X

Ultra Electronics 3eTi

When a Former “Anonymous” Hacker Says US Critical Infrastructure May be Next, It’s Time to Listen

December 9th, 2014 / By

Severe security issues have dominated recent news cycles, alarming global audiences and impacting sectors that usually have little in common when it comes to headlines. The Senate Intelligence Committee’s report on CIA interrogation techniques is now at the fore, with the US military on high alert as a result. In the same 48-hour window, CBS carried Charlie Rose’s interview of the “Anonymous” hacker known as Sabu issuing dire warnings of our nation’s extreme vulnerability to attacks targeting critical infrastructure.

Sabu, AKA Hector Monsegur, now works as an FBI mole. As CBS pointed out, Monsegur’s “talent and keen eye highlighted vulnerabilities in the critical systems that keep America online — threats he said still exist.”

“In all reality there is no security,” Monsegur said. “Hackers could break right into the airport, the phone systems, obviously, the water supply systems — shut them down.” He added that this frightening and very real vulnerability “should be an inspiration to the American government to take action and focus on the country’s infrastructure.” He continued that the country’s top decision makers rely overly on contractors that employ specialists like Edward Snowden. That reliance, as has been amply demonstrated to near devastating effect, does not produce reliably cyber-hardened systems.

As Monsegur pointed out to CBS, “Who will guard the guards, Charlie? Our security, the people we pay for, the people we hire with tax dollars — are not really secure themselves.”

LinkedIn group Critical Infrastructure Protection has fielded dialog on this issue, with a post by Patrick Coyle. His blog, Chemical Facility Security News, features a post considering the ramifications and implications had the recent hacker attacks on Sony been carried out on a chemical plant. In the LinkedIn post, Patrick replied to a comment on decision-maker inattention to the risk:

“The decision makers are not taking it seriously because they don’t understand the potential extent of the problem. The computer guys don’t understand the potential chemical consequences and the chemical guys don’t understand the degree of vulnerability of their systems. And the business guys just plain don’t understand.”

My team and I work diligently every day to sound the alarm on our vulnerable infrastructure. The voluntary process and systems for protecting industrial networks fall short of comprehensively securing the systems and controllers that manage critical processes. These include computer-directed commands that control, for example, filtration, ventilation, generation, combustion and emission. In the case of the latter, interference with controls handling volatile organic compounds can result in deadly releases of carbon monoxide, nitrogen oxides, formaldehyde and other deadly emissions.

The federal government recommends “defense-in-depth” measures that place multiple layers of security controls throughout a system. The intent is to establish redundancy should a security control fail or a vulnerability be exploited.

Maybe it’s time for these recommendations to become directives, even if it is shareholders and boards of directors, rather than the government, laying down the law. Every week we seem to see showcased new levels of innovation in cyber-attacks that ever more tenaciously hurt people, harm businesses, and basically make a mockery of our expensive firewalls.

It’s high time this level of innovation and tenacity be equaled and exceeded by the stewards of our nation’s critical services.