Cyberattacks have already impacted public infrastructure in other countries and it's only a matter of time until a similar attack results in a major catastrophe disrupting crucial services in the United States, according to IoT security experts.
"I think that it's definitely not a matter of if, it's a matter of when," said Zulfikar Ramzan, CTO of RSA and former chief scientist of Sourcefire. Ramzan is also the co-author of Crimeware: Understanding New Attacks and Defenses.
Public infrastructure refers to whatever is critical to keep society functioning, from utilities and water to hospitals, transportation and public safety. This infrastructure can be part of either the public or private sector, such as with financial services, hospitals and pharmaceutical companies. If any part of this structure is attacked, it could lead to an unprecedented crisis.
Overall, industrial control systems (ICS) incidents, as these type of attacks are known, are on the rise. The number of incidents reported to U.S. authorities increased 17 percent in 2015, with 295 incidents, according to the U.S. Department of Homeland Security ICS Cyber Emergency Response Team (ICS-CERT).
"This is a near-term threat that we need awareness about. We need to be prepared. From a general industry perspective, we see these industries taking a very compliance-driven approach. I draw direct parallels to what we've seen in enterprise security. Ten years ago everyone was taking a checklist compliance certification and accreditation and that gave them a false sense of security," said Brad Medairy, senior vice president at Booz Allen Hamilton and a leader of the firm's Strategic Innovation Group (SIG) and Predictive Intelligence business. "I see that today on the operational technology side, which is compliance driven and it's just a matter of time before sophisticated adversaries with malicious intent start to compromise that."
Ports, dams, railways, pharmaceutical manufacturers and utilities are at a high risk, along with supply chain problems within the manufacturing sector. "I think manufacturing in the near term is certainly at risk. I think that we're going to start to see potential ransomware, supply chain attacks and disruptions," Medairy said.
Tim Herbert, senior vice president of research and market intelligence for CompTIA, said, "I think today anything that is connected is a target. We have seen the trend over time that with many of the motivations for targeting, whether it's a business or infrastructure, is that there's much more of a monetary motivation, whether there's an expectation to extract funds via ransomware or a way to steal data to be able to monetize that in some way."
Ransoming the power grid is an inevitable attack, Herbert said, adding, "governments are really struggling to try to reconcile some of these challenges and what to do, such as not jumping to conclusions -- especially when it's so easy to create an attack and make it seem like it's coming from another country. We know an attack is coming, it's just a matter of what the degree and the intensity of it is."
Other countries have already suffered at the hands of cunning cybercriminals hacking into the public infrastructure:
- In December last year, more than 225,000 customers in the Ukraine experienced a blackout on a cold winter's day as the result of remote intrusions at three regional electric power distribution companies. Hackers thought to be associated with Russia were blamed for the attack that used malware to attack and destroy data on hard drives and flood phone lines with a denial-of-service attack, according to a U.S. Homeland Security report.
- North Korea has been tied to three separate reconnaissance attacks on South Korea's light rail operators, stealing information pertaining to critical systems such as speed and safety controls, according to a report by Booz Allen Hamilton.
- A nuclear power plant in Germany was infected with malware as the result of employees bringing in USB flash drives from the outside. And malware was found in the control room of a Japanese nuclear reactor.
People in the U.S. have more of a tendency to wait until something happens here to be concerned about the risk, according to Scott Montgomery, CTO of Intel Security for the public sector.
"Our way here is to wait until our nose is rubbed in it before we do a lot to be proactive. Imagine if the 200,000 had been in Pittsburgh, Pennsylvania rather than the Ukraine. You might not have even covered the Ukraine incident. But imagine if it happened in Pittsburgh -- we'd still be talking about it," Montgomery said.
"There are some organizations doing a little bit more because they don't want to be on the front page. The United States Army asked Congress for an additional $200-some million dollars so they could gain power grid independence and become an independent power generator, so they didn't have to rely on the grid at Fort Bragg and Fort Hood respectively. They said if someone turned out the lights in Killeen, Texas it would seriously impact our war fighting ability. We need independence from that," said Montgomery. Fort Hood is located in Killeen, Texas.
Another city that's taking preventative measures is New York, N.Y., which tests water from an aquifer 80 miles away to make sure that nothing has been added to the water supply. By testing so far from the city, they can isolate problems before the water supply reaches the metro area, Montgomery said. "But every municipality doesn't have the wherewithal or the ability to do that," he added.
Despite the belief that critical infrastructure networks can be 'isolated' or 'air gapped,' and cannot be attacked from the outside, hackers always find a touch point between the sensitive operational network and the open IT network, said Daniel Cohen Sason, software engineer manager for Cyberbit. This then "exposes the critical ICS/SCADA networks to external attacks. Since OT networks are based on legacy devices and non-standard protocols, network managers are often unaware of these touch points, which makes the threat of a hack even more likely than it was previously thought to be."
"The effect on public infrastructure could be a power outage, like we saw last year in Ukraine. Or, it could be something more serious like a Chernobyl-style catastrophe at a nuclear plant. The problem we often see is that critical infrastructure network operators are notoriously reluctant to introduce security products into their fragile, legacy networks, which leaves the door open to hackers with malicious intent," Sason said.
There's particular concern among the water supply and dams because there isn't a strong focus on security. "We see some crazy things when we go out and look at client environment in those industries," said Medairy, particularly with employees using traditional IoT devices for their personal use and connecting them to the internet while they're at work.
IoT products as a whole aren't built with enough security in place, according to Matt Scholl, computer security division chief for the National Institute of Standards and Technology (NIST), which produced a report in July on the topic and recommends a framework for improving critical infrastructure cybersecurity.
"It really would be nice if IoT products were built with a least functionality and a security capability as part of them. That would be awesome. And it would be great if us as a market...emphasized and incentivized that to IoT vendors. They will build it, but we have to come," Scholl said. "We need to somehow incentive and reward people who are doing security and reliability and privacy engineering into these products so that they will do it. Rather than waiting for the crisis to happen."
Timo Elliott, vice president and global innovation evangelist for SAP, said, "A lot of the IoT we've been looking at are consumer devices and they're woefully lacking in security because security is hard to set up. It's been an almost deliberate decision by manufacturers to make them easy to hack into."
"Every network is always under attack," Elliott said. "It's important to design these systems to prevent attacks. There will always be tiny cracks you can't find or block, like with bugs in your house. You need an onion approach with more layers."
The key to surviving such an attack is to recognize the reality that it will be impossible to keep every hacker from getting into the front door of an organization's network, Ramzan said.
"We can still prevent them from getting much past the front door, if they get in. The goal of an attacker isn't to compromise an IoT device or a server somewhere for its own sake -- they're after something deeper and more insidious for the attacker. There is time from the entry to the overall breach," Ramzan said, explaining that a company needs to figure out how to minimize that window and quickly detect the hacker to stop them from achieving their main goal, whatever that might be.
Companies spend a disproportionate amount on prevention, and that leaves nothing for dealing with detection and response after there's a breach. With Gartner predicting 6.4 billion connected devices by the end of this year, and upward of 21 billion connected devices by 2020, the risk of a hacker attacking public infrastructure will only get worse with time, Ramzan said.
"The real key in being able to solve that problem is going beyond visibility and coupling that with analytics," he said. "Analytics is about being able to glean meaningful nuggets of insight from that sea of noise. If you can do that intelligently then you can really provide an organization with prioritized lists of what they need to do to reduce their risks as quickly as possible. I call that 'the gap of grief.' Security is no longer an IT concern. It's a CEO board-level concern."