Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

3/20/2018
02:30 PM
Amit Yoran
Amit Yoran
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Critical Infrastructure: Stop Whistling Past the Cyber Graveyard

An open letter to former colleagues in Homeland Security, peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians.

I woke up to a cyberattack double-whammy that frankly made me want to go straight back to bed.

First, the Department of Homeland Security and the FBI issued an alert about the Russian government's targeting of US critical infrastructure — nuclear power plants, chemical plants, heavy manufacturing facilities, and so on. The joint alert was an extraordinary and unprecedented move by two agencies that traditionally have avoided pointing the finger at nation-state actors. From my time as the founding director of the United States Computer Emergency Readiness Team (US-CERT), I can say this is highly unusual.

As if that were not enough, the New York Times published a lengthy analysis of a cyberattack on a Saudi petrochemical plant that took place in the summer of 2017. Though investigators have yet to publish their findings as to who was behind the attack and what the attackers hoped to achieve, cyber experts speaking on the condition of anonymity told the Times that they believe the attack was intended to cause an explosion and kill or injure hundreds of people.

These scenarios may read like a summary of the latest must-see episode from Homeland or the latest superhero flick, but they're not fiction — far from it. They reflect the stark and sobering reality of living in our digital-everything world. The fact that they are surprising to anybody is the most shocking (and some might say terrifying) thing of all. According to a study of the oil and gas industry by the Ponemon Institute, 68% of respondents report at least one security compromise. As recently as last year, the Department of Energy reported that the American electrical grid was in "imminent danger" from cyberattacks that are "growing more frequent and sophisticated."

The signs are all around us and they're multiplying and growing more strident. At best, the string of cyberattacks on petrochemical plants in Saudi Arabia is an alarming reminder of the threats facing critical infrastructure everywhere. At worst, they're a stark warning, if not a promise, of what's to come.

Let me put this another way: all of the hand-wringing and face-palming in Congress and in the media over the Equifax breach, which jeopardized the personal information of roughly 148 million Americans, will look like a walk in the park compared to what happens should a US energy facility be successfully attacked. And with reason. It's the difference between damages that can be more easily dismissed as a nuisance — a compromised driver's license number, for example — versus those with the potential to wreak widespread havoc in our communities. We're talking about the kind of cyberattack that jumps the digital divide and does physical damage with the intent to injure or kill people.

Securing decades-old power plants and manufacturing facilities that were deemed safe from cyberattack precisely because they were never designed to be connected to digital devices is incredibly complex, and I acknowledge that. But the fact is that these plants were designed for the old-school way of doing things, not for a digital world brimming with smart, connected heaters, window shades, cars, and phones.

We must view these attacks as an urgent call to change the way we handle the threats targeting the world's most valuable and vulnerable systems. Otherwise, the next story won't be about what could have happened. It'll be about the real-world consequences of what did happen. We'll be looking in the rearview mirror asking ourselves why we, collectively, were asleep at the proverbial wheel.

Securing the critical infrastructure that powers our modern lives has to be made a global priority. This is a sacred trust shared by both private and public sectors. This is an all-hands effort for cybersecurity — my former colleagues in Homeland Security, my peers in private sector cybersecurity firms, those who own and operate critical systems, academics, and politicians — to come together to address this issue now. We can't solve the security challenges facing these delicate, mission-critical systems by working in isolation. Industry experts and government agencies around the world need to work together to develop modern standards, processes, and regulations to address today's modern threat landscape. Let's start by protecting the systems that matter most.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Amit Yoran is chairman and CEO of Tenable, overseeing the company's strategic vision and direction. As the threat landscape expands, Amit is leading Tenable into a new era of security solutions, empowering organizations to meet the challenges of evolving threats with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Bob Huber Tenable
50%
50%
Bob Huber Tenable,
User Rank: Author
7/30/2019 | 1:23:05 PM
Progress, 13 years later
As someone that started working to secure ICS/OT for a national lab back in 2006, there has been tremendous progress in the space, albeit, at a slow pace. Up until recently, companies that developed products to secure ICS/OT didn't have a market. There were no buyers; no one responsible for ICS/OT security; hence the reason that the government and national labs weighed in to the fray. We've now become self aware, the market has matierialized and we're finally holding conversations that I only dreamed of 13 years ago. The attack surface for ICS/OT has expanded rapidly during that timeframe and our technologies just aren't quite there to protect them, yet. What to do in light of that? One, know what you have - identify your key ICS/OT cyber terrain. Two, operate as if you're ICS/OT is compromised already. Three, prioritze your risk and be sure to include safety/all hazards into your analysis, not just cyber. As Amit correctly noted, "It'll be about the real-world consequences".
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.