Aug 27
Cyberattack Risk Assessment
“[I]n 1945 we were the protagonists with the new weapon. Now, we are the ones who are likely to be on the receiving end. If the Trump administration doesn’t act quickly and decisively, it may be a very cold winter.” — Steve King, COO of Netswitch Technology Management
A couple weeks ago, I wrote about hackable vehicles. Serious as that is, the potential dangers are minuscule compared to this week’s topic.
With all of the hullaballoo of late regarding who at the White House is quitting, getting fired or reassigned, an important report from the National Infrastructure Advisory Council (NIAC) has been overlooked by many. This task force, commissioned by the National Security Council (NSC), has “review[ed] and evaluate[d] a long list of ways the federal government determines how to secure critical infrastructure — such as dams, bridges, power grids, and airports — against targeted cyberattacks.” As per Steve King at Lifezette,
“They have assessed our national risk and have declared it real, present and high….
The task force recognizes that most critical national infrastructure (CNI) in the U.S. is privately owned and poorly defended, and it is particularly vulnerable to cyberattack because it relies on outdated software, third-party utilities, and interconnected networks.
The ability to run their systems remotely, as well as update software via the web, gives hackers all the access they need. These interconnected networks are even more tempting because they usually control operations as well, magnifying the impact of an attack.
Attacks against operations technology (OT)… can easily produce kinetic effects — such as opening flood gates, shutting down grids, and destroying control circuitry.
The report confirms the contention that while the government and the private sector may have lots of appropriate technologies to defend critical systems, they have not been applied in a way that can be effective against an adversary in cyberspace. This conclusion has been demonstrated in study after study and shared by most cybersecurity professionals in the private sector.”
Outrageous! It is absolutely inexcusable that the various government offices that deal with these systems (sometimes via contractors) and owners/administrators in the private sector have allowed the situation to get this bad.
“The task force recommends establishing separate, secure networks for critical infrastructure; information-sharing through automated threat intelligence distribution; and the use of modern scanning tools and processes for periodic threat assessments. This is all solid Cyberthreat 101 stuff that should have been in place years ago.
The task force has gone so far as to recommend outcome-based market incentives (aka bribes) to encourage CNI owners to invest in state-of-the-art technologies, as though the threat of a cyberattack that will shut down a large section of the electrical grid is not sufficient incentive in itself.”
This is some scary stuff, folks! Whether by cyber-anarchist hacks or state-sponsored attacks, the threat is all too real. (This isn’t the first time I’ve touched on the subject, either. See my “Chinese Sabotage U.S. Military” and “Security Concerns for U.S. Power Grid” posts from years past.)
King also reminds his readers of the Stuxnet malware, which in 2009 “silently accelerated a few hundred Iranian nuclear centrifuges into self-destruction.” More recently, last month’s “Petya virus took down Eastern Europe’s national banks, state power companies, and airports in a demonstration of the effects of a relatively unsophisticated cyberattack on key elements of government infrastructure.” Those are just tastes of what is not only possible but, according to the NIAC and others, looming on the horizon for the U.S.
We have a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack to organize effectively and take bold action”. President Trump has been talking about a national program to improve our infrastructure for a while now, and I hope he takes this report to heart. (Btw, I’m guessing this would fall under the purview of the proposed DoD Chief Information Warfare Officer.) Same goes for Congress, of course, ’cuz they need to fund it. This should be a bipartisan issue and a “no-brainer” — in other words, perfect for Congress!