http://www.extremetech.com/extreme/233017-hacking-us-infrast
ructure-how-vulnerable-is-it


Hacking US infrastructure: How vulnerable is it?

   - By Ben Algaze <http://www.extremetech.com/author/balgaze> on August 4,
   2016
   - Hacker News

[image: Description:
484276-the-best-infrastructure-management-services-of-2015]

Is our infrastructure vulnerable to hackers? The short answer to the
question, unfortunately, is yes. But it’s not like no one is thinking about
the issue or doing anything about it. As with the dire predictions of Y2K
meltdowns from the turn of the millennium, while there are definite and
potentially huge risks, both the public and private sectors are working to
mitigate them.
Power grid and utility vulnerability

The Ukraine power grid attack in December 2015 was a sobering wake-up call
of the extent of what is possible. In that event, which some security
experts have called cunning and brilliant
<https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/>,
the hackers planned the attack by infiltrating the power utility systems
over a period of months. Using some old-school exploits like Microsoft Word
file attachments with an infected macro that downloaded malware, and
careful infiltration of the network stealing remote login credentials over
time, the hackers were able to get control of the system to ultimately shut
off power to 230,000 people in a cold winter.

The good news is that manual overrides were able to turn the power back on
relatively quickly, but some parts of the Ukraine grid took longer to
return. Russia is suspected to be behind that attack, given the tensions in
the region, but the cyberwarfare world has both state and non-state actors.
Russia, China, Israel, Iran, North Korea, and the US all have cyber units,
and terrorist groups like ISIS and many other lesser known groups have
engaged in cyberattacks for coercive, monetary, or political motives.

Part of the risk in cyber intrusions on infrastructure is the connection of
these systems to the internet. Many ICS/SCADA (Industrial Control
Systems/Supervisory Control and Data Acquisition) systems are based on
older technology. The grafting of internet and networking capabilities to
these systems enable remote monitoring and control, and sometimes
end-customer access to utility usage and billing data. Sometimes, these
newer forms of access are not adequately shielded from systems that control
vital aspects of the utilities.

A case in point involved a Verizon report of a data breach
<http://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report>
at an unnamed water utility in the US in March. That utility’s SCADA
platform was based on an IBM AS/400 minicomputer, a 1980s era system, and
incorporated valve flow and control software as well as IT applications
like customer billing. The system was connected to an end-customer online
payment portal. Hackers exploited a flaw in the portal to gain access to
the AS/400 admin credentials, essentially gaining control over almost all
of its applications.

Aside from stealing 2.5 million customer account records, including billing
information, what’s more frightening is that the hackers were able to gain
control over the valve and flow software. They were able to control the
chemicals in water treatment and affect the rate at which water was
returned for usage. Fortunately, other indicators alerted the water
utility’s staff of what was happening and that the system was overridden.
But it’s clear that if a series of coordinated attacks were done on vital
systems, the havoc would not be easy to contain.

Interestingly enough, some of these issues can be ameliorated by simply
better use of existing technology. For example, many remote or VPN logins
don’t use two-factor authentication – something increasingly deployed now
on many consumer-facing services. This could help thwart many situations of
hackers halfway around the world stealing passwords via various known
means. Part of the reason is that, in many cases, locally run utilities
have regulated rates and limited budgets, and often software upgrades are
put off. The “if it ain’t broken, don’t fix it” mentality can delay
necessary security improvements, especially when modifying older technology
that may introduce new issues.

Another attacker exploit being discovered is infecting the software upgrade
mechanisms of ICS/SCADA vendors. Just like Windows Update, these vendors
have either manual or automated firmware and software upgrade mechanisms.
So rather than break into a specific system, a hacker could plant malware
in a software update. That malware may lurk in systems for months or years,
ready to be triggered by some specific attack or time-based event.
Smart cities and other infrastructure concerns

