President Obama has declared December National Critical Infrastructure Month, calling upon the people of the United States to recognize the importance of protecting our Nation’s critical resources and to observe this month with appropriate events and training to enhance our national security and resilience.
Just in time, too. According to recent news, it was suspected that foreign hackers were attacking U.S. water plans in an attempt to disrupt services. Experts warned that this could be one of the first know attacks on the utilities systems that Americans rely on every day. Nearly 85 percent of the nation’s critical infrastructure – utilities, transportation systems, communications systems, airports, transmission lines, etc. – is owned by the private sector. And our fellow citizens on the commercial side of the American economy have had plenty of warning that they need to improve their cyber security.
Since this initial report, the Homeland Security Department announced that the Illinois pump failure wasn’t because of a cyber attack; instead, a contractor on travel in Russia logged into the system remotely, and accidentally caused the pump to burn out.
Meanwhile, a water plant in Texas was hacked, and the 20-something hacker popped up online to take credit for it, claiming he’d done it to demonstrate just how vulnerable these kinds of systems are to attack. The hacker said the water plant’s supervisory control and data acquisition (SCADA) system had a three-character password! Strong passwords is just one of the basic security requirements that must be required.
Most recently, a news story stated that the FBI’s cyber security division reported at a conference in London that SCADA systems in three U.S. cities have been penetrated recently. Michael Welch, deputy assistant director of the FBI unit, didn’t identify the cities.
The importance of securing SCADA systems that connect directly to the Internet isn’t new yet U.S systems still remain vulnerable to attack. Without the necessary and extremely critical security controls in place to detect, protect and remediate threats, we are at risk.
Both public and private sector must work together to ensure that the correct processes are in place and that regular monitoring, detection and prevention tools are an integrated part of managing systems that connect into the Internet.