Through the first half of this year, the number of U.S. data breaches reached a record 791, which is 29 percent higher than a year ago. And a survey of leading security experts at the Black Hat conference in Las Vegas, Nevada, last month found that 60 percent believed there will be a successful attack on the nation’s critical infrastructure within two years. Meanwhile, in meeting rooms throughout the week during the conference, attendees saw hypothetical hacking demonstrations of cars, banks, Internet of Things devices, air traffic control systems, power grids and industrial control networks.
While it’s tempting to focus on recent headline-grabbing ransomware attacks, such as WannaCry and Petya, top security executives are becoming more concerned than ever about the vulnerability of the world’s critical infrastructure, which has been classified by the U.S. government as 16 specific areas, from dams, energy and emergency services to healthcare and water. Still some experts believe that this vulnerability is not getting the attention it deserves, even among C-suite executives in the boardrooms of major companies.
“What I’ve found is that they [executives] recognize indeed that they are in the midst of another computing revolution. What they don’t quite recognize, though, is that we’re in the midst of a security revolution as well,” said Phil Quade (pictured), chief information security officer at Fortinet Inc.
Quade, who was hired earlier this year as Fortinet’s first CISO following an extensive career with the National Security Agency, spoke with Peter Burris (@plburris), host of theCUBE, SiliconANGLE Media’s mobile live streaming studio, at SiliconANGLE’s Palo Alto, California, studio. (*Disclosure below.)
They discussed the strategic nature of attacks against critical infrastructure, the danger of missing the subtle progress that hackers are making and the actions necessary to bring focus on finding effective protection solutions.
Warnings for nuclear plant operators
Attacks on critical infrastructure are increasing, as hackers become bolder and more advanced in methods to penetrate security defenses. Early in July, the FBI and the Department of Homeland Security issued new warnings to companies that operate nuclear plants in the U.S., which indicated that attacks have escalated since May. The government agencies said that Russian hackers may be behind the most recent attempts.
Critical infrastructure attacks are not limited solely to the United States. Government sources in Europe have acknowledged that Russian hackers have been attempting to penetrate companies that managed nuclear facilities in the United Kingdom as well.
These kinds of attacks are more worrisome, according to Quade, who is concerned about the strategic nature of attempts to hack critical infrastructure.
“I’m really worried about the threats that come at us from a strategic perspective,” he stated. “There are some countries that hope to hold our strategic assets at risk, and they would like to be able to impose their national will on the U.S. or other democracies.”
Sophisticated power grid attacks
There is another dimension to infrastructure attacks, what Quade refers to as a more “low-and-slow” approach, a gradual degradation of key resource protection for areas such as water or electricity. Hints at where this could lead can be seen in two documented attacks on the Ukraine power grid in 2015 and 2016. After a manual attack on Ukraine’s power grid 19 months ago briefly cut power for nearly a quarter-million of the country’s citizens in winter, another attack approximately one year later targeted transmission stations and circuit breakers using a fully automated model. In less than a year’s time, the hackers had developed a more sophisticated approach.