Last month the U.S. Department of Homeland Security issued alerts warning that a group of unidentified hackers is carrying out an ongoing cyber attack on U.S. gas pipeline companies. The DHS alerts indicated that the hackers are using a technique called “spear-phishing” to steal passwords with the aim of accessing pipeline control systems.
To get a better feel for the actual threat these attacks represent for critical infrastructure here in the United States, I reached out to George Waller, co-founder of StrikeForce Technologies Inc., a provider of out-of-band authentication, keystroke encryption and mobile security to prevent online identity theft and data breaches. Mr. Waller had some pretty unsettling information to share—so much so that I’m left wondering if it’s just a matter of time before a large-scale cyber attack brings our critical infrastructure information systems to a shuddering halt (or worse). Below are some excerpts from my conversation with Mr. Waller. If you have comments or thoughts about the state of industrial cyber security, I encourage you to visit the “Flow Control Magazine” group on LinkedIn to join in on our cyber security discussion.
Q: Why are U.S. pipeline companies a particularly attractive target for cyber attacks?
A: If a hacker were to gain access into a corporate network that controlled vital industrial control processes, those systems, if infiltrated, could allow hackers to manipulate pressure and other control system settings, potentially reaping explosions or other dangerous conditions.
Q: How prepared are U.S. pipeline companies (and industry in general) to protect themselves against the threat of cyber attacks?
A: Not prepared enough, as evidenced in the recent Verizon and Symantec Breach reports. Organizations of all sizes are under attack, and the passive-reactive technologies that they are using to protect themselves are no match for today’s sophisticated hacker.
Q: What should pipeline and industrial companies in general be doing to protect themselves against cyber attacks in the near term?
A: They need to look at the facts and address the issues; the recent Verizon Breach report, which is very comprehensive, zeroes in on the main attack vectors. Organizations must protect the two highly targeted areas that account for the majority of breaches and data losses: they must protect from “Data & Credential Loss” by using keystroke encryption, and they must protect from unwanted remote access.
Q: Looking further down the road, how concerned should U.S. industry be about cyber attacks, and what should industry be doing to limit the threat of cyber attacks?
A: U.S. industries should be very concerned. Cyber attacks are growing by the day, and it’s only a matter of time until a cyber attack hurts or kills innocent people. Data loss protection and remote access authentication need to be established as critical protection points; and if industries cannot agree to self-monitor, then the government needs to establish a regulatory commission, such as with the nuclear industry.
Q: Do you believe there will be legislative mandates requiring a certain level of cyber security for critical infrastructure companies operating in the U.S.?
A: Yes. It is our experience that until an organization is held accountable by a set of regulations or mandates, they will rarely go beyond the minimum prevention. However, having a mandate and not enforcing it is like not having one at all. If you are going to impose a mandate/regulation, then you must police it, and hold people accountable for noncompliance.