CYBERATTACKS rank second only to acts of terror in the current risk landscape compiled by the US Department of Homeland Security (DHS). The number of cybersecurity incidents is on the rise, and businesses of all sizes and in all sectors are at risk.
Klint Walker, cybersecurity advisor for DHS, provided an update on the growing threat during the first day of National Tank Truck Carriers’ Safety & Security Council Annual Meeting held June 18-20 in Ft Lauderdale, Florida. He also discussed ways DHS’s Office of Cybersecurity and Communications can help businesses safeguard their computer networks more effectively.
Cyberspace has become a foundation for the way businesses are managed today, and technology is increasingly essential in our daily lives. Incredible amounts of information and data are now stored online, and government and private sectors are increasingly interlinked domestically and internationally.
The number of cyberattacks on these systems has never been greater, and the sophistication and complexity of these attacks are increasing, according to Walker. “The attackers know your weaknesses,” he said. “They know how to target your operation. They hit when they know it will hurt you worst. Businesses need to develop aggressive strategies to lock down their network systems and eliminate any back-door access.”
In the wake of the terrorist attacks on Sept 11, 2001, DHS developed Protective Security Advisors to focus on cybersecurity issues. The department has stationed 155 PSAs across the United States. They show companies and other organizations how to protect their critical infrastructure.
Walker pointed out that 80% of critical infrastructure is not operated by the federal government. It is in the hands of state and local government and private industry.
DHS has focused on a voluntary approach for its cybersecurity effort. “Several years ago, we added the cybersecurity advisor program,” Walker said. “DHS was concerned about the ability of a hacker sitting at a keyboard a half a world away to attack our critical infrastructure. Currently, there are 1,500 of us in the cybersecurity advisor program.”
He went on to list three categories of incident response: threat response, asset response, and intelligence support.
“FBI is responsible for threat response,” Walker said. “They are there to eliminate the threat. They are there to take the threat out of the picture for everybody. They are supposed to capture the bad guy and put him in jail.
“DHS is focused on asset response. We are not concerned with taking out the threat. Our focus is on protecting the homeland. We’re there to help an operation get back up and functioning as soon as possible.
“Both agencies work together on intelligence support.”
In describing the cybersecurity environment in the United States, Walker said that within industry, there was a time when various operating systems were completely segregated. Many operations, like power plants, used industrial control systems that were not technically part of the internet. Industrial controls include elevators and HVAC systems. Over time we have interconnected everything. Now the IT systems are running the industrial systems. That’s where the biggest threat is today.
Most industries and agencies have gone from not being a target at all to being a number one target for bad actors. “We’ve seen more and more attacks on operations that were once secure—hospitals, police and sheriff departments, and electrical grids,” he said.
Cyberspace is the new foundation for our country. Everybody depends on it. “How many of you have a Nest thermostat?” he asked. “How many of you have a smart TV that gives you Netflix and Google? How many of you have a smartphone? How many of you are connected to your work network through your home phone? How many of you are attached to your work through your home network?
“When you do this, you’ll often bypass all of the IT security system of your company’s network. It’s a backdoor to your employer network. With everything becoming interconnected, it increases the bad guys’ advantage.”
Bad guys are becoming more sophisticated. “What I’m talking about is the lengths they will go to attack your system. They are actually using computer code that has been around for a while. They are casing your system in the same way a robber would case a bank. They are looking at who your business partners are. They are looking several degrees around you—it’s the Kevin Bacon effect. They are looking for someone who has lower security than you do.”
These hackers are particularly sophisticated in that they understand the company’s business processes better than the company managers do. “They are getting into your networks and staying there long-term to determine how to hurt you the most,” he said. “The more things you attach to your system (like smart phones, cameras, location trackers, and all kinds of smart devices), the more surface area that is available for the bad guys to attack you.
“When we are evaluating systems, we are finding that the threat has been in that system an average of 300 days before launching an attack. These hackers look like normal traffic.”
Employees not following security requirements are a company’s biggest threat. It may not be an intentional or malicious act. “Why do you allow your employees to access Amazon or Netflix from company computers or the company network?” Walker asked. “Let them use their own personal devices.”
“This growing sophistication of hackers is the sort of thing that keeps me awake at night,” Walker said. “We in the federal government can no longer defend the cybersecurity of critical infrastructure in this nation by ourselves. We have to do it as a group. We need to share information about an incident to contain it. You need to talk to each other throughout your industry, not just DHS.
“My guess is that most of you use the same sort of IT setup—the same manufacturers, the same hardware and software. So when a hacker creates a virus, why would he attack just one of you when he can go after the entire sector? We’re seeing more of these broad ecosystem attacks.
“We won’t leave you in the dark. You can call DHS at no charge to you for incident response, malware analysis, penetration testing, forensics, up-to-date information on threats and vulnerabilities, software architecture reviews, security assessments. Your IT department needs to be holding at least annual cybersecurity incident response exercises. You’ve got to train, train, train.”