The fear of a state or terror-group-sponsored cyberattack on the nation's infrastructure was again highlighted by a pair of news stories this week that indicated such groups may have accessed the United States' electrical grid as well as a dam in New York State.
The Associated Press reported that hackers, possibly from Iran, had opened a pathway into the nation's power grid and taken passwords and schematic drawings enabling a strong follow-up attack. In addition, another group, again possibly Iranian, may have attempted to gain access to a dam located in New York. While there was no sign a breach took place, this incident was described as a probe of the dam's defenses, according to The Wall Street Journal.
The current crop of attacks should prompt a response from not only the potential targets, but from government and internet security firms, said industry watchers.
“Every critical industry should sit up and take note of this report,” John Stroup, CEO of Belden, told SCMagazine.com in an email Monday. “We should assume that these attacks are not limited to our electrical grid. Every industrial, defense and manufacturing organization should immediately evaluate their own cybersecurity controls and take steps to reduce risks.”
These incidents may indicate that the electrical utility and other infrastructure companies not only need to spend more on defensive measures, but do so quickly to head off a disastrous attack, Tim Erlin, director of IT risk and security strategy at Tripwire, said in a statement.
Stroup agreed, adding, “The reality is that our current level of investment in industrial cybersecurity is not sufficient. We need cybersecurity solutions that are crafted to address the unique requirements of these industries.”
“The energy industry, including electrical utilities, requires substantial investment to tilt the playing field toward defense,” Stroup said. “At the moment, the attackers have the advantage. We cannot wait for a significant incident to change our behavior with regard to critical infrastructure cybersecurity. We're not talking about financial loss and recovery here. We're talking about safety and potential loss of life.”
One of the more straightforward methods of mitigating the problem is to properly “air gap” power and other utilities from the internet – essentially sealing them off so hackers can't use their normal attack vectors to gain access.
Pierluigi Stella, CTO of Network Box USA, does not see any reason, other than convenience, for having these systems exposed to the internet. While this is not a perfect fix, it could go far toward protecting these critical systems.
“I would ask, why does a supervisory control and data acquisition (SCADA) system controlling a power plant or a distribution plant or any plant for that matter, need to be on the internet?” Stella told SCMagazine.com Monday in an email. “I would say, we should make it mandatory that the subnet for SCADA be at least isolated with its own firewall and IPS, and access granted only in one direction – egress.”
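To illustrate the egress-only isolation Stella describes, here is an added example of an nftables ruleset for the firewall that sits between a plant's IT network and its SCADA subnet. It is not configuration from the article or from any of the companies quoted; the interface names, subnets and historian address are assumed placeholders. The weak baseline it replaces is a flat network, or a forward chain with `policy accept` and no rules, where any host on the IT side can open a connection to a controller.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article. Assumed placeholder addresses:
#   SCADA subnet 10.10.0.0/24 on interface scada0
#   IT network   10.20.0.0/16 on interface it0
#   historian    10.20.5.10, receiving plant data on TCP port 5000
#
# Weak baseline (what this replaces): "policy accept;" with no rules, so any
# IT-side host can initiate a session into the SCADA subnet.

flush ruleset

table inet scada_fw {
    chain forward {
        # Default deny in both directions; every permitted flow is listed below.
        type filter hook forward priority 0; policy drop;

        # Reply packets for sessions the SCADA side opened are allowed back in.
        # This is what makes the rule set "one direction – egress" rather than
        # a full air gap: data can leave, but no session can be started inbound.
        ct state established,related accept

        # Egress: SCADA hosts may push data to the historian, and nothing else.
        iifname "scada0" oifname "it0" ip saddr 10.10.0.0/24 ip daddr 10.20.5.10 tcp dport 5000 ct state new accept

        # Ingress: any new session aimed at the SCADA subnet is logged, then dropped.
        # The log prefix gives the SOC a searchable marker for probing attempts.
        iifname "it0" oifname "scada0" ct state new log prefix "SCADA-INGRESS-DENIED " drop
    }
}
```

Load it with `nft -f <file>` on the firewall host. An inline IPS, as Stella also mentions, would sit on the scada0 side of this device and inspect the permitted egress flow; the ruleset above only decides which flows exist at all. Remote vendor maintenance that genuinely needs inbound access should be handled through a separately controlled jump host rather than by adding an ingress accept rule here.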
However, air gapping may still not be enough to ensure protection. Carl Herberger, vice president of security solutions at Radware, said the United States' infrastructure is simply too tempting of a target for too many groups to rely on just one method.
“The U.S. needs to be up and always on, so it makes sense for a state-sponsored [group] to want this level of access,” Herberger said, adding that there is precedent for such an attack with Brazil's grid being taken down several years ago and Anonymous doing the same to the Philippines last year.
Anonymous also claimed credit on Dec. 21 for the massive distributed denial of service attack that crashed Turkey's internet access.
Stella added that while an attack on the power system would be a major problem, an incursion into the water system falls into a much more severe category.
“While power can leave you in the dark, massive amounts of chlorine or fluoride released ‘accidentally’ in the water system can poison and even kill people,” he said. “We cannot play loosely with these issues. We need to realize that our enemies can use these vulnerabilities in a war against us.”
The primary reason infrastructure targets are so vulnerable is that most were constructed when the most important security measure was building a tall fence around the facility. No care was taken to harden them from internet-based attacks. This means a huge influx of capital is needed to bring their online defensive measures up to speed, money that is not always available.
Herberger noted that many utilities are managed or supervised by states and local municipalities. These are usually not only short on funding for something like cybersecurity, but have budgets and a planning process that is laid out years in advance, making it difficult for them to quickly react to a threat.
UPDATE: An earlier version of this article stated that security researcher Brian Wallace discovered the Bowman Avenue Dam intrusion. Cylance, Wallace's employer, clarified that DHS notified the officials in the city of Rye of the attack. Wallace worked on research involving Operation Cleaver, a separate cyber incident that was conducted by the same group, according to Cylance.