10/12/2012
11:11 AM

DOD: Hackers Breached U.S. Critical Infrastructure Control Systems

Defense Secretary Leon Panetta says cyberattacks against critical infrastructure at home and abroad--some of which he called the worst to date--should spark urgent action against the hacker threat.

Hackers have infiltrated the control systems of U.S. critical infrastructure--systems that operate chemical, electricity, and water plants--and the need to develop new cyber capabilities and put in place effective policy to fight and deter attacks is as urgent as ever, Secretary of Defense Leon Panetta said in a speech Thursday night.

"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said in a speech to the Business Executives for National Security in New York City. "We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."

In his remarks, Panetta confirmed several recent cyber attacks against Saudi and Qatari energy companies that used the sophisticated Shamoon virus, calling the attacks "the most destructive that the private sector has seen to date." As Panetta noted, the Shamoon attacks "virtually destroyed" 30,000 computers owned by the Saudi oil company Aramco. "Imagine the impact an attack like that would have on your company or your business," he added.

Warning of more destructive attacks that could cause loss of life if successful, Panetta urged Congress to pass comprehensive legislation in the vein of the Cybersecurity Act of 2012, a bill co-sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., that failed to pass in its first attempt earlier this year by losing a cloture vote in the Senate.

"Congress must act and it must act now," he said. "This bill is victim to legislative and political gridlock like so much else in Washington. That frankly is unacceptable and it should be unacceptable not just to me, but to you and to anyone concerned with safeguarding our national security."

Specifically, Panetta called for legislation that would make it easier for companies to share "specific threat information without the prospect of lawsuits" while still respecting civil liberties. He also said that there must be "baseline standards" co-developed by the public and private sector to ensure the cybersecurity of critical infrastructure IT systems. The Cybersecurity Act of 2012 contained provisions that would arguably fit the bill on both of those accounts.

While Panetta said that "there is no substitute" for legislation, he noted that the Obama administration has been working on an executive order on cybersecurity as an end-around on Congress. "We need to move as far as we can" even in the face of Congressional inaction, he said. "We have no choice because the threat that we face is already here."

He added that the DOD has three priorities for improving its own ability to combat cyber attacks: investing more than $3 billion annually in cybersecurity to develop new capabilities, including recruiting and training new cyber warfare soldiers and developing new systems and techniques; pushing forward with new policy, including new cyber rules of engagement that are close to being finalized; and working ever closer with the private sector and other parts of government.

Although Panetta may have urged further action, he was also quick to point out that some gains have been made. For example, he said that the military had developed "the world's most sophisticated system to detect cyber intruders and attackers" and that other agencies had also stepped up to the plate.

Comments
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 7:51:33 PM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I have never read anything which referred to SCADA equipment as being anything other than interconnected permitting control from a distance (in other words they must transfer data between themselves using known methods). The concept of the SmartGrid itself is founded on interconnectivity and independence being able to regulate services on environmental conditions. Think of your water and electrical meters that now transmit consumption to the central office without the "meter readers" making their rounds but also smart houses where your appliances can be controlled through the internet and as usual the focus is on convenience and cost reduction not security in development. Anonymous and similar groups may now focus on nuisance DDoS activity, but as there is a market for avoiding telephone usage fees (Magic Jack) there will be a market for solutions to reduce or eliminate energy and utilities consumption.
PJS880,
User Rank: Ninja
10/16/2012 | 7:12:20 AM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I thought that these particular infrastructure were, or definitely should be, impenetrable by security breaches. These plants are our electric, water and various other necessities that we as Americans use on a daily basis. You can bet your bottom dollar that these services go down for any reason it would cause mass panic and no doubt there would be people hurt within the panic that takes place. These precautionary measures and disaster recovery plans need to be put into play way before one of these actual attacks occurred. If hackers can gain access to and actually gain control of these systems for the sole purpose of causing disaster, then what is next?

Paul Sprague
InformationWeek Contributor
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:40:32 PM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I thought all these "Critical" infrastructure components are not connected to internet.. What happened??