To put it in somewhat technical terms, the nation’s industrial control systems (ICS) – part of its critical infrastructure – are not only vulnerable to compromise, they are likely compromised right now.
Or, in Paul Dant’s much more blunt, and less technical terms, “your sh-- is f--ked.”
Dant, chief strategist and managing principal at Independent Security Evaluators, was one of three experts on a panel titled “Securing Industrial Control Systems” at the recent Security of Things Forum in Cambridge, Mass.
He added that he believes more attacks on US critical infrastructure are inevitable. “To think that stuff is not vulnerable is a complete fallacy.”
He got no disagreement from his fellow panelists, who followed an afternoon keynote address titled “In Praise of Junk Hacking” by Travis Goodspeed, an independent security researcher, who demonstrated how to hack much less critical devices like graphic calculators, but noted that the ways to compromise them applied to “things we do care about.
“These are the exact same techniques that can be used to attack your ICS,” he said.
Matt Clemens, security solutions architect at Arxan, agreed. “All the things that are running parts of these bigger systems are made up of things that people work with in smaller systems every day,” he said.
The panelists agreed that owners and operators of ICSs should assume not just that their systems are vulnerable to attack, but that attackers are already on the inside.
It is not that such attacks are new – the discussion included references to the hack of Ukraine’s power grid last December, in which about 225,000 people lost power for about three hours; the Shamoon virus attack on Saudi Aramco; and Stuxnet, the computer worm attributed to the US and Israel, used to attack and destroy a portion of Iran’s nuclear facilities.
None of these were a surprise, said Andrew Kling, director of cyber security and architecture at Schneider Electric. “I’m surprised we don’t hear about more of them,” he said.
That, as has been widely reported, is because most ICSs were not designed with the expectation that they would be connected and remotely controllable.
It is also a matter of priorities. The acronym CIA – Confidentiality, Integrity and Availability – was mentioned more than once during the day, with most agreeing that the first two on the list were more important than the third.
But Kling said availability is the priority in ICS – if they aren’t available, people could be without electricity, water and other critical services. And until recently, security was not even a requirement.
The other problem, he noted, is that the ICS industry doesn’t move at a pace even close to that of technology in other fields. When a device is implemented, he said, “we’re talking about 18 years of support for that device. Just think about where we were 18 years ago – that’s how far forward we have to look.”
Dant said the industry remains in denial. “We’re so far away from acknowledging the problem,” he said, adding that he thinks ICS is simply not ready to be connected to online networks.
“I would tell a client that,” he said. “Let’s postpone some of this massively quick adoption of this technology.”
Kling said industry leaders will not be convinced of the need to harden their systems simply through scare stories, however. “Fear doesn’t work,” he said. “You have to talk to them in language they understand, which is their bottom line, or damage to their brand.
“Is an incident going to make their stock fall 20% or 2%?”