Last week, the U.S. Department of Homeland Security issued a warning stating that there was a heightened risk of a cyberattack on private U.S. companies that provide critical infrastructure services in the country.
In the memo, which was issued by the department's Industrial Control Systems Cyber Emergency Response Team on a restricted computer network, officials warned of "increasing hostility" against "U.S. critical infrastructure organizations" that could result in the disruption of "control processes," such as the operations of chemical, electric and water plants.
The Washington Post's Ellen Nakashima reports:
DHS officials did not provide details on the nature of the latest threat, but there has been renewed concern among government and industry officials about cyber-activity out of the Middle East, particularly Iran.
"There have been oil and gas companies that have seen increased activity out of Iran — not just U.S. but overseas companies," said one industry official who was not authorized to speak for the record.
This week, a report from the New York Times sheds a bit more light on the basis for the warning. U.S. infrastructure companies, particularly those involved in energy, have indeed seen an increase in attacks, David Sanger and Nicole Perlroth report:
The attacks appeared to be probes, looking for ways to seize control of their processing systems. The attacks are continuing, officials said. But two senior administration officials said Sunday that they were still not certain exactly where the attacks were coming from, or whether they were state-sponsored or the work of hackers or criminals.
That concern is not unprecedented: last year, oil and gas outfit Saudi Aramco was hit, but not especially disrupted, by a cyberattack. My CNET colleague Elinor Mills wrote then that "The primary enterprise systems of hydrocarbon exploration and production were unaffected because they are kept on isolated network systems."
The U.S. government has certainly been doing its part, purchasing loads of malware in an attempt to fight fire with fire, a strategy that some call foolish and others call proactive. But the logistical challenge is obvious: as more systems that are critical to U.S. infrastructure operations are privatized (and digitized), it will become more difficult for the federal government's cyberdefense teams to do their jobs.
It's this point, the twelfth and final one in the National Security Council's "Comprehensive National Cybersecurity Initiative," that's the most pertinent:
The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public's business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats.
Thus, the age-old problem: if you're a company that needs to ensure a given standard through your entire supply chain, how do you find the leverage to achieve your goal?
The NSC's initiative, first announced in 2009, calls for recommendations and a plan of action; four years later, it's clear that this is already being tested. Because if the electrical grid goes offline along the Northeast Corridor, or the entire Bay Area cellular network goes down, to whom do you turn?
Photo illustration: Andrew Nusca, based on the original by Jennifer Boyer/Flickr