You are here

US industry too complacent about cyber risks — experts

By Reuters - Jun 01,2014 - Last updated at Jun 01,2014

WASHINGTON — After warning for years that the US electric grid and other critical infrastructure are dangerously vulnerable to hacking, security experts fear it may take a major destructive attack to jolt chief executive officers out of their complacency.

While awareness about cyber-security has increased in recent years, infrastructure consultants say the industry remains reluctant to spend the money needed to upgrade their aging equipment — especially in the absence of much pressure from the US government, regulators or shareholders.

"I'm convinced the C-level executives don't understand the risks they're accepting," Digital Bond Chief Executive Officer Dale Peterson, a leading expert in industrial control systems, told the Reuters Cyber-security Summit in Washington last week.

"These systems are insecure by design," said Peterson. "If they truly understood the risk they were taking, they would find it unacceptable."

Peterson and other security experts say the problem lies with tiny computers known as PLCs, or programmable logic controllers, used to control processes in energy plants, water treatment facilities, factories and other industries. 

The PLCs are designed to blindly obey all commands, regardless of what impact they might have, according to the experts.

To wreak havoc, someone would need only to hack into that system and send malicious instructions to the PLC, such as to cause an explosion at an energy facility or chemical plant, flood a water system, or poison food supply.

Top executives at critical infrastructure companies think of cyber-security as a standard business risk and are reluctant to spend millions of dollars to mitigate that risk, said Stuart McClure, chief executive of cyber-security firm Cylance.

They "can't seem to get out of their own way of paranoia to a point of paralysis”, McClure told the summit. "What government does have to do, unfortunately, is to step in and provide a stick of some sort."

The Obama administration has encouraged industries to test themselves against a newly drafted set of cyber standards, and has encouraged more sharing of information about cyber threats and best practices.

Experts say that is a step in the right direction, but there is still a long way to go. Some urged the Department of Homeland Security to mandate stricter regulations, but the agency does not have that kind of enforcement power.

"I think what they benefit most from is not just hard and fast regulation: 'You shall do it this way’, Department of Homeland Security (DHS) Jeh Johnson said at the summit. "I don't believe that the answer is to regulate standards."

 

Cyber reports
nearly double

 

DHS's Industrial Control Systems Cyber Emergency Response Team says it responded to reports of 256 cyber incidents last year, more than half of them in the energy sector. While that is nearly double the agency's 2012 case load, there was not a single incident that caused a major disruption.

The incidents include hacking into systems through Internet portals exposed over the Web, injecting malicious software through thumb drives, and exploitation of software vulnerabilities, DHS said.

"I fear that things won't change until there is a major attack and people are shocked into taking action," McClure said.

Still, he and several other summit guests said they have noticed an increase in interest in cyber-security following the data breach at Target Corp, which led to the departure of the US retailer's chief executive, Gregg Steinhafel.

"This is ringing bells at the C-suite," said Charles Croom, vice president of cyber-security solutions at Lockheed Martin Corp. "This is just the beginning of a bow wave."

While some security experts hope the government can take a stronger role on cyber-security, some US officials say the private sector needs to step up.

The new head of the National Security Agency, Admiral Mike Rogers, said he hopes industry and the government can work quickly enough to improve communication about emerging cyber threats and prevent catastrophes.

"I don't want a major disaster being the driver that pushes us," Rogers told the summit.

up
11 users have voted.


Newsletter

Get top stories and blog posts emailed to you each day.

PDF