Earlier this month, we introduced you to the beginning of a blog series based on impending security threats to our nation’s critical infrastructure establishments. This content has been developed into a list of “Truths” that will help critical infrastructure owners and stakeholders better protect themselves from escalating cyber threats. On January 15th we discussed the first truth, “‘Air Gaps’ Do Not Provide Infallible Protection Against Cyber Threats and APTs.”
Truth #2: Critical Infrastructure is a prime target
This week, we’ll discuss why critical infrastructure is a prime target for cyberattacks. As we mentioned before, software vulnerabilities have exposed critical infrastructures to malware and advanced persistent threats (APTs). Targeted attacks like these first became mainstream with the widely publicized Stuxnet malware.
Stuxnet painted a bull’s-eye on critical infrastructure worldwide that will stick for years to come. It provided a how-to guide for anyone wanting to perform cyberattacks on critical infrastructure. Experts warn that it could spawn imitators, some of which will attack U.S. facilities. The ‘security through obscurity’ that critical infrastructure providers have enjoyed for decades is no longer a viable option. Critical infrastructure cybersecurity has received too much attention since the Stuxnet story broke for obscurity to hold, and good guys and bad guys alike know cyber protection of critical infrastructure is a growth field.
Idaho National Laboratory (INL) is one of the federal government’s main sources of expertise on cybersecurity of critical infrastructure. INL predicts that between 2010 and 2015, critical infrastructure providers will:
- Expand their use of control systems, digital and Internet Protocol (IP) technologies and wireless communications
- Lag on implementing proper security for those technologies, increasing their overall unprotected exposure to cyber threats
- Run into much more frequent and complex cyber threats than ever before
- Serve as guinea pigs for attackers doing their own vulnerability research
Other factors will continue to make critical infrastructure providers attractive targets for cyberattacks. For instance, it’s notoriously hard, or even impossible, to change usernames and passwords or apply security patches to many ICS and SCADA systems. Consequently, providers’ networks are rife with older vulnerabilities – tempting targets for malicious hackers, who then don’t have to incur high costs to develop exploits for undiscovered weaknesses.
What’s more, successful cyberattacks on critical infrastructure will continue because Stuxnet proved such attacks could have profound economic and political ramifications – either by causing disasters on their own or multiplying the severity of existing crises.
Next week, we’ll discuss why no organization, big or small, can keep up with the onslaught of advanced attacks.