Companies, government unprepared for new wave of cybersabotage
Intelligence not the only part of government that has struggled. Senate has not moved on legislation to back President's order on cybersecurity
By Antone Gonsalves
May 14, 2013 — CSO — A new wave of cyberattacks reportedly aimed at industrial control systems comes at a time when private companies and government are still struggling to protect the nation's critical infrastructure, experts say.
The New York Times reported on Sunday that the attacks were aimed mostly at U.S. energy companies. Rather than looking for intellectual property or sensitive information, the hackers were using probes to look for ways to seize control of processing plants.
While government officials did not know if the attacks were state-sponsored, the origin appeared to be somewhere in the Middle East.
The fact that senior government officials who spoke to The Times were unable to pinpoint the source of the attacks indicates a lapse in the work of the intelligence community, said Stewart Baker, a partner at the law firm Steptoe & Johnson and a former assistant secretary for policy at the Department of Homeland Security (DHS).
"The most disappointing aspect of the story so far is the inability of the intelligence community to attribute the probes," Baker said. "That's embarrassing."
"The intelligence community has faced cyberintrusions for 20 years, yet it has been unable or unwilling to provide much useful attribution information," he said.
The intelligence community is not the only part of government that has struggled in helping the nation defend against cyberattacks. Congress remains at odds over the privacy implications of legislation that would require companies to share data with government agencies.
President Barack Obama issued this year an executive order requiring government agencies to share cyberattack information, but the reverse will require action by Congress.
Government regulation by itself is not a panacea. Joe Weiss, an industrial security consultant and managing partner of Applied Control Solutions, said electric utilities often refuse to be a test bed for cybersecurity technologies because of the "onerous audit requirements." The mandates are contained within the Critical Infrastructure Protection rules established by the North American Electric Reliability Corp.
Weiss has been able to find only one electric utility willing to be a test bed. That company is too small to fall under NERC CIP. "I shouldn't be in a position to say 'only,'" Weiss said. "There should be a few or one of (many), but not only."
Attackers bent on sabotage is not new. Many experts believe the pace of cybersabotage efforts increased after the U.S. and Israel damaged Iranian nuclear facilities several years ago with the Stuxnet worm.
Iran is believed to have retaliated last year with the attack on Aramco, Saudi Arabia's national oil company and one of the world's largest producers. The intruders wiped data from office computers, but failed to reach production systems, which were the main target.
Private companies running much of the nation's critical infrastructure from oil production and the electric grid to manufacturing facilities and water treatment plants know of the potential damage from cyberattacks. However, the reason warnings keep coming from government officials is because not enough is being done in the way of defense.
"There's nothing necessarily new," Weiss said. "The issue more than anything is people still aren't doing an adequate job of protecting themselves."
The Aramco attack failed because the company had one network for its administrative offices and a separate one for its production facilities. While this is considered a best practice, the deployment and maintenance costs are much too high for most companies. Therefore, the alternative is tight access controls.
"Not just firewalls, but controlling the systems that can make these changes and doing that from one point," said Ron Gula, chief executive of Tenable Network Security who worked for the National Security Agency (NSA).
For some companies, a cultural change may be necessary to shore up defenses. Rather than have facility workers and security professionals working separately, the two should collaborate on locking down industrial systems.
"These are cultural challenges where IT and engineering have historically always been separated," said Rick Holland, an analyst with Forrester Research. "This must change, and although many organizations are aware of this, the pace of change is glacial."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.