Defending
against the combination of human and technical exploits requires the
collaboration of human and technical security defenses.
Based
on today’s indictment from the U.S. Department of Justice, a group of
hackers working for the government of Iran conducted a targeted
cyberattack in 2013 on the SCADA systems of the Bowman Avenue Dam in Rye
Brook, N.Y. The attackers gained access to the dam’s operational
systems and could read its status, including temperature information,
water levels, and the state of the sluice gate. Only the fact that the
gate had been manually disconnected from the control system for
maintenance prevented them from operating it.
This event is a reminder of how important it is to protect critical
infrastructure, whether at the national, state, local, or
private-sector level. Despite the small size of this facility, it is a
good example of how exposed critical infrastructure is to a range of
actors. The size of the particular body of water, dam, or power
distribution facility is not a useful measure of risk: larger
facilities run the same kinds of control systems, and they are
vulnerable to the same exploits.
Cyberattack and cyber-exploitation tools and expertise are readily
available to those willing to pay for them. An entire underground
cyber-exploitation ecosystem has evolved in which the latest malware,
and the hacker services to deploy it, can be rented to execute attacks.
This magnifies the ability of a less-technical entity to launch
sophisticated attacks.
Providers of critical infrastructure are increasingly aware of the
importance of a strong cyberdefense, and most of them have been
investing in this area for the past several years. Critical
infrastructure is composed of many interconnected elements, far more
than the typical large enterprise, and those elements extend into the
physical world. That means cyberattacks can potentially damage physical
infrastructure and even threaten lives.
While the level of confidence in security defenses in this industry has
been increasing over the last few years, according to a recent report
on critical infrastructure readiness, the majority are also being
intellectually honest about the ongoing risk of a serious event
actually happening. About half (48%) believe it is likely that within
three years there will be a cyberattack on critical infrastructure that
results in loss of life. Whether that happens is mostly a matter of
resources, motivation, persistence, and opportunity.
Security Industry: Think And Act Differently
The appropriate response to this 3-year-old security breach, and to
every other breach we read about, is not the latest security gadget or
a scapegoat. The fragmented nature of multiple security solutions, and
the complexity that results, is part of the problem. Instead, since
cyberattacks have become an ongoing part of our digital lives, we
believe that the security industry, including vendors, partners, and
customers, needs to think and act differently. We need to build a more
complete picture of the real threats and of our own security posture by
sharing and collaborating better. That means sharing information in
real time between different products and services, sharing threat
intelligence among organizations and governments, and collaborating
quickly when threats are identified to protect critical resources and
contain the potential damage.
One of the most interesting findings of almost every security study we
have done over the past few years is the critical part that human
interactions play in security weaknesses. What we are seeing in many
industries is a combination of technical vulnerabilities and human
ones, the latter often referred to as “social engineering.” Whether it
is a phishing campaign to steal credentials or social media tricks to
increase the credibility of a malicious attachment, this is often the
starting point for infiltrating the environment and launching a more
complex attack. Defending against this combination of human and
technical exploits requires the collaboration of human and technical
security defenses.
Cyberspace has grown essential to every dimension of our lives, so we
should assign as much priority to protecting our digital resources as
we do to protecting our physical security. Escalating cybersecurity
tensions, both the breaches themselves and the public concern they
cause, risk fragmenting the infrastructure, hindering innovation, and
limiting the future prospects for technology.