You read about it in spy novels. You hear cybersecurity experts warn about it. You might even see commentary about it on this very blog. No matter where you are in the United States, the notion is the same: our nation’s infrastructure could be the next big target for terrorists. It’s a scary notion, but scarier still when you discover that the energy sector is currently under assault by hackers in multiple Western countries.
Now, there’s no need to panic just yet, but there is cause for concern. Security experts warn that industrial systems are wide open to potential exploits once hackers gain a foothold inside a targeted system, using phishing scams or similar techniques. Several U.S. energy companies were sent phishing emails as part of a campaign aimed at stealing credentials. Now, if you are curious as to exactly how this is done, it may surprise you how simple this “infiltration” is. Malicious hackers pretend they are the IT department, approach random associates, and inform them that there are problems in the email infrastructure, login issues with their web portal, or some such. Recipients of these emails are asked to log in to the local Intranet through a special URL, but this URL is the hook used to reel in credentials. Once people log in and give their login credentials, bingo, hackers have the keys to the castle. You may think this is far too easy, but there’s a reason phishing is so popular with hackers. People still fall for this. A lot of energy companies have fallen for phishing campaigns aimed at their employees, and security analysts see a trend in this sector.
While nothing damaging has happened to date, the whole threat of attacks on the energy sector has ratcheted up. Back in 2014, unknown attackers infected the industrial control system of a German steel mill. They caused an unscheduled shutdown of a blast furnace that resulted in significant damage. That is how far they can go into an infrastructure system. In 2015, Russian attackers, using primarily open-source toolkits, managed to attack a Ukrainian distribution system, and they interrupted power in Kiev for up to 225,000 customers for several hours; and then in 2016, malware used in that 2015 attack was employed in an attack on Industrial Control Systems associated with power grids. In other words, Ukraine was the test case. Not only does this malware have the capability to delete data and disrupt IT systems, it also has the capability to physically damage ICS systems.
Up-to-date patching and the use of artificial intelligence designed to identify these things have been shown to be the long-term solution, but right now we are vulnerable. A report on Industrial Control Systems by Kaspersky Lab found that there were 17,000 Industrial Control Systems components on 13,00 different hosts that were exposed to the internet without security.
These organizations include energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and service, governmental, financial and medical institutions. The deep-rooted fear is that sleeper software is being installed as we speak, as you read this blog, and it could be triggered to bring down the infrastructure.
This may sound like something akin to clickbait or fear-mongering, but this is not speculation. This is a threat. Something very real is going on here, and we need to be careful.
A research physicist who has become an entrepreneur and educational leader, and an expert on competency-based education, critical thinking in the classroom, curriculum development, and education management, Dr. Richard Shurtz is the president and chief executive officer of Stratford University. He has published over 30 technical publications, holds 15 patents, and is host of the weekly radio show, Tech Talk. A noted expert on competency-based education, Dr. Shurtz has conducted numerous workshops and seminars for educators in Jamaica, Egypt, India, and China, and has established academic partnerships in China, India, Sri Lanka, Kurdistan, Malaysia, and Canada.