by Scott Lindley
Hacking has become a far bigger threat than most think. Indeed, the greatest risk to national security comes not from aircraft carriers or infantry divisions, but from a computer with a simple Internet connection located anywhere in the world. The U.S. federal government suffered a staggering 61,000 known cybersecurity breaches last year alone. Protecting users from professional hackers is imperative for specifiers.
Odds are most of us do not work for organizations as large as the U.S. government or as big a target as a major corporation, but that should not give specifiers rest. Many hackers are simply amateurs trying to get into any system they can—a phenomenon referred to as ‘opportunistic hacking.’ When such hackers get in, they like to change code to create mayhem. Providing anti-hack, card-based access control systems eliminates one of these hackers’ more popular opportunities.
Design/construction professionals’ reputations can be tarnished by providing systems (e.g. contactless card-based access control systems) that get hacked. Further, it is only a matter of time before the federal government holds the industry liable for not protecting these systems when there are scores of remedies available to hinder the hacking of access control and other wireless, computer-driven systems. Specifying and incorporating such safeguards is becoming a very important aspect of any security solution for design/construction professionals.
To give businesses an incentive to meet cybersecurity threats, the Federal Trade Commission (FTC) has decided it will hold the business community responsible for failing to implement good cybersecurity practices, and is now filing lawsuits against those that do not. For example, in the summer of 2015, an appeals court backed the FTC’s lawsuit against the hotel chain operator Wyndham Worldwide for not protecting consumers’ information. Also, this January, the commission filed a lawsuit against D-Link and its U.S. subsidiary, alleging the company used inadequate safeguards on its wireless routers and IP cameras, leaving them vulnerable to hackers.
The FTC is recognizing a problem some security practitioners do not appreciate. To get into information technology (IT) as well as critical-infrastructure operational technology (OT) systems, hackers look for the easiest path, leveraging many different physical assets—including those within the enterprise security system itself. They typically start with hardware that will give them access to specific computers, which in turn give them access to the target’s external and internal Internet.
It is important to mention both IT and OT systems, because most everyone understands what IT is, but very few are familiar with OT. IT security lives in the context of networks, servers, storage, apps, and data—it involves a system where many hosts are communicating with each other and where frequent patch cycles occur over weeks or sometimes days in response to expected and known cyber threats. Essentially, IT security protects data. An attack on the IT system can create very big problems, from transferring funds to stealing personal information such as social security numbers or protected files. However, the new trend of attacking the OT system can be even worse.
Beyond white-collar offices and data centers—often, miles away—are the industrial control systems (ICS) that run organizations’ operations. In industries as diverse as oil and gas, power generation and distribution, healthcare, transportation systems, and manufacturing, ICSs create automated solutions that increase productivity by connecting sensors, machines, and instruments. They control local operations such as:
- opening and closing valves and breakers;
- collecting data from sensor systems to turn up the heat of furnaces; and
- monitoring the local environment for alarm conditions.
When ICSs are hacked by sophisticated government-backed entities, havoc can run rampant. For instance, a little over a year ago, approximately 1.4 million homes in western Ukraine lost their electricity for several hours due to a very advanced attack. Once the hackers had access, they first manually opened the breakers, then employed the BlackEnergy virus to hinder efforts to locate and restore them. (The BlackEnergy virus is a sophisticated piece of malware with a modular architecture, suitable for sending spam and for online fraud.) There was also a simultaneous distributed denial-of-service (DDoS) attack on the utilities’ call centers to slow down customer reports of outages.
Breaches of the operating system at a dam outside New York City were also attributed to hackers—hackers from companies performing work on the Iranian government’s behalf, according to the Justice Department. The perpetrators successfully obtained unauthorized access to the Supervisory Control and Data Acquisition (SCADA) systems of the dam, but the Federal Bureau of Investigation (FBI) found those behind the cyber intrusion.