Magazine article Risk Management

The Digital Threat: Cyberattacks Put Critical Infrastructure under Fire

Magazine article Risk Management

The Digital Threat: Cyberattacks Put Critical Infrastructure under Fire

Article excerpt

The growing number of cyberattacks has become one of the most serious economic and national security threats facing companies and governments. And while the headlines have focused on data breaches at organizations including Sony, the International Monetary Fund, Lockheed Martin, Google, Citigroup and the Arizona Department of Public Safety, U.S. infrastructure is also susceptible to attacks.

Critical infrastructure operators have to be on the offensive against cybercriminals no matter whether they oversee stock markets, power grids, railways, nuclear plants, water supplies, health care facilities, chemical plants, telecommunications or research laboratories. All are prime targets for hackers.

Sophisticated exploits such as Stuxnet, a computer worm that targeted nuclear power plant operators in the summer of 2010, and an April attack on Oak Ridge National Laboratory, a U.S. Energy Department facility that studies nuclear fusion and hosts one of the nation's super computers, are just the tip of the iceberg. A recent survey conducted by McAfee and the Center for Strategic and International Studies revealed that 80% of critical infrastructure operators have faced threats ranging from denial-of-service attacks to extortion to advanced persistent attacks.

Government cybersecurity experts who testified in front of the House of Representatives' Energy and Commerce Subcommittee on Oversight in July further highlighted the concern, asserting that the country is lagging in its effort to beef up IT security. According to witness statements by senior cyberdefense personnel from the Department of Homeland Security (DHS) and the Government Accountability Office, the government's efforts to safeguard military and private-sector networks deemed to be part of the country's critical infrastructure are far behind schedule. Only two of 24 recommendations from the Obama administration's "Cyberspace Policy Review" have been implemented since its release in May 2009. Progress has been slow because federal agencies struggle to clearly define roles and responsibilities, according to the experts. Furthermore, DHS needs to improve its analysis and warning capabilities to be able to respond to threats.

In addition, the witnesses voiced their concerns about critical industrial systems being able to fend off Stuxnet. According to Sean McGurk, director of DHS' National Cyber-security and Communications Integration Center, it was questionable if all of the approximately 300 companies using the Siemens systems that Stuxnet could compromise had implemented the recommended security precautions to guard against the worm. Others have similar fears. Within DHS, many worry that other attackers can use "increasingly public information" about the worm to launch variants that would target other industrial control systems.

Similar concerns came from U.S. Cyber Command head General Keith Alexander, who stated at his confirmation hearing that "the Department of Defense requires a focused approach to secure its own networks, given our military's dependence on them for command and control, logistics and military operations." Gen. Alexander emphasized that one of his priorities as the new head of the nation's cyberdefense would be building the capacity, the capability and the critical partnerships required to secure operational networks. (See "Hacking the Military," page 30).

ATTACKER PROFILES

With the re-emergence of "grey hat" hackers, a term that includes the high-profile groups LulzSec and Anonymous and describes those motivated by activism or an anti-security ideal, critical infrastructure providers are facing a far larger pool of combatants than they had to confront just 12 months ago. With the radicalization of the activist movement over the past few years, this group of hackers represents a serious threat to critical infrastructure providers. Anti-nuclear activists, for example, could attempt to disrupt a nuclear power plant to engender fear among citizens and exploit the ensuing media coverage for their own purposes. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.