The cybersecurity community has warned for years that the nation's critical infrastructure (the transportation, banking, electric, and oil and gas sectors, for example) is vulnerable to hackers or nation states looking to crash the computer networks that support that infrastructure. A serious attack has yet to materialize.
But it's just a matter of time, warns Aaron Turner, a cybersecurity specialist with the Energy Department's Idaho National Laboratory. In a column posted Friday on csoonline.com, Turner argues that "the pervasive use of technology, drive to ubiquitous connectivity and reduction in human oversight in control system have introduced critical vulnerabilities in our infrastructure."
The Idaho lab where Turner works has conducted 12 control system reviews (funded by the Energy and Homeland Security departments) and "found that all of the evaluated systems suffer from high-impact security vulnerabilities that could be exploited by a low-skill-level attacker, using techniques that do not require physical access to systems." Turner writes that owners of the critical infrastructure cannot secure the systems without introducing errors that would affect the networks' stability and performance.
Turner cites a recent paper published by IBM that reports hackers are just now organizing into a mature industry and will eventually seek to extort money from the owners and operators of the nation's critical infrastructure. Based on how other industries were infiltrated, the attacks will start small and focus on economic gains, followed by the dissemination of tools to discover vulnerabilities in the networks, and then by "large-scale incidents designed to reduce confidence in the infrastructure systems," Turner writes.
To better defend the networks, Turner stresses that the United States must educate all sectors of the economy about the risks and then, working with the private sector, provide the minimum technology standards that will guard against the attacks.