Water and electric infrastructure may be particularly vulnerable due to the
age of the systems and the universal dependence on these services. But
obviously other infrastructure of critical importance may be equally
vulnerable – transportation, energy, communications, and healthcare are
others. There have been well publicized cases of ransomware attacks
<http://www.pcmag.com/news/343184/another-hospital-falls-victim-to-ransomware>
on hospital health record systems. While in several of those cases, the
hospitals have quickly paid up relatively small sums (compared with the
cost of not having their system back), in a cyberwar scenario the effects
could be far costlier and deadlier. The Department of Transportation lacks
a coherent cybersecurity strategy. With the push for smarter cities
<http://www.extremetech.com/extreme/226739-how-smart-cities-will-work>,
more internet-connected city information and services, and a looming future
of autonomous cars, the importance of best practices and standards for
cybersecurity in transportation is increasing exponentially.

The Stuxnet <http://www.extremetech.com/tag/stuxnet> worm virus, reported
developed by Israel and the US, is said to have severely slowed Iran’s uranium
enrichment development
<http://www.extremetech.com/computing/130325-confirmed-us-and-israel-waged-cyberwar-on-iran>
for a nuclear weapon. It is one of the best-known cases of states using
cyber capabilities as an alternative to physical attack to reach an
objective. We should be mindful that our own nuclear energy infrastructure
needs to be better protected. A recent report
<http://www.nbcnews.com/news/us-news/nuclear-computers-especially-vulnerable-cyberattacks-rise-watchdog-says-n495156>
indicates that attacks on U.S. non-military nuclear systems are increasing.
Part of the problem is that there are contracts with vendors that deal with
maintaining security, but many of these do not go into enough detail about
monitoring, reporting, and performance metrics. Nuclear energy is heavily
regulated, and security has always been taken seriously. But it is also an
industry with aging infrastructure, and the same budget issues that apply
to other utility infrastructure apply here as well.

Does all of this sound scary? It is, but the threats are being taken
seriously. In this presidential election season, even the voting systems
are also being considered. Considering the recent Democratic National
Committee hacks
<http://www.extremetech.com/internet/232307-fbi-cybersecurity-experts-investigating-potential-russian-ties-to-dnc-email-leak>,
the Department of Homeland Security is looking into ways
<https://www.buzzfeed.com/johnstanton/homeland-security-chief-concerned-hackers-could-infiltrate-v?utm_term=.seRjNQdRm#.jnRJe78xW>
the election infrastructure can be better protected. Some of the concern
comes from increasing use of wireless technology in voting machines to
tabulate and aggregate voting data. It is a complicated task, with over
9,000 jurisdictions controlling voting across the country. But
understanding potential threats and security best practices can limit the
possibility of tampering with the system. Regardless of the severity of
potential consequences, it’s impossible to protect against every threat, in
either the cyber or physical world.

In time for Black Hat and DEFCON, we’re covering security, cyberwar, and
online crime all this week; check out the rest of our Security Week
<http://www.extremetech.com/tag/security-week> stories for more in-depth
coverage.




------------------------------
[image: Avast logo] <https://www.avast.com/antivirus>

This email has been checked for viruses by Avast antivirus software.
www.avast.com <https://www.avast.com/antivirus>



__._,_.___
------------------------------
Posted by: "Beowulf" <[email protected]>
------------------------------


Visit Your Group
<https://groups.yahoo.com/neo/groups/grendelreport/info;_ylc=X3oDMTJmYTJwZHRvBF9TAzk3MzU5NzE0BGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDdnRsBHNsawN2Z2hwBHN0aW1lAzE0NzA1MDM4MjE->


[image: Yahoo! Groups]
<https://groups.yahoo.com/neo;_ylc=X3oDMTJlbGMzdXNuBF9TAzk3NDc2NTkwBGdycElkAzIwMTk0ODA2BGdycHNwSWQDMTcwNTMyMzY2NwRzZWMDZnRyBHNsawNnZnAEc3RpbWUDMTQ3MDUwMzgyMQ-->
• Privacy <https://info.yahoo.com/privacy/us/yahoo/groups/details.html> •
Unsubscribe <[email protected]?subject=Unsubscribe>
• Terms of Use <https://info.yahoo.com/legal/us/yahoo/utos/terms/>

__,_._,___

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to