Critical Infrastructure Vulnerable to Attack
Vulnerable to Attack, NSA Leader Says
By David Vergun, Army News
West Point, New York — (ANS)
— April 21, 2016 — Strong dependence on industrial control systems, or ICS, is a
serious vulnerability for industry, the National Security Agency’s deputy
director said here yesterday.
"There's no doubt that Chinese military planners understand
the importance of industrial control systems and the critical infrastructure
they control," Richard H. Ledgett Jr. said in his keynote address during a
dinner at the Joint Service Academy Cyber Security Summit at the U.S. Military
Richard H. Ledgett Jr., deputy director
of the National Security Agency, delivers the keynote address during a dinner at
the Joint Service Academy Cyber Security Summit at the U.S. Military Academy in
West Point, N.Y., April 20, 2016. DoD photo by David Vergun.
Security Threat Inadequately Addressed
Historically, ICS has been strong because of its obscurity,
he explained, calling it "weird software with proprietary systems."
But over time, ICS has become less obscure, and providers,
working on thin profit margins, haven't adequately addressed the security threat,
he said. "Adversaries are seeing what they can get by compromising those
industrial control systems," he added.
In 2007, Idaho National Laboratory ran the Aurora Generator
experiment, which demonstrated that the electric grid could be compromised.
There are other notable examples, he said.
"You don't need to cause physical harm to affect critical
infrastructure assets," Ledgett pointed out. For instance, he said, remote
hackers using stolen credentials caused a Ukrainian blackout about four months
ago that took down the country’s entire power grid.
"These are all fairly significant events," he said. "We're
seeing more and more of that by adversaries."
Internet of Things
More and more devices are being connected to the Internet,
Ledgett noted. Some 6.4 billion things worldwide will be connected by the
Internet this year, he said, and by 2020, that number will be about 20.8
billion. The challenge is identifying emerging risks and vulnerabilities that
come about with the introduction of new hardware and software, he said.
"Any system is only as strong as its weakest link," Ledgett
said. Most types of devices connected to the Internet are built with differing
security profiles and updated on differing timescales, and every time it's
updated, that's another opportunity for a security vulnerability, he added.
Cybercrime is one example, Ledgett said. A million pieces of
malware come out every day, he said, and 1.5 million criminal cyber events take
place every year.
"Today, anyone with a computer and a fairly decent level of
knowledge and an Internet connection can pose a very serious threat to an
individual, a business, a city and a foreign nation," he said.
The Joint Service Academy Cyber Security Summit was co-hosted
by the Army Cyber Institute and Palo Alto Networks.