Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

3/20/2018
02:30 PM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

Critical Infrastructure: Stop Whistling Past the Cyber Graveyard

An open letter to former colleagues in Homeland Security, peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians.

I woke up to a cyberattack double-whammy that frankly made me want to go straight back to bed.

First, the Department of Homeland Security and the FBI issued an alert about the Russian government's targeting of US critical infrastructure — nuclear power plants, chemical plants, heavy manufacturing facilities, and so on. The joint alert was an extraordinary and unprecedented move by two agencies that traditionally have avoided pointing the finger at nation-state actors. From my time as the founding director of the United States Computer Emergency Readiness Team (US-CERT), I can say this is highly unusual.

As if that were not enough, the New York Times published a lengthy analysis of a cyberattack on a Saudi petrochemical plant that took place in the summer of 2017. Though investigators have yet to publish their findings as to who was behind the attack and what the attackers hoped to achieve, cyber experts speaking on the condition of anonymity told the Times that they believe the attack was intended to cause an explosion and kill or injure hundreds of people.

These scenarios may read like a summary of the latest must-see episode from Homeland or the latest superhero flick, but they're not fiction — far from it. They reflect the stark and sobering reality of living in our digital-everything world. The fact that they are surprising to anybody is the most shocking (and some might say terrifying) thing of all. According to a study of the oil and gas industry by the Ponemon Institute, 68% of respondents report at least one security compromise. As recently as last year, the Department of Energy reported that the American electrical grid was in "imminent danger" from cyberattacks that are "growing more frequent and sophisticated."

The signs are all around us and they're multiplying and growing more strident. At best, the string of cyberattacks on petrochemical plants in Saudi Arabia is an alarming reminder of the threats facing critical infrastructure everywhere. At worst, they're a stark warning, if not a promise, of what's to come.

Let me put this another way: all of the hand-wringing and face-palming in Congress and in the media over the Equifax breach, which jeopardized the personal information of roughly 148 million Americans, will look like a walk in the park compared to what happens should a US energy facility be successfully attacked. And with reason. It's the difference between damages that can be more easily dismissed as a nuisance — a compromised driver's license number, for example — versus those with the potential to wreak widespread havoc in our communities. We're talking about the kind of cyberattack that jumps the digital divide and does physical damage with the intent to injure or kill people.

Securing decades-old power plants and manufacturing facilities that were deemed safe from cyberattack precisely because they were never designed to be connected to digital devices is incredibly complex, and I acknowledge that. But the fact is that these plants were designed for the old-school way of doing things, not for a digital world brimming with smart, connected heaters, window shades, cars, and phones.

We must view these attacks as an urgent call to change the way we handle the threats targeting the world's most valuable and vulnerable systems. Otherwise, the next story won't be about what could have happened. It'll be about the real-world consequences of what did happen. We'll be looking in the rearview mirror asking ourselves why we, collectively, were asleep at the proverbial wheel.

Securing the critical infrastructure that powers our modern lives has to be made a global priority. This is a sacred trust shared by both private and public sectors. This is an all-hands effort for cybersecurity — my former colleagues in Homeland Security, my peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians — to come together to address this issue now. We can't solve the security challenges facing these delicate, mission-critical systems by working in isolation. Industry experts and government agencies around the world need to work together to develop modern standards, processes, and regulations to address today's modern threat landscape. Let's start by protecting the systems that matter most.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bob Huber Tenable
50%
50%
Bob Huber Tenable,
User Rank: Author
7/30/2019 | 1:23:05 PM
Progress, 13 years later
As someone that started working to secure ICS/OT for a national lab back in 2006, there has been tremendous progress in the space, albeit, at a slow pace. Up until recently, companies that developed products to secure ICS/OT didn't have a market. There were no buyers; no one responsible for ICS/OT security; hence the reason that the government and national labs weighed in to the fray. We've now become self aware, the market has matierialized and we're finally holding conversations that I only dreamed of 13 years ago. The attack surface for ICS/OT has expanded rapidly during that timeframe and our technologies just aren't quite there to protect them, yet. What to do in light of that? One, know what you have - identify your key ICS/OT cyber terrain. Two, operate as if you're ICS/OT is compromised already. Three, prioritze your risk and be sure to include safety/all hazards into your analysis, not just cyber. As Amit correctly noted, "It'll be about the real-world consequences".
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-0404
PUBLISHED: 2019-12-11
SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading to Information Disclosure.
CVE-2019-0405
PUBLISHED: 2019-12-11
SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to construct a list of users, leading to a user enumeration vulnerability and Information Disclosure.
CVE-2019-0395
PUBLISHED: 2019-12-11
SAP BusinessObjects Business Intelligence Platform (Fiori BI Launchpad), before version 4.2, allows execution of JavaScript in a text module in Fiori BI Launchpad, leading to Stored Cross Site Scripting vulnerability.
CVE-2019-0398
PUBLISHED: 2019-12-11
Due to insufficient CSRF protection, SAP BusinessObjects Business Intelligence Platform (Monitoring Application), before versions 4.1, 4.2 and 4.3, may lead to an authenticated user to send unintended request to the web server, leading to Cross Site Request Forgery.
CVE-2019-0399
PUBLISHED: 2019-12-11
SAP Portfolio and Project Management, before versions S4CORE 102, 103, EPPM 100 and CPRXRPM 500_702, 600_740, 610_740; unintentionally allows a user to discover accounting information of the Projects in Project dashboard, leading to Information Disclosure.