10/12/2012
11:11 AM

DOD: Hackers Breached U.S. Critical Infrastructure Control Systems

Defense secretary Leon Panetta says cyberattacks against critical infrastructure at home and abroad--some of which he called the worst to date--should spark urgent action against the hacker threat.

Hackers have infiltrated the control systems of U.S. critical infrastructure--systems that operate chemical, electricity, and water plants--and the need to develop new cyber capabilities and put in place effective policy to fight and deter attacks is as urgent as ever, Secretary of Defense Leon Panetta said in a speech Thursday night.

"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said in a speech to the Business Executives for National Security in New York City. "We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."

In his remarks, Panetta confirmed several recent cyber attacks against Saudi and Qatari energy companies that used the sophisticated Shamoon virus, calling the attacks "the most destructive that the private sector has seen to date." As Panetta noted, the Shamoon attacks "virtually destroyed" 30,000 computers owned by the Saudi oil company Aramco. "Imagine the impact an attack like that would have on your company or your business," he added.

Warning of more destructive attacks that could cause loss of life if successful, Panetta urged Congress to pass comprehensive legislation in the vein of the Cybersecurity Act of 2012, a bill co-sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., that failed to pass in its first attempt earlier this year by losing a cloture vote in the Senate.


"Congress must act and it must act now," he said. "This bill is victim to legislative and political gridlock like so much else in Washington. That frankly is unacceptable and it should be unacceptable not just to me, but to you and to anyone concerned with safeguarding our national security."

Specifically, Panetta called for legislation that would make it easier for companies to share "specific threat information without the prospect of lawsuits" while still respecting civil liberties. He also said that there must be "baseline standards" co-developed by the public and private sector to ensure the cybersecurity of critical infrastructure IT systems. The Cybersecurity Act of 2012 contained provisions that would arguably fit the bill on both of those accounts.

While Panetta said that "there is no substitute" for legislation, he noted that the Obama administration has been working on an executive order on cybersecurity as an end-around on Congress. "We need to move as far as we can" even in the face of Congressional inaction, he said. "We have no choice because the threat that we face is already here."

He added that the DOD has three priorities for improving its own ability to combat cyber attacks: investing more than $3 billion annually in cybersecurity to develop new capabilities, including recruiting and training new cyber warfare soldiers and developing new systems and techniques; pushing forward with new policy, including new cyber rules of engagement that are close to being finalized; and working ever closer with the private sector and other parts of government.

Although Panetta may have urged further action, he was also quick to point out that some gains have been made. For example, he said that the military had developed "the world's most sophisticated system to detect cyber intruders and attackers" and that other agencies had also stepped up to the plate.

Comments
Verdumont Monte,
User Rank: Apprentice
10/12/2012 | 5:40:32 PM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I thought all these "Critical" infrastructure components are not connected to internet.. What happened??
PJS880,
User Rank: Ninja
10/16/2012 | 7:12:20 AM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I thought that these particular infrastructure were, or definitely should be, impenetrable by security breaches. These plants are our electric, water and various other necessities that we as Americans use on a daily basis. You can bet your bottom dollar that if these services go down for any reason it would cause mass panic and no doubt there would be people hurt within the panic that takes place. These precautionary measures and disaster recovery plans need to be put into play way before one of these actual attacks occurs. If hackers can gain access to and actually gain control of these systems for the sole purpose of causing disaster, then what is next?

Paul Sprague
InformationWeek Contributor
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 7:51:33 PM
re: DOD: Hackers Breached U.S. Critical Infrastructure Control Systems
I have never read anything which referred to SCADA equipment as being anything other than interconnected permitting control from a distance (in other words they must transfer data between themselves using known methods). The concept of the SmartGrid itself is founded on interconnectivity and independence being able to regulate services on environmental conditions. Think of your water and electrical meters that now transmit consumption to the central office without the "meter readers" making their rounds but also smart houses where your appliances can be controlled through the internet and as usual the focus is on convenience and cost reduction not security in development. Anonymous and similar groups may now focus on nuisance DDoS activity, but as there is a market for avoiding telephone usage fees (Magic Jack) there will be a market for solutions to reduce or eliminate energy and utilities consumption.