Former U.S. Secretary of Defense Leon Panetta may have been bartering in hyperbole when he warned of a possible "cyber Pearl Harbor" last year. However, as new research has found, there are a number of serious weak spots -- vulnerable to hacking -- scattered throughout crucial U.S. infrastructure.
"Adam Crain, Chris Sistrunk and Adam Todorski, who are working with industrial consultants Automatak, found 25 zero-day vulnerabilities – flaws which have never before been seen in the wild – in the protocol by which power plants and other parts of the electricity grid communicate internally," the Guardian noted Thursday.
The network is not Internet-connected, so it's not a traditional hacking risk, but the newly discovered vulnerabilities are nonetheless reason for concern, the researchers suggest. “If someone tries to breach the control center through the internet, they have to bypass layers of firewalls ... But someone could go out to a remote substation that has very little physical security and get on the network and take out hundreds of substations potentially. And they don’t necessarily have to get into the substation either," said Crain.
A study early this year found that critical infrastructure was also vulnerable to common spearphishing cyberattacks -- the bread-and-butter hack to get into another individual's computer system, based, as it is, on human vulnerability.
In a demonstration in January to test the vulnerability to such an attack at power plants and oil pipelines, Tyler Klinger, a security researcher at Critical Intelligence, sent targeted emails -- the sort that might conceal a spearphish -- to control room supervisors and engineers. The email addresses were easily accessible through LinkedIn and sales team contact sites.
“The hit rate was enough to make you shudder: Some 26 percent of employees who work closely with industrial control systems fell victim to the attack … among their job titles were: a control room supervisor, a pipeline controller, an automation technician, a process controls engineer and a senior vice president for operations and maintenance.” An attacker would then have the ability to observe all the actions — passwords, codes and all — carried out on the computer of these employees who regularly access aspects of the nation’s critical infrastructure.