
Cyber attacks on critical infrastructure targets
On Wednesday the Central Intelligence Agency (CIA) told an international gathering of government officials, engineers and security managers from electric, water, oil & gas and other critical industry asset owners that the CIA has information that cyber intrusions into utilities were responsible for at least three blackouts, and that the intruders then followed up with extortion demands.
The CIA went on to say it suspects, but cannot confirm, that some of these attackers had the benefit of inside knowledge. The very next day the Federal Energy Regulatory Commission (FERC) approved eight mandatory cyber security standards that extend to all entities connected to the nation's power grid. The standards address the following eight areas:
1. Critical cyber asset identification
2. Security management controls
3. Personnel and training
4. Electronic security perimeters
5. Physical security of critical cyber assets
6. System security management
7. Incident reporting and response planning
8. Recovery plans for critical cyber assets
These eight standards were created to increase the security of our critical infrastructure and reduce the risk of a successful attack. Disruption of a country's critical infrastructure would cause significant direct and indirect damage, most of it psychological, economic and financial. Analysis of a cyber attack on critical infrastructure targets produced the following ratings:
Target value: High
Impact analysis: Elevated
Required skills: Moderate
Attack costs: Low
Current defenses: Moderate (elevated for nuclear sites)
Facts
- Utilities across the world are being hit by an estimated 500 to 1,000 attacks from hackers and malicious code every year.
- Technolytics analysis found insider threats now account for over 80 percent of security breaches.
- The Spy-Ops Cyber Warfare CIP training program identified the two areas of greatest critical infrastructure cyber threat as vendor management (for equipment, hardware and software) and human resource management.
- Technolytics analysis found physical and information security responsibilities must merge to improve security.
- Critical infrastructure targets are among the top targets for terrorists and military cyber warfare units.
– Kevin Coleman
{ 10 comments… read them below or add one }
Sounds just like the latest Die Hard movie
Glad someone beat me to saying that.
If I was the owner, I would be extremely mad to learn that it was done from the inside.
What is the old saying: art imitates reality, or is it now reality imitates art?
Why was CIA on its move? Was China involved? Were Chinese Americans providing support to the Chicoms to test internal assisted cyber attacks?
Given the three cities/regions were outside the US, they were in a monitoring and support role to our international friends. At this point no one can say if China played a role and if their supporters provided insider information. Investigating these types of attacks is a long, drawn-out effort and very complex. Few people are highly skilled at computer forensics. In a cyber war, smarts are the raw material of weapons. That being said, the US has seen double-digit decreases in students deciding to get computer and information science degrees in the last several years. We are in a dangerous situation that, even if we act right now, will take years to change!
China? Hah, hardly the MO. If there were extortion demands after the cyber attack I would bet the farm that it was Russian or other Eastern European criminals. You can't assume every attack is politically based; you should never forget the basic human condition of simple greed. As a side note, if you have your grid set up so someone can get inside the controls from the internet, you have failed as an IT professional.
Kevin, can you please explain to me how it’s even possible to attack a utility’s network? I mean, why in the world would the utilities have their networks exposed to the Internet? If they do, then they must have complete retards working there. I know for a fact that all the nuclear power stations here in Ontario have absolutely no access to the Internet. If they aren’t connected to the Internet, then there shouldn’t be any way to hack in.
Also, the tremendous drop in Computer Science and IT enrollment has to do with the dot com crash. Now applicants are only people who are interested in the field, not random people off the street who think they can get rich quick if they go into the tech field.
Those of us in the pen test business have been telling customers for years that they need to improve internal security and audit capabilities.
They never do…until something happens.
On a side note, Kevin is right on in his assessment of the professional state of the IT and engineering careers in the US. Far too many corporations look to other countries for cheap (notice I didn't say inexpensive). I once listened to Sam Palmisano (CEO of IBM) tell over a hundred engineers at one of its US development centers that the executives were NOT looking to the US for future talent.
We’re fighting a losing battle. As one of the most technologically advanced countries in the world, we’re dependent on an infrastructure we can’t even defend.
I wish I could draw you a diagram of the incident I uncovered at one company; it would be easier to explain how the grid control systems got cross-connected to computers with internet connections. But since I can't, let me give you the text version.
1. A vendor software package needed on the company's control system had a maintenance application that used the internet.
2. One individual whose PC was on the internal control network put a wireless hub on his PC so he could connect to the internet.
3. A back-up server for load balancing could be assigned to support both internal control networks and non-control networks, thus providing a bridge between the two.
Those are the three that I have seen. I bet the other readers can come up with other possibilities.
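The three bridges listed in the comment above (a vendor maintenance channel reaching out of the control zone, a wireless adapter added to a control-network PC, and a dual-homed server) are exactly what an interface inventory audit can catch before an attacker does. The following is an added example, not code from the commenter or from the article: it takes a host inventory (hostnames, interfaces, default gateways), classifies each address into a zone under an assumed address plan, and flags hosts that span zones, wireless adapters on control hosts, and control hosts whose default route leaves the zone. The address plan and the inventory are constructed for the example; the zone names and finding codes are hypothetical.

```python
"""Audit a host/interface inventory for bridges between a control
network and other networks: dual-homed hosts, wireless adapters on
control hosts, and control hosts whose default route leaves the zone.
The address plan and inventory below are constructed for this example;
substitute exports from your own CMDB or host agents."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed address plan (hypothetical): control systems in 10.10/16,
# corporate network in 10.20/16. Anything else is treated as unknown.
ZONES: Dict[str, List[ipaddress.IPv4Network]] = {
    "control": [ipaddress.ip_network("10.10.0.0/16")],
    "corporate": [ipaddress.ip_network("10.20.0.0/16")],
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; addresses outside the plan are 'unknown'
    (a home router, a phone hotspot, a vendor's public server)."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "unknown"


# Constructed inventory: each interface is (name, address, is_wireless).
INVENTORY = {
    "hmi-01": {"ifaces": [("eth0", "10.10.1.5", False)],
               "gateway": "10.10.0.1"},
    # Case 2 from the comment: wireless adapter on a control-network PC.
    "eng-ws-07": {"ifaces": [("eth0", "10.10.1.20", False),
                             ("wlan0", "192.168.0.4", True)],
                  "gateway": "192.168.0.1"},
    # Case 1: control host routing out through the corporate gateway.
    "vendor-maint": {"ifaces": [("eth0", "10.10.2.9", False)],
                     "gateway": "10.20.0.1"},
    # Case 3: backup server homed on both control and corporate networks.
    "backup-srv": {"ifaces": [("eth0", "10.10.5.2", False),
                              ("eth1", "10.20.5.2", False)],
                   "gateway": "10.10.0.1"},
    "corp-file": {"ifaces": [("eth0", "10.20.3.3", False)],
                  "gateway": "10.20.0.1"},
}

Finding = Tuple[str, str, str]  # (hostname, finding code, detail)


def audit_host(hostname: str, ifaces, gateway: Optional[str]) -> List[Finding]:
    """Return findings for one host. Codes are hypothetical labels."""
    findings: List[Finding] = []
    zones = {zone_of(addr) for _, addr, _ in ifaces}
    if len(zones) > 1:
        findings.append((hostname, "DUAL_HOMED",
                         "interfaces span zones " + ", ".join(sorted(zones))))
    if "control" in zones:
        for name, addr, wireless in ifaces:
            if wireless:
                findings.append((hostname, "WIRELESS_ON_CONTROL",
                                 f"{name} ({addr}) is a wireless adapter"))
        if gateway is not None and zone_of(gateway) != "control":
            findings.append((hostname, "OFFZONE_GATEWAY",
                             f"default route via {gateway} ({zone_of(gateway)})"))
    return findings


def audit(inventory) -> List[Finding]:
    """Audit every host in the inventory and collect findings."""
    out: List[Finding] = []
    for host, rec in inventory.items():
        out.extend(audit_host(host, rec["ifaces"], rec.get("gateway")))
    return out


if __name__ == "__main__":
    for host, code, detail in audit(INVENTORY):
        print(f"{host:14} {code:20} {detail}")
```

Run against the constructed inventory it reports five findings: backup-srv is dual-homed, vendor-maint routes out of the control zone, and eng-ws-07 trips all three checks (its wireless adapter sits in an unknown zone and is also its default route). The two single-zone hosts produce nothing. The check is only as good as the inventory feeding it, which is the point of the comment: a wireless hub plugged in by one individual shows up here only if host data is collected from the machine itself rather than from a network diagram.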
See the difference: stealing data, attacking databases, Chinese; shutting down networks, extortion, criminals, typically Eastern European. No need for diagrams: a lazy IT worker hooks up to the internet for an update, classic. No, no, don't download the update, check for viruses, burn to CD and deploy; just take down all security, it's easier.