Cyber Threats To US Business Grow More Dangerous: Fed's Security Chief
WASHINGTON - Attacks on U.S. computer networks could escalate from mere inconveniences to disasters that ruin companies or even kill people, according to the head of a cyber-security unit working with the U.S. government.
Scott Borg, director of the Cyber Consequences Unit, or CCU, a Department of Homeland Security advisory group, said increasing intelligence "chatter" was pointing to possible criminal or terrorist schemes to destroy physical infrastructure such as power grids.
The CCU is considering how to prevent attacks beyond ubiquitous e-mail hoaxes or computer viruses, with concerns rising about plots to cause power blackouts, tamper with pharmaceutical products or reprogram machinery to build dangerously defective products.
"Up to now, executives and network professionals have been worrying about what adolescents and petty criminals have been doing. They need to start worrying about what grown-ups could do," Borg said in a recent interview.
Attractive targets include vital "supervisory control and data acquisition" (SCADA) systems, like those in a power plant that open and close valves or adjust temperature and pressure.
"Chatter on SCADA attacks is increasing," Borg said, referring to patterns of behavior his unit has observed suggesting that criminal gangs and militant groups like al Qaeda are becoming capable of carrying out such attacks.
Borg's CCU, a small independent unit funded by Homeland Security, spends its time trying to imagine how technology could be used to cripple the United States. It also holds cyber-security exercises for U.S. corporations and investigates reports of attacks on computer systems.
CRISIS AFTER 3 DAYS
A major crisis could be triggered, for instance, by shutting down critical computer systems for as little as four days.
"Our entire economy is set up to manage through long weekends," Borg said. "If you shut down longer than three days, supplies begin to run out. After three days, costs begin to take off."
While everyday hackers may target credit card or other personal information as it crosses the Internet, more sophisticated attackers concentrate on "data at rest," which could cause far greater damage.
This kind of data might include a pharmaceutical company's drug development databases, or software programs that manipulate data, such as formulas for generating financial statements.
In one hair-raising scenario, Borg describes how attackers might change specifications at an automobile plant and cause a car to "burst into flames after it had been driven for certain weeks or months."
Another potential attack could involve infiltrating hospitals or pharmacies to change medical data such as dosages or treatment schedules.
"An attack, if well planned, could run for months without being detected," Borg said. "Now, imagine if they go public on a Web site and announce what they have done. Stocks would go into a free fall. Liability lawsuits would pile up."
Based on discussions with banks, manufacturers and other industries, the CCU has prepared a security checklist for companies identifying 16 potential avenues of attack.
Surprisingly, one of the biggest security holes comes from adding extra connections for the convenience of senior managers without following required procedures, he said.
While keeping track of how employees access and use systems is one of Borg's main concerns, he also believes those very same employees are best positioned to help prevent serious security breaches.
"The best way for companies to discover security holes is to ask trusted employees to attack their own company," Borg said.
Other suggestions to enhance security include tougher access controls to equipment, better password management, more rigorous background checks and aggressive monitoring of employee and supplier behavior for unusual activity.