‘Irrational’ hackers are growing U.S. security fear
Article Courtesy of: Jim Finkle | Reuters
(Reuters) – Cybersecurity researcher HD Moore discovered he could use the Internet to access the controls of some 30 pipeline sensors around the country that were not password protected.
A hacking expert who helps companies uncover network vulnerabilities, Moore said he found the sensors last month while analyzing information in huge, publicly available databases of Internet-connected devices.
“We know that systems are exposed and vulnerable. We don’t know what the impact would be if somebody actually tried to exploit them,” said Moore, chief research officer at the security firm Rapid7.
U.S. national security experts used to take comfort in the belief that “rational” super powers like China or Russia were their main adversaries in cyber space. These countries may have the ability to destroy critical U.S. infrastructure with the click of a mouse, but they are unlikely to do so, in part because they fear Washington would retaliate.
Now, concerns are growing that “irrational” cyber actors – such as extremist groups, rogue nations or hacker activists – are infiltrating U.S. systems to hunt for security gaps like the one uncovered by Moore.
These adversaries may not be as resourceful, but, as with Timothy McVeigh’s bombing of an Oklahoma federal building in 1995, it is the element of surprise that is just as concerning.
Former U.S. Homeland Security Secretary Michael Chertoff said he was worried the first destructive cyber attack on U.S. soil might resemble the Boston Marathon bombings in the sense that the suspects were not on the government’s radar.
“You are going to get relatively modest-scale, impact attacks from all kinds of folks – hacktivists, criminals, whatever,” Chertoff said at the Reuters Cybersecurity Summit last week. “Are they going to take down critical infrastructure? They might.”
Emerging cyber actors that security experts say they are most concerned about include Iran, believed to be behind the ongoing assaults on U.S. banking websites, as well as a devastating attack on some 30,000 PCs at Saudi Arabia’s national oil company last year.
North Korea is also quickly gaining cyber skills, experts say, after hackers took down three South Korean broadcasters and two major banks in March.
Another emerging actor is the Syrian Electronic Army, an activist group that has claimed responsibility for hacking the Twitter accounts of major Western media outlets, such as the Associated Press last month, when its hackers sent a fake tweet about explosions at the White House that briefly sent U.S. stocks plunging.
The U.S. power grid is the target of daily attempted cyber attacks, according to a report by California Representative Henry Waxman and Massachusetts Representative Ed Markey released at the House Energy and Commerce Committee’s cybersecurity hearing on Tuesday.
More than a dozen utilities report daily, constant or frequent attempted attacks, ranging from unfriendly probes to malware infection, according to the report. (To read the report, see http://r.reuters.com/sej38t)
Gerry Cauley, chief executive of the North American Electric Reliability Corp, told the Reuters Cybersecurity Summit that computer viruses have been found in the power grid that could be used to deliver malicious software to damage plants. NERC is a non-profit agency that oversees and ensures the reliability of the bulk power system in the region.
Experts say that with so many unknown hackers trying to infiltrate U.S. industrial control systems, they fear someone somewhere – perhaps even an amateur – will intentionally or unintentionally cause damage to power generators, chemical plants, dams or other critical infrastructure. “Even if you don’t know how things actually work, you can still wreak havoc by crashing a device,” said Ruben Santamarta, a senior security consultant with IOActive. “Probably in the near future we may face an incident of this type, where the attackers will not even know what they are doing.”
Santamarta has identified hundreds of Internet-facing control systems — on the grid, at water treatment facilities and heating and ventilation systems for buildings including hospitals. He has also uncovered bugs built into industrial control equipment.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, known as ICS-CERT, last week warned of a flaw that Santamarta found in equipment from Germany’s TURCK, which is used by manufacturers and agriculture firms in the United States, Europe and Asia.
The agency said attackers with “low” hacking skills could exploit the flaw, letting them remotely halt industrial processes. It advised customers to install a patch that would protect them against such attacks.
Director of National Intelligence James Clapper told a Senate committee in March that “less advanced, but highly motivated actors” could access some poorly protected control systems. They might cause “significant” damage, he warned, due to unexpected system configurations, mistakes and spillovers that could occur between nodes in networks.