Ethical hackers talk cybersecurity
Khai Trung Le talks to ethical hackers to discuss the increasing information security risks resulting from fourth industrial revolution cyber-physical systems.
In July 2017, more than 12 power plants in the USA, including the Wolf Creek nuclear station in Kansas, were breached in hacking attacks that sought to map computer networks for future incursions. While a statement from the US Department of Homeland Security (DHS) stated that there was ‘no indication of a threat to public safety’, a DHS report suggested that the attacks were conducted by a foreign power and carried the second highest threat rating.
There is a temptation to picture the intricate complexities of nation states infiltrating infrastructure across the world. But Materials World would be so bold as to suggest this wasn’t it. The hackers reportedly breached the Wolf Creek station by sending malicious code in targeted emails mimicking job applications to senior engineers at operating firms managing nuclear plants.
This example is perhaps extreme. However, it is indicative of the potential damage from hackers and digital attacks, and the simplicity of their methods. Marina Kidron, Group Leader at the Skybox Security Research Laboratory, believes that the reliance on networked control systems has led to a 120% increase in vulnerabilities in energy and manufacturing industries, with threats including malware, nation state attacks, and lone wolf criminals.
According to the Skybox report, Vulnerability and Threat Trends Report 2018, server-side vulnerabilities are becoming more common. While in 2016 exploited client- and server-side vulnerabilities were split 41–59%, vulnerabilities in server-side applications have since increased to 76% of total exploits. Possible reasons include greater abuse of backdoors in software, which companies often use to fix bugs and patch systems but which inadvertently act as access points for digital attacks.
Materials World spoke with two ethical hackers – professionals with the knowledge and tools of a malicious hacker, but who operate in a lawful and legitimate manner to assess security systems – on the condition of strict anonymity, wryly choosing the pseudonyms Hal and Kit, about their thoughts on the fragility of cyber-physical systems.
Hal and Kit believe that further commitment without a thorough, widespread overhaul of security procedures and protocol may be more harmful in the long run. Arguing that digital attacks are inevitable, Hal believes risk mitigation will be more beneficial than prevention. ‘If your business is a tempting target, your systems are going to be infiltrated. Corporations are inflexible, move slowly, and spend lots of money on security measures that quickly will be outdated. Whereas the attacker has fluidity, can respond faster, and attack methods and tools are getting cheaper and easier to acquire.’
Hal states education is the quickest and most effective means of mitigation. ‘The weakest link is the person [behind the device]. Browsing the internet without understanding what they expose themselves to, using predictable usernames and passwords – and most companies have backwards attitudes to password protection, thinking complicated procedures help – and opening suspicious emails and attachments. I’m not sure if there’s anything that will stop the user being the easiest access point, but better knowledge can only help.’
Kit claimed even the mere use of the term cybersecurity revealed an archaic understanding. ‘The word “cyber” is a relic. It’s better used to describe goths really into synth trance than [an increasingly essential] approach to information control. Something more akin to information security, or quite frankly even just security, should be used.’
The hackers said the relative obscurity of materials science industries may offer them more time to refine their security, with Hal and Kit targeting entertainment and technology organisations that ‘are smart enough to appreciate my efforts in exposing fox holes [in their infrastructure],’ said Hal. ‘But that doesn’t mean they aren’t on someone’s radar.’ However, the EEF report, Cyber Security for Manufacturing, published in late April 2018, disputed his claim, revealing the manufacturing sector as the third most targeted for attacks, with almost 50% of UK manufacturers having been subjected to cyber-attacks.
Old-fashioned networking
In January 2018, a study by international relations think tank, Chatham House, speculated that nuclear weapons systems are increasingly vulnerable to digital attacks, incidentally citing reasons familiar to Hal and Kit – a failure to keep up with fast-changing technological advances, lack of skilled staff, and slowness of institutional change.
The study stated, ‘Nuclear weapons systems were developed before the advancement of computer technology and little consideration was given to potential cyber vulnerabilities. As a result, current nuclear strategy often overlooks the widespread use of digital technology in nuclear systems’.
Fortunately, there is evidence that organisations are beginning to respect the need for information security, and are taking fresh steps in the face of new danger. The Open Web Application Security Project, a repository of web application security information, has laid out security suggestions in its Internet of Things Attack Surface Areas project, and is looking to create guidelines for businesses to follow. Similarly, Innovate UK and the Knowledge Transfer Network have run events to discuss the implications of the fourth industrial revolution, including Industry 4.0 Hack & Pitch 2018, inviting participants to identify alternative solutions to risks to the UK manufacturing industry.
Hal and Kit were amused, but positive about the impact of these events. Kit said, ‘We met,’ referring to Materials World’s meeting, ‘through a friend. I don’t believe you would’ve spoken to people like us for the magazine. But you asked him for people who could help, he got in touch with us, and now we’re talking. Sometimes the old-fashioned way of doing things is still the best.’