Hurricane Sandy, said John Pescatore, SANS Institute director of emerging security trends.

“In most cases it’s much harder for cyber itself, without the bad business decision, to be the cause of catastrophic things,” said Pescatore. “But when you combine a bad business decision -- like we’re not going to patch Apache Struts -- with the things that can happen in cyber, then you can get really bad things to happen,” he said.

Big Attacks Only a Matter of Time

The warnings about cyber vulnerabilities to critical infrastructure are getting louder, especially over the last year.

The MIT group said it concurred with an open letter that Edward Amoroso, the retired senior vice president and CSO of AT&T, wrote in December to then President-Elect Trump. Advances in offensive capability “make it inevitable that significant, large-scale attacks will be launched” during Trump’s time in office, Amoroso wrote, and those attacks will shift from IP theft to destructive attacks.


As serious as WannaCry was, it was a known risk: Microsoft had patched the SMB flaw it exploited two months before the outbreak, and the affected organizations had not applied the update. Its spread was finally halted when a security researcher found a kill-switch domain in the code and registered it.

“We got lucky,” said Gregory Touhill, a retired U.S. Air Force brigadier general and cyber security expert, about WannaCry in his testimony at a U.S. House hearing in June. “I believe WannaCry was a slow-pitch softball while the next attack is likely to be a blazing fastball,” he said.

Brenner puts it this way: “Imagine what would happen if one of these organizations executed a ransomware attack on the electric grid of one of our cities?”

“This isn’t fantasy stuff anymore. I think we are going to see things like this,” said Brenner.

About the Author

Patrick Thibodeau

Journalist

Patrick Thibodeau is a veteran technology writer whose work has appeared in Information Week, Federal Computer Week, IEEE-USA, InSight news and TechTarget.
