Which Critical Infrastructure Attack Will Be Our Bangladesh Factory Collapse?

Critical infrastructure security is finally getting the attention it deserves; let’s hope that it is enough to prevent a major disaster.

Scott Montgomery, VP and CTO-Americas & Public Sector, Intel Security

April 18, 2016

3 Min Read

Factory fires, mine explosions, collapsed buildings, and other workplace accidents that kill and injure workers have led to occupational health and safety laws in most countries. When workers are not killed or injured, but could have been, these events are referred to as “serious potential incidents.”

In workplaces around the world, we are seeing serious potential incidents from cyberattacks instead of unsafe conditions, machinery, or chemicals. This trend is worrisome for a couple of reasons:

  1. Some of these attacks are conducted with an intent to harm.

  2. The potential for injuries or fatalities is substantial.

Most industrial and critical infrastructure organizations will admit to being probed or attacked on a frequent basis, without success. However, there have been several serious potential incidents in the past couple of years where cyberattacks came close to causing significant harm, including a dam in suburban New York, steel foundry in Germany, and electrical substations in Ukraine.

Flood-Control Dam, New York

Recent indictments against some Iranian hackers by the U.S. Department of Justice have brought renewed publicity to the hacking of a small flood-control dam in suburban New York. In this case, the hackers appear to have stumbled across an unprotected computer at the dam using a search technique known as Google dorking. Using specific search terms on the standard, publicly available Google search-engine, hackers can discover computers, login portals, and other access points that are unintentionally connected to the public Internet. This does not appear to have been a preplanned or coordinated attack, and the hackers could not open or close the primary sluice gate because it was still in manual mode. However, with a 20-foot high-water mark and a neighboring middle school, the potential for death or serious injury from even this small dam is significant.

Steel Foundry, Germany

A preplanned cyberattack that caused a significant amount of damage happened a few years ago against a steel foundry in Germany. In this case, the attackers used spear phishing emails to steal credentials and gain access to the foundry’s business systems. Once inside, the hackers took time to explore the network and found a way to get from the business network to the industrial operations. Demonstrating a sophisticated knowledge of industrial controls and processes, the hackers explored the systems and, whether intentionally or accidentally, caused a series of malfunctions that resulted in more than $1 million in damage to a blast furnace. If the intent was not damage or sabotage to the foundry, what damage could they have caused, perhaps by affecting the quality of steel intended for a bridge or office building?

Electrical Grid, Ukraine

Finally, a sophisticated and methodical attack in December 2015 shut down more than 50 electrical substations in Ukraine, affecting more than 200,000 people who were without power for up to six hours. This attack also started with spear-phishing emails that stole credentials and installed malware, months or even years before the outage. Using their access, the hackers explored the systems, quietly getting closer to the control systems. In addition to turning off the power, this group also made it difficult to restore power, modifying firmware, corrupting master boot records, and even running a denial-of-service attack against the call center. In this case, the business and operations systems were segregated, but allowed VPN access to the SCADA network. The power was out for only six hours, but months later the substations are still working to recover full functionality of the corrupted systems, and most of the substations are still on manual control.

What Will It Take For Us To Secure Our Infrastructure?

Which security incident in the future will become as infamous as the Bangladesh factory collapse that killed more than 300 workers, the Triangle Shirtwaist factory fire where 146 perished, or the non-fatal but embarrassing collapse of the Tacoma Narrows Bridge? Critical infrastructure security is finally getting the attention it deserves; let’s hope that it is enough to prevent a major disaster.

About the Author(s)

Scott Montgomery

VP and CTO-Americas & Public Sector, Intel Security

Scott Montgomery is vice president and chief technology officer for the Americas and public sector at Intel Security. He runs worldwide government certification efforts and works with industry and government thought leaders and worldwide public sector customers to ensure that technology, standards, and implementations meet information security and privacy challenges. His dialog with the market helps him drive government and cybersecurity requirements into McAfee's products and services portfolio and guide Intel Security's policy strategy for the public sector, critical infrastructure, and threat intelligence.

With more than 15 years in content and network security, Montgomery brings a practitioner's perspective to the art and science of cybersecurity. He has designed, built, tested, and certified information security and privacy solutions-including firewalls, intrusion prevention systems, encryption, vulnerability scanners, network visibility tools, mail and web gateways, strong authentication tokens, embedded systems, and more. Prior to its acquisition by McAfee, Montgomery ran worldwide product management and corporate strategy for Secure Computing, designing and building products like Sidewinder (now McAfee Firewall Enterprise), Webwasher (now McAfee Web Gateway), and Ironmail (now McAfee Email Gateway).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights