December news roundup: Aging infrastructure and foreign hackers mark the end of 2015

December’s cybersecurity news further illustrated the reality that foreign state hackers are targeting U.S. critical infrastructure. Of greater concern is the fact that much of our infrastructure security is inadequate to protect against a targeted attack. With outdated security and the growing adoption of the Industrial Internet of Things (IIoT), power grids, dams and other critical infrastructure are at increased risk of a successful network intrusion. Will recent legislation provide the protections needed to improve cybersecurity for critical infrastructure, or is it too little, too late? Read on to learn more about the news and events that capped 2015 and set the tone for the New Year.

Cyber protection a priority for GPS (The Hill, Dec. 4, 2015)

To most, GPS is a useful technology that helps us navigate unfamiliar roads, but GPS has become the backbone of our virtual infrastructure. It is widely used in military operations and controls and provides critical timing functions to ensure control over our power infrastructure. And, according to USAF Col. Brian Searcy (ret.), our global positioning system is a prime target for cybercriminals or nation state adversaries.

House unanimously passes bill boosting resources to fight cybercrime (The Hill, Dec. 10, 2015)

The House unanimously passed a bill to provide state and local governments with federal resources to fight cybercrime. The bill would direct the Department of Homeland Security’s (DHS) cyber hub — known as the National Cybersecurity and Communications Integration Center (NCCIC) — to provide state and local governments with technical training and strategic guidance to help bolster their cyber defenses. The bill is now awaiting a vote in the Senate.

Amit Yoran’s predictions for 2016 (RSA, Dec. 11, 2015)

RSA president, Amit Yoran, shared his insights and outlook for the security landscape in 2016. Of note, Yoran believes a critical breach of an ICS network is increasingly likely to occur in 2016. As we at Waterfall have cautioned for years, many ICS security systems are inadequate to prevent against targeted cyberattacks. And now as IIoT, remote access and automated workflows gain adoption within these critical networks, they are growing increasingly vulnerable to outside attacks. And, as Yoran notes, the potential impact of bringing down a power facility or water treatment plant is an attractive proposition for those who wish to do us harm.

AP Investigation: US power grid vulnerable to foreign hacks (Dec.21, 2015)

The results of a year-long investigation by the Associated Press, underscore the very real concerns security experts have been warning about for years: foreign hackers are targeting U.S. critical infrastructures, with some success. According to the AP report, about a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control power grid operations networks.

Former official: Iranians hacked into New York dam (CNN, Dec. 22, 2015)

According to a former official the hack of Bowman Avenue Dam near Rye Brook, New York in 2013, was a test by Iranian hackers who managed to get control of the dam’s floodgates. News of the attack highlights a growing concern among security experts about the susceptibility of infrastructure operated by outdated or retrofit technology. Until owners of critical infrastructure commit to upgrading their security posture, they will remain vulnerable to these foreign state hacker groups.

From our perspective, any legislation that moves cybersecurity preparedness forward for all industrial control networks is a good thing, but its success depends on complete support from the private sector, including privately owned critical infrastructure. Thus far, the response on the part of many executives has the cybersecurity experts at Waterfall concerned, particularly given the recent evidence that current IT-based security has been repeatedly compromised. At Waterfall, we remain dedicated to educating the market on these vulnerabilities and the dire need for hardware enforced unidirectional gateways.

To learn more about the risks facing industrial control security networks, visit our resources page.