Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

3/20/2018
02:30 PM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Critical Infrastructure: Stop Whistling Past the Cyber Graveyard

An open letter to former colleagues in Homeland Security, peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians.

I woke up to a cyberattack double-whammy that frankly made me want to go straight back to bed.

First, the Department of Homeland Security and the FBI issued an alert about the Russian government's targeting of US critical infrastructure — nuclear power plants, chemical plants, heavy manufacturing facilities, and so on. The joint alert was an extraordinary and unprecedented move by two agencies that traditionally have avoided pointing the finger at nation-state actors. From my time as the founding director of the United States Computer Emergency Readiness Team (US-CERT), I can say this is highly unusual.

As if that were not enough, the New York Times published a lengthy analysis of a cyberattack on a Saudi petrochemical plant that took place in the summer of 2017. Though investigators have yet to publish their findings as to who was behind the attack and what the attackers hoped to achieve, cyber experts speaking on the condition of anonymity told the Times that they believe the attack was intended to cause an explosion and kill or injure hundreds of people.

These scenarios may read like a summary of the latest must-see episode from Homeland or the latest superhero flick, but they're not fiction — far from it. They reflect the stark and sobering reality of living in our digital-everything world. The fact that they are surprising to anybody is the most shocking (and some might say terrifying) thing of all. According to a study of the oil and gas industry by the Ponemon Institute, 68% of respondents report at least one security compromise. As recently as last year, the Department of Energy reported that the American electrical grid was in "imminent danger" from cyberattacks that are "growing more frequent and sophisticated."

The signs are all around us and they're multiplying and growing more strident. At best, the string of cyberattacks on petrochemical plants in Saudi Arabia is an alarming reminder of the threats facing critical infrastructure everywhere. At worst, they're a stark warning, if not a promise, of what's to come.

Let me put this another way: all of the hand-wringing and face-palming in Congress and in the media over the Equifax breach, which jeopardized the personal information of roughly 148 million Americans, will look like a walk in the park compared to what happens should a US energy facility be successfully attacked. And with reason. It's the difference between damages that can be more easily dismissed as a nuisance — a compromised driver's license number, for example — versus those with the potential to wreak widespread havoc in our communities. We're talking about the kind of cyberattack that jumps the digital divide and does physical damage with the intent to injure or kill people.

Securing decades-old power plants and manufacturing facilities that were deemed safe from cyberattack precisely because they were never designed to be connected to digital devices is incredibly complex, and I acknowledge that. But the fact is that these plants were designed for the old-school way of doing things, not for a digital world brimming with smart, connected heaters, window shades, cars, and phones.

We must view these attacks as an urgent call to change the way we handle the threats targeting the world's most valuable and vulnerable systems. Otherwise, the next story won't be about what could have happened. It'll be about the real-world consequences of what did happen. We'll be looking in the rearview mirror asking ourselves why we, collectively, were asleep at the proverbial wheel.

Securing the critical infrastructure that powers our modern lives has to be made a global priority. This is a sacred trust shared by both private and public sectors. This is an all-hands effort for cybersecurity — my former colleagues in Homeland Security, my peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians — to come together to address this issue now. We can't solve the security challenges facing these delicate, mission-critical systems by working in isolation. Industry experts and government agencies around the world need to work together to develop modern standards, processes, and regulations to address today's modern threat landscape. Let's start by protecting the systems that matter most.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bob Huber Tenable
50%
50%
Bob Huber Tenable,
User Rank: Author
7/30/2019 | 1:23:05 PM
Progress, 13 years later
As someone that started working to secure ICS/OT for a national lab back in 2006, there has been tremendous progress in the space, albeit, at a slow pace. Up until recently, companies that developed products to secure ICS/OT didn't have a market. There were no buyers; no one responsible for ICS/OT security; hence the reason that the government and national labs weighed in to the fray. We've now become self aware, the market has matierialized and we're finally holding conversations that I only dreamed of 13 years ago. The attack surface for ICS/OT has expanded rapidly during that timeframe and our technologies just aren't quite there to protect them, yet. What to do in light of that? One, know what you have - identify your key ICS/OT cyber terrain. Two, operate as if you're ICS/OT is compromised already. Three, prioritze your risk and be sure to include safety/all hazards into your analysis, not just cyber. As Amit correctly noted, "It'll be about the real-world consequences".
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-5271
PUBLISHED: 2019-11-12
Pacemaker before 1.1.6 configure script creates temporary files insecurely
CVE-2014-3599
PUBLISHED: 2019-11-12
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
CVE-2014-7143
PUBLISHED: 2019-11-12
Python Twisted 14.0 trustRoot is not respected in HTTP client
CVE-2018-18819
PUBLISHED: 2019-11-12
A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creat...
CVE-2019-18658
PUBLISHED: 2019-11-12
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlin...