How Vulnerable is Critical Infrastructure to Cyber Attacks?

Public, financial and utility sectors of the U.S. economy are crucial components of society. Recent cyber breaches of federal agencies and high-profile financial companies signal a new wave in cyber warfare and speak to the need for all organizations to rethink their approaches to security.

The Grid

One of our biggest vulnerabilities is our utility infrastructure. Insurer Lloyd's of London and the University of Cambridge recently issued a report, Business Blackout, suggesting that a cyber attack on the energy grid could cost the U.S. economy as much as $1 trillion.

Utility companies rely on decades-old SCADA (supervisory control and data acquisition) systems to control our power, water, and gas systems, none of which was built with security in mind. These systems are often proprietary, not connected to the Internet, and typically have controlled physical access. But as we saw with the Stuxnet virus, this isn't enough to stop sophisticated attackers. Unfortunately, cyber adversaries are becoming more sophisticated, and attacks are coming from foreign governments and related actors as well as emergent groups like Anonymous.

Public Sector

Government entities are just as vulnerable as utilities despite having put many safeguards in place. The recent Office of Personnel Management attack is a prime example of adversaries going after indirect and less-protected information, such as employee records, to find highly sensitive data like information about intelligence agencies and their operations.

Another recent example is the attack against the Department of the Army's Content Delivery Network (CDN). In this case, the attacker never actually compromised an Army server. They were able to compromise the CDN and alter content going out to the public. The attack was graffiti-style vandalism with a political message, but if this type of attack had a different intent, the effects could have been devastating.

The Council on Foreign Relations maintains the Global Conflict Tracker, an interactive guide to U.S. conflict priorities. It is based on an ongoing survey of government officials, foreign policy experts and academics to assess ongoing and potential conflicts and their potential impact on U.S. interests.

Finance

The financial sector is well protected but is the highest priority target because of the value associated with its data. Every type of hacker covets financial information: criminals and organized crime want it for profit, and state-sponsored cyberwarfare groups want it too. Some groups "follow the money" to derive other sensitive information.

The Gauss malware is an example of a complex nation-state-sponsored cyber-espionage effort. Named for the eminent mathematician Carl Friedrich Gauss, the malware was developed specifically to go after financial information. Once released, it spread quickly but lay dormant on infected machines, waiting for a time, event, or instruction to become active. What's worse, the encrypted payload of the Gauss malware has yet to be cracked after years of research.

The impact of these types of sophisticated attacks could be devastating. For this reason, the MIT Sloan School of Management has put together an Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity to investigate ways to bring greater security to cyber and physical assets. Other public and industry groups are also addressing this area of growing concern.

Research from market research firm Gartner indicates that over half of the cyber security professionals recently surveyed said these types of targeted attacks are their biggest concern, but only 26% indicated it was a top spending priority.

About David Venable

VP, Cybersecurity, Masergy
David Venable, Vice President of Cyber Security at Masergy Communications, has over 15 years of experience in information security, with expertise in cryptography, network and application security, vulnerability assessments, penetration testing, and compliance. David is a former intelligence collector with the National Security Agency, with extensive experience in Computer Network Exploitation, Information Operations, and Digital Network Intelligence. He also served as adjunct faculty at the National Cryptologic School.