Potential Attacks on Critical Infrastructure

If 2014 was the year of data breaches, it is quite possible that 2015 will be the year that we start to see attacks on critical infrastructure begin in earnest.

Yes, there have already been a few publicized attacks of that variety. And I believe there have been quite a few more that have never been publicized.

But, all signs indicate that attacks by nation-states and anarchists (and even our own governments through agencies like the NSA in the United States) against the types of infrastructure that make modern life what it is will increase and pose a serious threat to individual citizens.

Today, I’ll focus on cyber threats. But, in coming weeks I’ll discuss economic threats as well.

As you know, one of my favorite investigative reporters in the cyber world is Kim Zetter. Zetter is out with a succinct list of potential cyber threats that’s worth a gander.

The report is aptly titled, “The Biggest Security Threats We’ll Face in 2015,” and while I encourage you to read the entire piece, here are a few highlights culminating with the critical infrastructure aspect that I want to emphasize today.

“Nation-State Attacks: We closed 2014 with new revelations about one of the most significant hacks the NSA and its partnering spy agency, the UK’s GCHQ, are known to have committed. That hack involved Belgium’s partly state-owned telecom Belgacom…New revelations about the Regin malware used in the hack, however, show how the attackers also sought to hijack entire telecom networks outside of Belgium so they could take control of base stations and monitor users or intercept communications…These and other efforts the NSA has employed to undermine encryption and install backdoors in systems remain the biggest security threat that computer users face in general.” [emphasis added]

“Extortion: Controversy still swirls around the Sony hack and the motivation for that breach. But whether the hackers breached Sony’s system to extort money or a promise to shelve The Interview, hacker shakedowns are likely to occur again. The Sony hack wasn’t the first hacker extortion we’ve seen. But most of them until now have occurred on a small scale—using so-called ransomware that encrypts a hard drive or locks a user or corporation out of their data or system until money is paid…This kind of hack requires more skill than low-level ransomware attacks, but could become a bigger problem for prominent targets like Sony that have a lot to lose with a data leak.” [emphasis added]

“Data-Destruction: The Sony hack announced another kind of threat we haven’t seen much in the U.S.: the data destruction threat. This could become more common in 2015. The attackers behind the breach of Sony Pictures Entertainment didn’t just steal data from the company; they also deleted it…Good data backups can prevent an attack like this from being a major disaster. But rebuilding systems that are wiped like this is still time-consuming and expensive, and you have to make sure that the backups you restore are thoroughly disinfected so that lingering malware won’t re-wipe systems once restored.” [emphasis added]

“Bank Card Breaches Will Continue: In the last decade there have been numerous high-profile breaches involving the theft of data from millions of bank cards—TJX, Barnes and Noble, Target and Home Depot to name a few. Some of these involved hacking the point-of-sale systems inside a store to steal card data as it traversed a retailer’s network; others, like the Barnes and Noble hack, involved skimmers installed on card readers to siphon card data as soon as the card was swiped…Though card issuers are slowly replacing old bank cards with new EMV cards, retailers have until October 2015 to install new readers that can handle the cards, after which they’ll be liable for any fraudulent transactions that occur on cards stolen where the readers are not installed. Retailers no doubt will drag their feet on adopting the new technology, and card numbers stolen from older DNV cards can still be used for fraudulent online purchases that don’t require a PIN or security code. There’s also a problem with poor implementation; cards stolen in the recent Home Depot hack show that hackers were able to exploit chip-‘n’-PIN processing systems because they were poorly implemented. With the shift to EMV cards, hackers will simply shift their focus.” [emphasis added]

“Third-Party Breaches: In recent years we’ve seen a disturbing trend in so-called third-party hacks, breaches that focus on one company or service solely for the purpose of obtaining data or access to a more important target…A breach of a certificate authority—such as one involving a Hungarian certificate authority in 2011—provides hackers with the ability to obtain seemingly legitimate certificates to sign malware and make it look like legitimate software. Similarly, a breach of Adobe in 2012 gave the attackers access to the company’s code-signing server, which they used to sign their malware with a valid Adobe certificate…These kinds of breaches are significant because they undermine the basic trust that users have in the internet’s infrastructure.” [emphasis added]

And here’s the one I really want you to pay attention to—

“Critical Infrastructure: Until now, the most serious breach of critical infrastructure we’ve seen occurred overseas in Iran when Stuxnet was used to sabotage that country’s uranium enrichment program. But the days when critical infrastructure in the U.S. will remain untouched are probably drawing to a close. One sign that hackers are looking at industrial control systems in the U.S. is a breach that occurred in 2012 against Telvent, a maker of smart-grid control software used in portions of the U.S. electrical grid as well as in some oil and gas pipeline and water systems. The hackers gained access to project files for the company’s SCADA system. Vendors like Telvent use project files to program the industrial control systems of customers and have full rights to modify anything in a customer’s system through these files. Infected project files were one of the methods that Stuxnet used to gain access to Iran’s uranium-enrichment systems. Hackers can use project files to infect customers or use the access that companies like Telvent have to customer networks to study the customer’s operations for vulnerabilities and gain remote access to their control networks. Just like hackers used third-party systems to gain access to Target, it’s only a matter of time before they use companies like Telvent to gain access to critical industrial controls—if they haven’t already.” [emphasis added]

OK. There’s a broad overview of cyber threats. I encourage you to read the entire piece, but those highlights give you a flavor of what we may be facing.
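One practical thread runs through the data-destruction and third-party items above: a backup you restore after a wiper attack is only trustworthy if you can prove nothing in it changed after it was taken, and the proof itself must not be something the attacker could rewrite from the compromised host. The following is an added example (my own illustration, not code from Zetter’s piece or any product discussed here) of a keyed integrity manifest for a backup set. It assumes a hypothetical manifest key kept off the backed-up system, and the backup contents and the “tampering” are constructed inline so it runs offline.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumed, not from the article: a secret that lives off the protected host
# (e.g. on the backup server or an offline key store). An attacker who has
# wiped the host should never have had access to it.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def file_digest(path):
    """SHA-256 of a file, streamed so large backup files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key=MANIFEST_KEY):
    """Walk a backup tree and record a digest per file, then HMAC the whole list."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_digest(full)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_restore_set(root, manifest, key=MANIFEST_KEY):
    """Check the manifest's own authenticity first, then diff the tree against it.

    Returns which files were modified, removed, or added since the manifest
    was signed. Anything in 'modified' or 'unexpected' must be examined before
    the set is restored, because that is where lingering malware would sit.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A forged or edited manifest tells us nothing; refuse to reason from it.
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root, key)["entries"]
    recorded = manifest["entries"]
    return {
        "manifest_ok": True,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Constructed scenario: clean backup, then a trojanised copy, then a forged manifest."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(root, "start.sh"), "w") as f:
            f.write("#!/bin/sh\n./app\n")
        manifest = build_manifest(root)
        clean = verify_restore_set(root, manifest)

        # Simulated post-incident tampering: startup script now launches a
        # dropped binary, and that binary was added to the backup set.
        with open(os.path.join(root, "start.sh"), "a") as f:
            f.write("./wiper &\n")
        with open(os.path.join(root, "wiper"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder, not a real binary")
        tampered = verify_restore_set(root, manifest)

        # Attacker rewrites the manifest to bless the implant; without the key
        # the HMAC no longer matches, so the forged manifest is rejected.
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["wiper"] = file_digest(os.path.join(root, "wiper"))
        forged["entries"]["start.sh"] = file_digest(os.path.join(root, "start.sh"))
        forged_result = verify_restore_set(root, forged)
        return clean, tampered, forged_result


if __name__ == "__main__":
    print(demo())
```

The design point is the keyed tag: a plain list of hashes stored alongside the backup can be regenerated by whoever already owns the host, so the key has to live somewhere the compromised system cannot reach. On a real restore you would also run the flagged files through your malware tooling rather than treating a clean diff as proof of a clean image.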

And it’s the Critical Infrastructure threat that should concern us the most. After all, replacing credit cards after a hack like Target is an annoyance – a big annoyance. And identity theft is a serious crime that I work to combat as a security professional every day.

But, if hackers can take over portions of a nation’s electrical grid, or a nuclear power plant, or oil and gas pipelines, or the water supply, or the interconnectivity of the financial network, or – well, you get the point.

The reality is a successful attack against Critical Infrastructure could bring the United States – or any other country – to a standstill for enough time to create panic, chaos and, potentially, anarchy.

So I pose to you the question that I repeat so often: Are you and your loved ones self-reliant enough to live on your own – without the assistance of the government or critical infrastructure like electricity and water – for an extended period of time?

I hope so. I really hope so. Because as I’ve documented many times before, there is a significant chance that in your lifetime you will have to do so.

OK. Enough of my thoughts. What do you think?

Email me at [email protected] and let me know if you believe there are significant threats to our nation’s infrastructure.

I look forward to your comments.

Be safe, secure and free!

Rob Douglas – Former Washington DC Private Detective

PS – For a recent example of what can happen when hackers take control of an industrial facility, check out “Cyber Attack Causes Physical Damage at German Iron Plant.”
