Experts: Cybersecurity is becoming a bigger problem for mission-critical entities (with related video)
There once was a time when only enterprises needed to worry about cybersecurity attacks from hackers, but evidence is mounting that public-safety and critical-infrastructure entities now are in the crosshairs, according to experts who spoke on the topic last week at the Association of Public Safety Communications Officials' conference in Philadelphia.
Jeremy Smith and J. Kevin McGeary are senior consultants with L.R. Kimball's cybersecurity practice. They provided details on the Stuxnet worm that attacks computers utilizing Windows operating systems or Siemens industrial software. SCADA systems particularly are vulnerable, and the worm allows data to be stolen.
McGeary described the worm — which first appeared in 2009 and was used most notably in an attack on Iran's nuclear program that resulted in about 30,000 computers being affected — as "groundbreaking" for a couple of reasons. The first is that it is capable of mutating. The second is even more frightening.
"It's one the first known examples of an actual attack that is suspected to have been done by a nation state," McGeary said. "In other words, cyber-warfare, if you will.
"This was not an attack on some of the normal enterprise computing systems, like e-mail that we all read about almost every day. This was a specific, directed attack on the kind of systems — in this case, running a plant — that are analogous to the mission-critical networks and systems that [public safety] is working with and building every day."
McGeary and Smith cited other examples. For example, in February 2011, a computer virus shut down an Australian ambulance company's CAD system. In May 2009, the city of Dallas suffered a similar attack on its CAD system, one month after the Texas Department of Public Safety contracted a computer virus that shut down its statewide computer system.
Any IP-based network is vulnerable to an attack, but the convergence of subsystems — a trend that is proliferating throughout public safety — will make such networks even more vulnerable, McGeary said.
"As we begin to connect all these pieces, it's not enough to protect any one of them," McGeary said. "You have to protect the network itself."
McGeary stressed that he isn't against convergence, which is a useful approach for any enterprise because it allows information to flow from end to end. But he quickly conjured a familiar adage, that the chain is only as strong as its weakest link. "What you haven't protected becomes the entry point," he said.
Providing such protection is much more challenging today than it was in the past, according to McGeary.
"In the past, legacy systems were hardware-based systems that didn't have a lot of intelligence or information to control," he said. "For example, in a 911 network, there tended to be a hard-wire link between the PSAP and the central office, and there was relatively limited information being exchanged. There wasn't a lot to attack."
In contrast, today's IP-based systems — many of which are interconnected — are "exponentially" increasing the opportunities for hackers, because there are many more breach points, McGeary said.
All of that said, it's not just IP-based systems that are vulnerable. McGeary cited a recent University of Pennsylvania study that identified security weaknesses in Project 25 radio systems.
So, what can a public-safety agency, or other critical-infrastructure entity, such as a power utility or transportation department, do to protect itself? The first step is to understand that security is all about availability — more specifically limiting it, according to Smith.
"It's about making sure that the mission-critical resources that your people need to do their jobs are made available only to the right people," he said. "If I had to sum up security in one word, it would be 'availability.'"
Consequently, encryption, firewalls, virtual private networks and anti-virus software should be the foundation of any agency's defense. But physical security often is forgotten in the zeal to protect the network, which can be a big mistake. For a public-safety agency, that means sites — particularly those located in the middle of nowhere, such as on a mountaintop — must be protected, as they can provide a point of entry into the network.
In addition, agencies must implement security protocols to protect themselves when employees connect their personal devices to the network, which can lead to inadvertent attacks.
"A basic example would be someone who downloaded some music onto a thumbdrive and then plugged it into a computer somewhere on your network, and it turns out that the file is infected," McGeary said.
Also common is a virus attack unleashed unwittingly by a service technician who has plugged his computer — infected without his knowledge — into an agency's network to perform a diagnostic check.
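As an added example for the thumb-drive and technician-laptop scenarios above (this is illustration code, not from the article or from L.R. Kimball), the following detector scans constructed Linux kernel syslog lines for USB mass-storage enumerations and flags any device whose vendor:product id is not on an assumed agency allowlist; the log lines, hostnames and allowlist are all made up for the example.

```python
import re

# Constructed sample syslog lines (not real captures) from three hypothetical agency hosts.
SAMPLE_LOGS = """\
Aug 12 08:01:13 dispatch-ws03 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Aug 12 08:01:13 dispatch-ws03 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Aug 12 08:01:14 dispatch-ws03 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Aug 12 09:17:45 dispatch-ws07 kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c52b
Aug 12 09:17:45 dispatch-ws07 kernel: input: Logitech USB Receiver as /devices/usb2/2-1
Aug 12 14:02:09 tower-site-12 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666
Aug 12 14:02:10 tower-site-12 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: vendor:product ids the agency has approved for removable storage.
APPROVED_STORAGE = {"0951:1666"}

# Device enumeration line: records which vendor:product id sits on a given host/port.
NEW_DEV = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Mass-storage line: the moment a storage-class device (thumb drive, external disk) binds.
STORAGE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
    r"USB Mass Storage device detected"
)


def find_unapproved_storage(log_text, approved=APPROVED_STORAGE):
    """Return (host, port, vid:pid) for every mass-storage attach not on the allowlist.

    Keyboards, mice and other non-storage devices never emit a usb-storage line,
    so they are enumerated but never alerted on.
    """
    last_device = {}  # (host, port) -> most recently enumerated vid:pid on that port
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEV.match(line)
        if m:
            last_device[(m["host"], m["port"])] = f"{m['vid']}:{m['pid']}"
            continue
        m = STORAGE.match(line)
        if m:
            dev = last_device.get((m["host"], m["port"]), "unknown")
            if dev not in approved:
                alerts.append((m["host"], m["port"], dev))
    return alerts


if __name__ == "__main__":
    for host, port, dev in find_unapproved_storage(SAMPLE_LOGS):
        print(f"ALERT: unapproved removable storage {dev} on {host} port {port}")
```

In the sample, the thumb drive on dispatch-ws03 is reported while the approved drive at the tower site and the mouse receiver on dispatch-ws07 are not.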
Then there are breaches that make security professionals shake their heads in wonderment.
"One of the things we like to do when we conduct a penetration test on an organization is to drop thumbsticks in the organization's parking lot," Smith said. "Those thumbsticks have a dummy virus on them, and when people pick them up and stick them into their computers, we know we have a training issue to address."
Smith also told of one PSAP where all 15 dispatchers were using the same password, regardless of what shift they were on.
"That obviously creates all sorts of issues," he said. "I was actually stunned by that."
In these trying budgetary times, it might be tempting for an agency to push cybersecurity to the back burner. Smith cautioned against such an impulse.
"I'm a big believer that some security is better than no security," he said.
The very first step should be a gap analysis, Smith added.
"If you don't know where you are, it's going to be difficult for you to get to where you want to go," he said.