
Is our infrastructure vulnerable to hackers? The short answer to the question, unfortunately, is yes. But it's not like no one is thinking about the issue or doing anything about it. As with the dire predictions of Y2K meltdowns from the turn of the millennium, while there are definite and potentially huge risks, both the public and private sectors are working to mitigate them.

Power grid and utility vulnerability

The Ukraine power grid attack in December 2015 was a sobering wake-up call of the extent of what is possible. In that event, which some security experts have called cunning and brilliant, the hackers planned the attack by infiltrating the power utility systems over a period of months. Using some old-school exploits like Microsoft Word file attachments with an infected macro that downloaded malware, and careful infiltration of the network stealing remote login credentials over time, the hackers were able to get control of the system to ultimately shut off power to 230,000 people in a cold winter.

The good news is that manual overrides were able to turn the power back on relatively quickly, but some parts of the Ukraine grid took longer to restore. Russia is suspected to be behind that attack, given the tensions in the region, but the cyberwarfare world has both state and non-state actors. Russia, China, Israel, Iran, North Korea, and the US all have cyber units, and terrorist groups like ISIS and many other lesser known groups have engaged in cyberattacks for coercive, monetary, or political motives.

Part of the risk in cyber intrusions on infrastructure is the connection of these systems to the internet. Many ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) systems are based on older technology. The grafting of internet and networking capabilities to these systems enables remote monitoring and control, and sometimes end-customer access to utility usage and billing information. Sometimes, these newer forms of access are not adequately shielded from systems that control vital aspects of the utilities.

A case in point involved a Verizon report of a data breach at an unnamed water utility in the US in March. That utility's SCADA platform was based on an IBM AS/400 minicomputer, a 1980s era system, and incorporated valve and flow control software as well as IT applications like customer billing. The system was connected to an end-customer online payment portal. Hackers exploited a flaw in the portal to gain access to the AS/400 admin credentials, essentially gaining control over almost all of its applications.


Aside from stealing 2.5 million customer account records, including billing data, what's more frightening is that the hackers were able to gain control over the valve and flow software. They were able to control the chemicals in water treatment and affect the rate at which water was returned for usage. Fortunately, other indicators alerted the water utility's staff of what was happening and that the system was overridden. But it's clear that if a series of coordinated attacks were done on vital systems, the havoc would not be easy to contain.

Interestingly enough, some of these problems can be ameliorated by simply better use of existing technology. For example, many remote or VPN logins don't use two-factor authentication – something increasingly deployed now on many consumer-facing services. This could help thwart many situations of hackers halfway around the world stealing passwords via various known means. Part of the reason is that, in many cases, locally run utilities have regulated rates and limited budgets, and often software upgrades are put off. The "if it ain't broken, don't fix it" mentality can delay necessary security improvements, especially when modifying older technology that may introduce new issues.

Another attacker exploit being discovered is infecting the software upgrade mechanisms of ICS/SCADA vendors. Just like Windows Update, these vendors have either manual or automatic firmware and software upgrade mechanisms. So rather than break into a specific system, a hacker could plant malware in a software update. That malware may lurk in systems for months or years, ready to be triggered by some specific attack or time-based event.

Smart cities and other infrastructure concerns

Water and electric infrastructure may be particularly vulnerable due to the age of the systems and the universal dependence on these services. But obviously other infrastructure of critical importance may be equally vulnerable – transportation, energy, communications, and healthcare are others. There have been well publicized cases of ransomware attacks on hospital health record systems. While in several of those cases, the hospitals have quickly paid up relatively small sums (compared with the cost of not having their system back), in a cyberwar scenario the effects could be far costlier and deadlier. The Department of Transportation lacks a coherent cybersecurity strategy. With the push for smarter cities, more internet-connected city information and services, and a looming future of autonomous cars, the importance of best practices and standards for cybersecurity in transportation is increasing exponentially.

The Stuxnet worm virus, reportedly developed by Israel and the United States, is said to have severely slowed Iran's uranium enrichment development for a nuclear weapon. It is one of the best-known cases of states using cyber capabilities as an alternative to physical attack to reach an objective. We should be mindful that our own nuclear energy infrastructure needs to be better protected. A recent report indicates that attacks on U.S. non-military nuclear systems are increasing. Part of the problem is that there are contracts with vendors that deal with maintaining security, but many of these do not go into enough detail about monitoring, reporting, and performance metrics. Nuclear energy is heavily regulated, and security has always been taken seriously. But it is also an industry with aging infrastructure, and the same budget issues that apply to other utility infrastructure apply here as well.

Does all of this sound scary? It is, but the threats are being taken seriously. In this presidential election season, even the voting systems are being considered. Considering the recent Democratic National Committee hacks, the Department of Homeland Security is looking into ways the election infrastructure can be better protected. Some of the concern comes from increasing use of wireless technology in voting machines to tabulate and aggregate voting information. It is a complicated job, with over 9,000 jurisdictions controlling voting across the country. But understanding potential threats and security best practices can limit the possibility of tampering with the system. Regardless of the severity of potential consequences, it's impossible to protect against every threat, in either the cyber or physical world.

In time for Black Hat and DEFCON, we're covering security, cyberwar, and online crime all this week; check out the rest of our Security Week stories for more in-depth coverage.