Infrastructure Software Vulnerabilities Raise Concern Among Cybersecurity Experts
(TNS) Vulnerabilities in software that automates everything from factories to traffic lights have become the nation’s top cybersecurity threat, an agent on the FBI’s Denver Cyber Task Force said Thursday in Colorado Springs.
Supervisory control and data acquisition software is used to control, sometimes remotely, many types of devices in the energy, transportation, manufacturing and other industries and often is connected to sensors, valves, pumps, motors and other types of equipment to ensure safe operation, detect problems and maintain quality. The systems can be vulnerable to cyberattacks because they sometimes aren’t protected by sophisticated security systems, since they aren’t accessible to or used by members of the public and usually are located in areas away from the public.
Dan Leyman, special agent in the Denver Cyber Task Force, said the industrial control software is the biggest threat for the FBI because it is used to control much of the nation’s critical infrastructure, ranging from dams and power grids to traffic control systems and waste water treatment plants. He made the comments during a panel discussion at a breakfast briefing on cybersecurity held at the Cheyenne Mountain Resort by FedInsider.com, a Washington, D.C.-based website specializing in information and education about government management.
Most of the world’s high-profile cybersecurity incidents involve theft of consumers’ personal information from retailers, insurers and other businesses or so-called “ransomware” like the “WannaCry” attack that compromised more than 200,000 computers in 150 nations last month, Leyman said. Many cyberattack victims are reluctant to contact the FBI due to fears of bad publicity damaging the reputation of a business or government agency if reports of the attack become public, but the FBI is barred from publicly disclosing the victim or details of the attack, he said.
“Our goal is to identify and prosecute the bad guy. We need to find out who did what to whom. The biggest issue in getting victims to report incidents is fear of public disclosure. We aren’t allowed to do that. We can’t identify and prosecute the perpetrator unless we know about the incident,” Leyman said.
Many government agencies and small businesses don’t know who to call when they have become a victim of a cyberattack, said Ed Rios, CEO of the National Cybersecurity Center in Colorado Springs. He related how a local school district suffered a “denial of service” attack in which hackers overwhelm a business or government agency’s computer system with internet traffic. The district called the El Paso County Sheriff’s Office, the FBI and the Colorado National Guard but couldn’t get any help until the guard referred the district to the cybersecurity center, he said.
Rios didn’t identify the district, but Colorado Springs School District 11 suffered a denial of service attack in 2015 during the first year of computerized student testing, delaying some testing for a day. School districts in Florida and New Jersey had reported similar experiences at that time.
Trace Ridpath, director of information technology governance and security for the Colorado Governor’s Office of Information Technology, said many cybersecurity vulnerabilities are linked to “bad coding” in software that allows easy access to a device and isn’t discovered before a cyberattack. He is especially concerned with the growing number of internet-connected devices, which often are collectively referred to as the “internet of things” and can include everything from fitness and home security monitors to home appliances and thermostats.