The U.S. government, finally realizing that it has to take action to ensure a minimum level of cybersecurity in networks that manage the nation’s energy, water and financial services, presented the Framework for Improving Critical Infrastructure Security on Wednesday. The document, which was put together by industry and government experts, is a compilation of cybersecurity standards and best practices; it is the result of the year-old Executive Order 13636, under which President Barack Obama directed operators of critical infrastructure to provide guidance for defending their networks.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”
The 41-page document describes itself as a complement to industries’ existing risk management practices. What remains to be seen is whether this “guidance” will make firms that have minimal safeguards in place immediately take action to update or reconfigure their systems. Something tells me that a book of suggestions without force of law will not do the trick.
Industrial Control Systems Unguarded
Security researchers have been taking creators of industrial control systems and devices like programmable logic controllers to task for the abject lack of security controls that would prevent networks, and the facilities they run, from being taken over by hackers. But many products and systems remain insecure. That was the focus of a talk by researcher Jonathan Pollet, founder of Red Tiger Security, at the Kaspersky Security Analyst Summit in Punta Cana, Dominican Republic, on Tuesday.
Referring to the maddening state of play in industrial cybersecurity, he said, “It’s like hacking in the 1980s and 1990s,” when IT software and hardware vendors typically buried their heads in the sand, hoping that researchers presenting vulnerability reports would eventually go away if the companies ignored them long enough. According to a Kaspersky Threatpost article, Pollet recalls, “being at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.”
Did he have credentials giving him access to the system? No. Did he face much difficulty in reconfiguring the control system for a machine that thousands of people would ride that same day? Nope. Now imagine that scenario if Pollet’s intentions had been nefarious.
That anecdote was but one example of the widespread lack of authentication, failure to use encryption, and lack of monitoring in critical systems—even after security holes are reported. Pollet said that when he does hear from industrial control and automation vendors, they present excuses such as that the protocols aren’t ready or that security is difficult to build in.
“All these excuses aren’t really excuses,” he said during his talk. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”
Automakers Keep Cybersecurity Discussions in Park
In another talk at this week’s Kaspersky Security Analyst Summit, security researchers Charlie Miller and Chris Valasek reported that a year after they published a detailed paper showing a series of cyberattacks that enabled them to control the steering, braking and other functions in some cars, they’ve heard nary a word from automakers about the exploits. In other words, Miller and Valasek have had neither the opportunity to explain which weakness the attacks take advantage of, nor the chance to help design systems to prevent or at least detect intrusions. Miller, referring to the automobile manufacturers, said, “We have no idea what they’re doing. They could be building something, but it could be years down the line.”
By the Power Vested In Me by Me, Myself, and I…
Dozens of phony SSL certificates spoofing legitimate ones for banks, e-commerce sites, ISPs, and social networks were discovered this week. The unsigned certificates could put people who use apps or other software that access the Internet—but don’t necessarily check the legitimacy of SSL certificates—at risk of man-in-the-middle attacks. Netcraft, a British security firm, provided details about the bogus certs on its blog.
Apparently the various certificates have different purposes. For example, a fake YouTube cert blocked residents of Pakistan from accessing the site, a phony iTunes cert was a linchpin in an online scam, and a fraudulent Facebook cert redirected users to a phishing site.
In Other Cybercrime News…
- Hackers Circulate Thousands of FTP Credentials—Including Those Providing Access to the New York Times' Network
- Attackers Use Network Time Protocol Server Vulnerability to Pull Off Huge DDoS Attack
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.