Friday, January 15, 2016

December news roundup: Aging infrastructure and foreign hackers mark the end of 2015

December’s cybersecurity news further illustrated the reality that foreign state hackers are targeting U.S. critical infrastructure. Of greater concern is the fact that much of our infrastructure security is inadequate to protect against a targeted attack. With outdated security and the growing adoption of the Industrial Internet of Things (IIoT), power grids, dams and other critical infrastructure are at increased risk of a successful network intrusion. Will recent legislation provide the protections needed to improve cybersecurity for critical infrastructure, or is it too little, too late? Read on to learn more about the news and events that capped 2015 and set the tone for the New Year.

Cyber protection a priority for GPS (The Hill, Dec. 4, 2015)
To most, GPS is a useful technology that helps us navigate unfamiliar roads, but GPS has become the backbone of our virtual infrastructure. It is widely used in military operations and control systems, and it provides the critical timing functions that keep our power infrastructure under control. And, according to USAF Col. Brian Searcy (ret.), our global positioning system is a prime target for cybercriminals and nation state adversaries.

The House unanimously passed a bill to provide state and local governments with federal resources to fight cybercrime. The bill would direct the Department of Homeland Security’s (DHS) cyber hub — known as the National Cybersecurity and Communications Integration Center (NCCIC) — to provide state and local governments with technical training and strategic guidance to help bolster their cyber defenses. The bill is now awaiting a vote in the Senate.

RSA president Amit Yoran shared his insights and outlook for the security landscape in 2016. Of note, Yoran believes a critical breach of an ICS network is increasingly likely to occur in 2016. As we at Waterfall have cautioned for years, many ICS security systems are inadequate to defend against targeted cyberattacks. And now, as IIoT, remote access and automated workflows gain adoption within these critical networks, they are growing increasingly vulnerable to outside attacks. And, as Yoran notes, the potential impact of bringing down a power facility or water treatment plant is an attractive proposition for those who wish to do us harm.

The results of a year-long investigation by the Associated Press underscore the very real concerns security experts have been warning about for years: foreign hackers are targeting U.S. critical infrastructure, with some success. According to the AP report, about a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control power grid operations networks.

According to a former official, the 2013 hack of the Bowman Avenue Dam near Rye Brook, New York, was a test by Iranian hackers who managed to gain control of the dam’s floodgates. News of the attack highlights a growing concern among security experts about the susceptibility of infrastructure operated by outdated or retrofitted technology. Until owners of critical infrastructure commit to upgrading their security posture, they will remain vulnerable to these foreign state hacker groups.

From our perspective, any legislation that moves cybersecurity preparedness forward for all industrial control networks is a good thing, but its success depends on complete support from the private sector, including privately owned critical infrastructure. Thus far, the response on the part of many executives has the cybersecurity experts at Waterfall concerned, particularly given the recent evidence that current IT-based security has been repeatedly compromised. At Waterfall, we remain dedicated to educating the market on these vulnerabilities and the dire need for hardware-enforced unidirectional gateways.


To learn more about the risks facing industrial control security networks, visit our resources page.

Monday, January 11, 2016

2016 predictions for industrial cybersecurity

The threat of terrorism is top of mind for many, and of increasing concern to those tasked with protecting industrial control systems (ICS). ISIS has issued threats against the North American electric grid, for example. While the cyber capability of ISIS is thus far unsophisticated, advanced attack capabilities are readily purchased.

Other security challenges will be the topic of heated debate. FERC has requested comments regarding supply chain integrity and remote access rules. The Industrial Internet of Things (IIoT) is gaining steam as well, especially control system vendor “remote monitoring and diagnostics” services that concentrate many control system VPN connections in the hands of a small number of vendors.

Part of the reason that we continue to see large amounts of malware coming out of organized crime is that those groups have developed systems to reliably monetize stolen financial credentials. Volatile oil, gas and refined goods prices are producing opportunities to reliably monetize cyber sabotage.

My top security predictions/topics for 2016:
  1. ISIS will buy sophisticated attack capabilities and launch a credible attack on the North American power grid.
  2. FERC will order NERC to produce additional security controls to address the threat of cyber-supply-chain and “cloud vendor” systems able to sabotage hundreds of critical infrastructure sites in one blow.
  3. There will be reports of a criminal group launching cybersabotage attacks against refineries or pipelines in order to “game” commodities markets.
  4. The security focus for the Industrial Internet of Things will shift away from privacy and encryption and over to protecting the safety and reliability of large, complex, and highly-connected industrial sites.


One way or another 2016 will be a challenge for all of us.


If you’re attending Digital Bond’s S4x16 conference in Miami, January 12-14, contact us to set up a meeting.

Wednesday, December 9, 2015

November news roundup: Why the energy sector is at the heart of cybersecurity discussions

In the wake of the ISIS-perpetrated Paris attacks and cyber threats against the U.K., government agencies are stepping up cybersecurity in a bid to detect and defend their critical infrastructure against a cyberattack by ISIS or other hacker groups. At the top of that list is the energy sector. Cybersecurity leaders from several countries have stated their concerns about a cyberattack against the power grid, refineries and oil or gas pipelines, and many of these infrastructures show serious vulnerabilities. For more on these and other stories that captured our attention last month, see our news roundup below.

Marty Edwards, head of the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), recently spoke with Control Design about security vulnerabilities in IIoT. From unsecured Ethernet on system processors, to store-bought DSL routers used to remotely monitor remote facilities, to BYOD, vulnerabilities are rampant. Edwards advises control system designers to carefully weigh the advantages of connectivity against the potential risks.

Mixing ERP and production systems: Oil industry at risk, say infosec bods (TheRegister, Nov. 18, 2015)
Security researchers from ERPScan described at Black Hat Europe how SAP systems can be compromised and then used to attack and take over industrial control systems in the oil and gas sector. “…insecure setups might be exploited to interfere with operational processes and lead to disruptions in production or even sabotage.” This is possible because the control system network and the ERP system are connected through a firewall.

Michel Coulombe, director of the Canadian Security Intelligence Service (CSIS), revealed his view that a cyberattack by ISIS or other extremist groups on the country's "critical infrastructure" is "a major threat"; however, others point to major gaps in Canada’s cybersecurity strategy, specifically related to critical infrastructure such as pipelines.

According to a new report by the Government Accountability Office (GAO), of the 15 critical infrastructure sectors examined, 12 were overseen by agencies without proper cybersecurity metrics or the formal methods essential to protecting networks from cyberattacks. These findings may add fuel to the argument that critical infrastructure industries should be required to share cybersecurity data with the government.

The Defense Advanced Research Projects Agency (DARPA) announced the development of a new system designed to support the nation’s electric grid defenses. Called Rapid Attack Detection, Isolation and Characterization (RADICS), the system will detect and automatically respond to cyberattacks on U.S. critical infrastructure. Exact details of what the RADICS system will entail were not disclosed, but the agency will hold a Proposers Day on Dec. 14 to detail it further.


If we’ve learned nothing else in this business, it’s that cyber capabilities evolve slowly. Motive, however, can change in an instant. For organizations like ISIS, motive is in strong supply and the cyberattack capabilities necessary to wreak real havoc can be bought. We cannot sit idle while ISIS or other groups plot against our most critical infrastructures. Our very way of life depends on them.

For more on how our better-than-firewalls unidirectional gateway technology can improve critical infrastructure security, visit our resources page.