Based on today’s indictment from the U.S. Department of Justice, a group of hackers working for the government of Iran conducted a targeted cyberattack in 2013 on the SCADA systems of the Bowman Avenue Dam in Rye Brook, N.Y. The attackers gained access to the dam’s operational systems, including temperature information, water levels, and the sluice gate. Only the fact that the gate had been manually disconnected from the system for maintenance prevented them from operating the gate.
This event is a reminder of how important it is for us to protect critical infrastructure, whether at the national, state, local, or private-sector level. Despite the relatively small size of this facility, this is a good example of how critical infrastructure is vulnerable to various actors. We should not look at the size of the particular body of water, dam, or power distribution facility. Larger facilities have similar systems, and they are vulnerable to similar exploits.
Cyberattack and cyber-exploitation tools and expertise are readily available to those willing to pay for them. An entire underground cyber-exploitation ecosystem has evolve through which the latest malware can be rented, including hacker services, to execute attacks. This magnifies the capabilities of a less-technical entity to launch sophisticated attacks.
Providers of critical infrastructure are increasingly aware of the importance of a strong cyberdefense, and most of them have been investing in this area for the past several years. Critical infrastructure is composed of many interconnected elements, far more so than the typical large enterprise, that extend into the physical world. That means that cyberattacks can potentially damage physical infrastructure and even threaten lives.
While the level of confidence in security defenses has been increasing over the last few years in this industry, according to a recent report on critical infrastructure readiness, the majority are also being intellectually honest about the ongoing risks of a serious event actually happening. About half (48%) believe it is likely that within three years there will be a cyberattack on critical infrastructure that will result in loss of life. It's mostly just a matter of resources, motivation, persistence, and opportunity.
Security Industry: Think And Act Differently
The appropriate response to this 3-year-old security breach -- and every other breach we read about -- is not the latest security gadget or scapegoat. The fragmented nature of multiple security solutions and the resulting complexity is part of the problem. Instead, since cyberattacks have become an ongoing part of our digital lives, we believe that the security industry, including vendors, partners, and customers, needs to think and act differently. We need to build a more complete picture of the real threats and our own security posture by sharing and collaborating better. That means sharing information in real-time between different products and services; sharing threat intelligence among organizations and governments; and collaborating quickly when threats are identified to protect critical resources and contain the potential damage.
One of the most interesting aspects of almost every security study we have done over the past few years is the critical part that human interactions play in security weaknesses. What we’re seeing in many industries is a combination of technical vulnerabilities and human ones, often referred to as “social engineering.” Whether it is a phishing campaign to steal credentials or social media tricks to increase the credibility of a malicious attachment, this is often the starting point to infiltrate the environment and launch a more complex attack.
Defending against this combination of human and technical exploits requires the collaboration of human and technical security defenses. Cyberspace has grown essential to every dimension of our lives so we should assign as much priority to protecting our digital resources as we do to protecting our physical security. Escalating cybersecurity tensions, both the breaches themselves and the public concern they cause, risk fragmenting the infrastructure, hindering innovation, and limiting the future prospects for technology.