Critical Infrastructure Vulnerable To Attack, NSA Deputy Director Says

David Vergun at the Army News Service offers the below piece:

WEST POINT, N.Y., April 21, 2016 — Strong dependence on industrial control systems, or ICS, is a serious vulnerability for industry, the National Security Agency’s deputy director said here yesterday.

"There's no doubt that Chinese military planners understand the importance of industrial control systems and the critical infrastructure they control," Richard H. Ledgett Jr. (seen in the above DoD released photo) said in his keynote address during a dinner at the Joint Service Academy Cyber Security Summit at the U.S. Military Academy.

Security Threat Inadequately Addressed

Historically, ICS has been strong because of its obscurity, he explained, calling it "weird software with proprietary systems."

But over time, ICS has become less obscure, and providers, working on thin profit margins, haven't adequately addressed the security threat, he said. "Adversaries are seeing what they can get by compromising those industrial control systems," he added.

In 2007, Idaho National Laboratory ran the Aurora Generator experiment, which demonstrated that the electric grid could be compromised. There are other notable examples, he said.

"You don't need to cause physical harm to affect critical infrastructure assets," Ledgett pointed out. For instance, he said, remote hackers using stolen credentials caused a Ukrainian blackout about four months ago that took down the country’s entire power grid.

"These are all fairly significant events," he said. "We're seeing more and more of that by adversaries."

Internet of Things

More and more devices are being connected to the Internet, Ledgett noted. Some 6.4 billion things worldwide will be connected by the Internet this year, he said, and by 2020, that number will be about 20.8 billion. The challenge is identifying emerging risks and vulnerabilities that come about with the introduction of new hardware and software, he said.

"Any system is only as strong as its weakest link," Ledgett said. Most types of devices connected to the Internet are built with differing security profiles and updated on differing timescales, and every time it's updated, that's another opportunity for a security vulnerability, he added.

Cybercrime is one example, Ledgett said. A million pieces of malware come out every day, he said, and 1.5 million criminal cyber events take place every year.

"Today, anyone with a computer and a fairly decent level of knowledge and an Internet connection can pose a very serious threat to an individual, a business, a city and a foreign nation," he said.

The Joint Service Academy Cyber Security Summit was co-hosted by the Army Cyber Institute and Palo Alto Networks.