Howard Schmidt at Evolve 2013.
Critical infrastructure operators remain vulnerable to attack from hackers whose motivations have matured from the “pretty juvenile” wanton vandalism of the 1990s to the aggressive, targeted and financially-motivated cyber war being waged online today, a one-time senior security advisor to the US president has warned.
Noting the popularity of early website defacement and DDoS attacks by hackers, Howard Schmidt – a cyber security coordinator who previously served as special assistant to the president – said what was a “tremendous annoyance” a decade ago had become a significant threat both as hackers grew more sophisticated, and as society’s dependence on critical infrastructure increased.
Protection of that infrastructure, however, had not kept up with technological advancements – leaving a significant security gap that persists despite growing awareness of state-sponsored attacks and threats from ever-more-motivated attackers.
“SCADA and industrial control systems were never fashioned to operate in a secure environment,” Schmidt said via videoconference to the Evolve 2013 security conference in Melbourne today.
“There was no need for authentication or encryption because they didn’t have that connective tissue [the Internet] we see today. But now we have a tremendous dependency on this technology – and we’re seeing those shortcomings not only being researched, but almost being commercialised. To this day, there is still a lack of understanding of how the entire system works as one.”
Trend Micro chief technology officer Raimund Genes relayed the experience of a team of researchers who had decided to test just how appealing an Internet-connected industrial system was.
The researchers set up a dummy water pressure control station that included realistic industrial controllers, then “accidentally” left it connected to the Internet, as happens in many real-world industrial installations.
“You’d be surprised how many of these systems are connected to the Internet by accident,” Genes said. “Otherwise you have two management consoles, with an operator getting instructions from a console and retyping the command into the operational system. But people are lazy.”
Within 36 hours, the dummy installation was being pounded by hackers launching “aggressive attacks” from around the world.
Interestingly, Genes said, different countries showed different attack patterns: while the Chinese mainly poked and prodded the systems, American hackers increased the spinning frequency of the water pumps – and Laotian hackers “wanted to kill the system”.
“Australia was not in the picture,” German-born Genes laughed. “You might be the nicest guys in the world, or the most clever ones.”
Therein lies the rub, Schmidt said: with so many different hackers and motivations in the world, there is no single attack profile to defend against – and no way to predict what might come next. “How much of your security investment do you have in dealing with criminals and nation states, as opposed to repelling clever hobbyists?” he asked. “The people exploiting these things are dedicated people whose sole motivation in many cases is financial gain.”
“Their motivation is selling their services to the highest bidder – and it doesn’t make any difference whether it’s an oppressive regime or a democratic country where they think they can make some money off the defence and intelligence infrastructure.”
Such risks formed the substance of many discussions during Schmidt’s tenure as presidential security advisor, when low-level security issues came head to head with the broader implications of a society that was becoming increasingly dependent on ever-more-automated and IP-connected cars, traffic grids, airplanes, pacemakers and more.
“There can be tremendous benefits and uses to all of us as citizens, but without proper engineering, design and implementation they become a vulnerability that will affect all of us,” he said, noting that today’s hackers “are relentless and persistent, and they’re not going away.”
“As we’ve seen every step along the way, when we do a better job securing systems, the hackers will move it to the next level. The persistent threats that are out there are not going to just stop, and the hackers say ‘OK, the security professionals have won and we give up’. They’re going to continue to look to exploit systems, and continue to hit whatever we do.”