In the wake of the ISIS-perpetrated Paris attacks and cyber
threats against the U.K., government agencies are stepping up cybersecurity in
a bid to detect and defend their critical infrastructure against a cyberattack
by ISIS or other hacker groups. At the top of that list is the energy sector.
Cybersecurity leaders from several countries have stated their concerns about a
cyberattack against the power grid, refineries and oil or gas pipelines, and
many of these infrastructures show serious vulnerabilities. For more on these
and other stories that captured our attention last month, see our news roundup
below.
DHS cybersecurity director on avoiding security vulnerabilities when connecting to the IIoT (Control Design, Nov. 12, 2015)
Marty Edwards, head of the U.S. Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT), recently spoke with Control Design about
security vulnerabilities with IIoT. From unsecured Ethernet on system
processors to using store-bought DSL routers to monitor remote system
facilities to BYOD, vulnerabilities are rampant. Edwards advises control
systems designers to carefully weigh the advantages of connectivity against the
potential risks.
Mixing ERP and production systems: Oil industry at risk, say infosec bods (The Register, Nov. 18, 2015)
Security researchers from ERPScan described at Black Hat Europe how to hack into
SAP systems and then launch attacks against, and take over, industrial control systems in the
oil and gas sector. “…insecure setups might be exploited to interfere with
operational processes and lead to disruptions in production or even sabotage.”
This is possible because there is a connection between the control system
network and the ERP system through a firewall.
Cyberattacks on infrastructure a 'major threat,' says CSIS chief (CBC News Canada, Nov. 19, 2015)
Michel Coulombe, director of the Canadian Security
Intelligence Service (CSIS), revealed his view that a cyberattack by
ISIS or other extremist groups on the country's "critical
infrastructure" is "a major threat"; however, others point to
major gaps in Canada’s cybersecurity strategy, specifically related to critical
infrastructure, such as pipelines.
Feds lack method to grade critical infrastructure cybersecurity (The Hill, Nov. 20, 2015)
According to a new report by the Government Accountability
Office (GAO), of the 15 critical infrastructures examined, 12 were overseen by
agencies without proper cybersecurity metrics or formal methods essential to
protecting networks from cyberattacks. These findings may add fuel to the argument
that critical infrastructure industries should be required to share
cybersecurity data with the government.
DARPA wants early warning system for power-grid cyberattacks (NetworkWorld, Nov. 24, 2015)
The Defense Advanced Research Projects Agency (DARPA) announced
the development of a new system designed to support the nation’s electric grid
defenses. Called Rapid Attack Detection, Isolation and Characterization
(RADICS), the system will detect and automatically respond to cyberattacks on U.S.
critical infrastructure. Exact details of what the RADICS system will entail
were not disclosed, but the agency will hold a Proposers
Day on Dec. 14 to detail it further.
If we’ve learned nothing else in this business, it’s that
cyber capabilities evolve slowly. Motive, however, can change in an instant.
For organizations like ISIS, motive is in strong supply and the cyberattack
capabilities necessary to wreak real havoc can be bought. We cannot sit idle
while ISIS or other groups plot against our most critical infrastructures. Our
very way of life depends on them.
For more on how our
better-than-firewalls unidirectional gateway
technology can improve critical infrastructure security, visit our resources page.