CSO - The warnings of possible catastrophic cyberattacks on critical infrastructure in the U.S. have been issued for more than a decade. They were frequent and insistent in 2012, from high-ranking government officials and others.
Can Homeland Security prevent a cybersecurity critical infrastructure disaster?
Outgoing U.S. Secretary of Defense Leon Panetta warned in a speech in New York last October that cyberattacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid could amount to a "cyber Pearl Harbor." He also said the U.S. was at "a pre-9/11 moment."
It wasn't just patriotic American officials either. A video obtained by the FBI in 2011, purportedly from al Qaeda, exhorted al Qaeda followers, the "covert Mujahidin" who have the skill to commit "electronic jihad," to launch cyberattacks on U.S. and other Western targets.
But the Department of Homeland Security (DHS) says that despite those warnings, the peril remains -- thousands of domestic industrial control systems (ICS) remain vulnerable.
Some security experts have said that Panetta and others are going overboard with comparisons to acts of war or terror that leave thousands dead. Bruce Schneier, an author and chief security technology officer at BT, has said more than once that, "throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."
However, Schneier and others agree that there are real risks. And the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates within DHS, said operators of ICS often don't even know whether their systems are infected, don't have effective security barriers in place and don't have backups for critical systems.
The agency's Monthly Monitor, covering October-December 2012, also reported that two researchers, "using only their wits, an extensive list of control systems related search terms, a paper clip, and the Internet-facing device search engine SHODAN," compiled a list of about 500,000 devices with predicted control systems impact.
Bob Radvanovsky and Jake Brodsky of InfraCritical began what they called Project SHINE (SHodan INtelligence Extraction) last April, and presented their findings in October at the ICS Cyber Security Conference in Norfolk, Virginia.
ICS-CERT said it was able to prune that list down to about 98,000 IP addresses in the U.S., and cut it further to about 7,200 across the nation that it said were directly connected to critical control devices.
But the significance of the project was clear: Using freely available tools, the researchers exposed a significant attack surface -- an average of 144 entry points per state -- reachable from the public Internet.
The report also profiled a couple of unnamed utility operators that were not following even the most basic security protocols. In one case, an employee at a power generation facility had infected several workstations, two of them critical to the operation, with malware from a USB drive.