Dark Reading is part of the Informa Tech Division of Informa PLC

As Congress Debates Critical Infrastructure Security, Danger Grows

Security experts warn that new tools make it easier than ever to attack critical infrastructure control systems, as Congress debates legislative action.

How long might it take to properly secure the systems that comprise the critical infrastructure? Try 25 years, give or take half a decade.

As debate in the Senate intensifies over whether businesses should be required to secure critical infrastructure systems, security experts at the RSA conference in San Francisco last week warned that whatever decisions get made now, the related security issues could persist for decades.

"The replacement cycle in critical infrastructure is 20 to 30 years. So, right now, most of the U.S. critical infrastructure is running on software developed 25 years ago," said Roel Schouwenberg, senior researcher at Kaspersky Lab, speaking at RSA.

With that timeline in mind, should the government require private businesses in critical infrastructure sectors to begin implementing better information security practices, including improved control system security? That's one question being debated now in Congress.

Two Senate bills have proposed different approaches to the problem. The Cybersecurity Act of 2012, introduced last month by Sen. Joe Lieberman (I-Conn.), together with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller (D-W.Va.), would give the Department of Homeland Security the ability to regulate the information security practices of businesses involved in the critical infrastructure sector. It would also require them to participate in threat intelligence sharing with the government.

Some Republican senators, however, have criticized the Lieberman-Collins bill, saying it would add to businesses' regulatory burden, and possibly duplicate existing Department of Defense security initiatives. As a more hands-off alternative, eight high-ranking Republican senators Thursday introduced a bill they've dubbed Secure IT.

"The centerpiece of this legislation is a framework for voluntary information sharing," said John McCain (R-Ariz.), the ranking member of the Armed Services Committee, at a news conference to announce the bill. Known in longhand as the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act, the bill's backers also include GOP Senators Kay Bailey Hutchison (R-Texas), Chuck Grassley (R-Iowa), Saxby Chambliss (R-Ga.), Lisa Murkowski (R-Alaska), and Dan Coats (R-Ind.).

Similarly, a group of House Republicans has introduced a bill that focuses on information sharing. "Regulation is not favored by our caucus in the House; we would prefer that the private sector do what they can to protect their own investments," said Kevin Gronberg, senior counsel to the Committee on Homeland Security in the U.S. House of Representatives, speaking at RSA. "But that being said, we need to make sure that the private sector has the appropriate information it needs to protect their investment, to protect their networks, which they know better than anyone else."

Sen. Hutchison, who's the ranking member of the Senate committee on commerce, science, and transportation, has said the GOP senators hope to synchronize their proposed bill with the Lieberman-Collins bill.

Some security experts, however, have questioned whether information sharing alone will resolve current critical infrastructure security shortcomings. "After Stuxnet, I got quite involved with the U.S. critical infrastructure, and what's very clear to me is that unless things are mandated by D.C., nothing is changing," said Kaspersky Lab's Schouwenberg. "These companies are being run for the bottom line, and there's simply no budget for anything that's not being mandated by D.C."

In the meantime, growing interest in control system vulnerabilities by the security research community has been lowering the bar for any would-be control system attacker. Last month, for example, a number of recent vulnerabilities were added to Metasploit, a free toolkit that can be used to penetration test--or simply attack--systems that contain known vulnerabilities. "That's allowing people who are not necessarily very knowledgeable about these systems to go out and affect them," said control system security expert Joe Weiss, who heads Applied Control Solutions, via phone. "Because some of the vendors haven't fixed any of this yet."

While vendors may not be rapidly fixing vulnerabilities in their industrial control system software, even when such patches do get released, many businesses also don't rush to install them.

Furthermore, would-be attackers can easily locate Internet-connected control systems--many of which were never designed to be connected to the Internet, and which lack appropriate safeguards--using a search tool such as Shodan. "Many of the people that operate these devices probably don't even realize that they're Internet-facing, so that's a concern," said Jenny Menna, director of critical infrastructure cyber protection and awareness for the National Cyber Security Division of the Department of Homeland Security.
