Risk
10/12/2012
11:11 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

DOD: Hackers Breached U.S. Critical Infrastructure Control Systems

Defense secretary Leon Panetta says cyberattacks against critical infrastructure at home and abroad--some of which he called the worst to date--should spark urgent action against the hacker threat.

14 Amazing DARPA Technologies On Tap
14 Amazing DARPA Technologies On Tap
(click image for larger view and for slideshow)
Hackers have infiltrated the control systems of U.S. critical infrastructure--systems that operate chemical, electricity, and water plants--and the need to develop new cyber capabilities and put in place effective policy to fight and deter attacks is as urgent as ever, secretary of Defense Leon Panetta said in a speech Thursday night.

"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said in a speech to the Business Executives for National Security in New York City. "We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."

In his remarks, Panetta confirmed several recent cyber attacks against Saudi and Qatari energy companies that used the sophisticated Shamoon virus, calling the attacks "the most destructive that the private sector has seen to date." As Panetta noted, the Shamoon attacks "virtually destroyed" 30,000 computers owned by the Saudi oil company Aramco. "Imagine the impact an attack like that would have on your company or your business," he added.

Warning of more destructive attacks that could cause loss of life if successful, Panetta urged Congress to pass comprehensive legislation in the vein of the Cybersecurity Act of 2012, a bill co-sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., that failed to pass in its first attempt earlier this year by losing a cloture vote in the Senate.

[ Among many competing priorities in a tight budget, Cybersecurity Tops Federal IT Priorities List. ]

"Congress must act and it must act now," he said. "This bill is victim to legislative and political gridlock like so much else in Washington. That frankly is unacceptable and it should be unacceptable not just to me, but to you and to anyone concerned with safeguarding our national security."

Specifically, Panetta called for legislation that would make it easier for companies to share "specific threat information without the prospect of lawsuits" but while still respecting civil liberties. He also said that there must be "baseline standards" co-developed by the public and private sector to ensure the cybersecurity of critical infrastructure IT systems. The Cybersecurity Act of 2012 contained provisions that would arguably fit the bill on both of those accounts.

While Panetta said that "there is no substitute" for legislation, he noted that the Obama administration has been working on an executive order on cybersecurity as an end-around on Congress. "We need to move as far as we can" even in the face of Congressional inaction, he said. "We have no choice because the threat that we face is already here."

He added that the DOD has three priorities for improving its own ability to combat cyber attacks: investing more than $3 billion annually in cybersecurity to develop new capabilities, including recruiting and training new cyber warfare soldiers and developing new systems and techniques; pushing forward with new policy, including new cyber rules of engagement that are close to being finalized; and working ever closer with the private sector and other parts of government.

Although Panetta may have urged further action, he was also quick to point out that some gains have been made. For example, he said that the military had developed "the world's most sophisticated system to detect cyber intruders and attackers" and that other agencies had also stepped up to the plate.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 7:51:33 PM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I have never read anything which referred to SCADA equipment as being anything other than interconnected permitting control from a distance (in other words they must transfer data between themselves using known methods). The concept of the SmartGrid itself is founded on interconnectivity and independence being able to regulate services on environmental conditions. Think of your water and electrical meters that now transmit consumption to the central office without the "meter readers" making their rounds but also smart houses where your appliances can be controlled through the internet and as usual the focus is on convenience and cost reduction not security in development. Anonymous and similar groups may now focus on nuisance DDoS activity, but as there is a market for avoiding telephone usage fees (Magic Jack) there will be a market for solutions to reduce or eliminate energy and utilities consumption.
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/16/2012 | 7:12:20 AM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I though that these particular infrastructure were, or definitely should be, impenetrable by security breeches. These plants are our electric, water and various other necessities that we as Americans use on a daily basis. You can bet your bottom dollar that these services go down for any reason it would cause mass panic and no doubt there would be people hurt within the panic that takes place. These precautionary measures and disaster recovery plans need to put into play way before one of these actual attacks occurred. If hackers can gain access to and actual gain control of these systems for the sole purpose of causing disaster, then what is next?

Paul Sprague
InformationWeek Contributor
Verdumont Monte
50%
50%
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:40:32 PM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I thought all these "Critical" infrastructure components are not connected to internet.. What happened??
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.