Cybersecurity Professionals Fear Critical Infrastructure Hacks

The health care, water and wastewater, and energy sectors are likely hacking targets according to a Pwnie Express survey of cybersecurity professionals.

Brian Buntz

May 17, 2018

3 Min Read
Image shows programming source code.
Creative abstract PHP web design, internet programming HTML language and digital computer technology business concept: 3D render illustration of the macro view of software source code on screen monitor with selective focus effectThinkstock

Cybercriminals have been ramping up attacks on industrial systems in recent years, but to date, most countries haven’t seen a significant attack on their critical infrastructure. That may change in years to come, based on results from a recent survey from cybersecurity firm Pwnie Express. A full 85 percent of the respondents expected such an attack to hit their nation in the next five years. “The interesting part here is that we found a level of concern extending across categories,” said Todd DeSisto, Pwnie Express chief executive officer, referring to the 16 critical infrastructure sectors defined by the U.S. government. Of those categories, respondents pegged health care, water and wastewater treatment facilities, and the energy sectors as the least prepared for cyberattacks.

The survey, which polled 582 cybersecurity professionals from across the world, also revealed a persistent gap between awareness of the IoT cybersecurity problem versus action to address it. The research found organizations are more than twice as likely to have a security policy for traditional IT devices like PCs and smartphones than they are for IoT technology. Fewer than 50 percent of security professionals were involved in the purchasing approval devices for building-level IoT devices such as connected HVAC systems, industrial IoT devices or consumer-grade IoT products.

DeSisto said this year’s findings were the scariest yet in the firm’s fourth annual “Internet of Evil Things” research series. He sees a growing IoT cybersecurity awareness among cybersecurity professionals, but many are still struggling to translate that concern into action. “But people are struggling with what to do. I think it is because of the complexity of the problem,” DeSisto said. “It is almost like an algebra equation with too many variables in it. You have to take some of the variables out of the equation to be able to solve that complexity.”

In the traditional IT security landscape endpoints were constrained to fairly standardized devices such as PC workstations, laptops and smartphones with a typical life span of a few years. With IoT, on the other hand, deployments tend to vary considerably, extend across an array of application areas and often have connected endpoints that are in use for decades. “With IoT, the environments are in the wild. You could have an oil rig in the middle of the Bering Sea that is now susceptible to nation-state hackers,” DeSisto said. To cite another example, the health care example must contend with the risk of breach to connected medical devices that could include everything from pacemakers to infusion pumps to MRI machines. “Technologies like medical devices are new attack surfaces that, a lot of times, the guys in IT security aren’t thinking about,” DeSisto noted.

The uptick in hacking from nation-state actors is another troubling recent trend. “Critical infrastructure is pretty ripe for them,” DeSisto, pointing to the disruption that last year’s WannaCry ransomware attack did to UK’s National Health Service — especially in England and Scotland — as an example.

Also worrying is the recent uptick on industrial targets and SCADA systems used in industrial and critical infrastructure applications. Cybersecurity researchers recently unveiled a type of malware known as Triton or Trisis that targets Triconex safety instrumented systems from Schneider Electric. Triconex is frequently used in oil-and-gas facilities, nuclear sites and other sensitive infrastructure. “The Triton attack on Schneider is interesting in that it targeted a safety system and sought to disable that,” DeSisto said. This is a markedly different type of attack that does more than attempt to steal sensitive data or extort money from its victims. And based on the recent Pwnie Express survey data, this type of an attack could be a preview of future attacks targeting critical infrastructure. “An attack like that can do more than cost you money or grab your attention,” DeSisto said. “It certainly would indicate that whoever was behind it was looking to do real harm.”

About the Author

Brian Buntz

Brian is a veteran journalist with more than ten years’ experience covering an array of technologies including the Internet of Things, 3-D printing, and cybersecurity. Before coming to Penton and later Informa, he served as the editor-in-chief of UBM’s Qmed where he overhauled the brand’s news coverage and helped to grow the site’s traffic volume dramatically. He had previously held managing editor roles on the company’s medical device technology publications including European Medical Device Technology (EMDT) and Medical Device & Diagnostics Industry (MD+DI), and had served as editor-in-chief of Medical Product Manufacturing News (MPMN).

At UBM, Brian also worked closely with the company’s events group on speaker selection and direction and played an important role in cementing famed futurist Ray Kurzweil as a keynote speaker at the 2016 Medical Design & Manufacturing West event in Anaheim. An article of his was also prominently on kurzweilai.net, a website dedicated to Kurzweil’s ideas.

Multilingual, Brian has an M.A. degree in German from the University of Oklahoma.

Sign Up for the Newsletter
The most up-to-date news and insights into the latest emerging technologies ... delivered right to your inbox!

You May Also Like