Vulnerabilities to Cyber Attack
As information technology has advanced and more of daily life has come to depend on services provided by an Internet-connected array of organizations, the threat of cyber-attack has grown with it. One of the aspects that makes the cyber-threat so elusive is the ability of attackers to mount assaults from anywhere in the world. The motives for these attacks are varied, ranging from state-to-state cyber warfare through corporate espionage to lone-wolf “hackers.” In the current environment the question is not whether a corporation or other highly visible target will be attacked, but how the attack will be perpetrated and how many attacks the organization will endure. This report examines the types of attacks that are launched, the targets of those attacks, and the efforts to resist breaches. The evidence covered has been compiled from reports by both official sources and media outlets that have documented the circumstances on both sides of the cyber-attack equation. Through this research, it will be made clear that the threat is growing and that the race between the defenders against cyber-attack and those behind the assaults is never won. Protection efforts require constant updating in order to stay one step ahead of intruders and disruptors.
Vulnerabilities to Cyber Attack; Critical Private Infrastructure
The worldwide problem of cyber-attack is a multifaceted field of methods, means, and motivations. Threats come in a variety of sizes and strengths, and intentions are often a mystery as the attack commences. The cyber-warfare battlefield is so complex and ever-changing that even the most up-to-date examination runs the risk of being obsolete by the time it is published. The problem is exceedingly difficult because of the wide range of tactics employed by cyber-attackers and the growing array of tools at their disposal. Once protection systems are put into place, a different vulnerability is discovered and exploited. While the number of potential targets is undefined, among the most dangerous arenas is critical private infrastructure.
Critical private infrastructure is a category that encompasses a wide range of entities. Everything from financial institutions and health care facilities to energy providers and telecommunications corporations falls under this category. The damage that could be inflicted upon any one of these industries, or any one of the companies within them, could cause a level of disruption that destabilizes society.
In order to explore the circumstances fully, an examination of the types of attacks, the types of actors, and the targets is required. Once the threat is adequately framed, the potential means of fortifying targets against attack can be considered. One thing is abundantly clear from the research: no solution is fool-proof, and covering one vulnerability invariably exposes another.
Sources of Attack
The means by which cyber-attackers gain entry into a given system can be categorized as one of several types of attack. The overall goals of cyber-attacks, in general, are to steal information, alter records or diagnostic readings, or destroy property and systems. There are five types of cyber-attackers that are potential threats to private infrastructure (Denning & Denning, 2010).
- Criminals: Cybercriminals are attackers who attempt to breach the systems of private organizations to steal assets or to obtain access that can be used in a money-making scheme. These actors target all sorts of organizations but most commonly seek out financial institutions or any other place where the financial information of employees or customers would be exposed by a breach (Denning & Denning, 2010).
- Industrial competitors: This category of attacker is most commonly interested in breaching the systems of other organizations to obtain information that can be used to gain a competitive advantage in business. Corporate espionage is geared toward gaining access to sensitive information or disrupting the operations of the target company in order to seize business opportunities in the market (Denning & Denning, 2010).
- Civilian hackers: This group of cyber-attackers can be motivated by an opportunity for larceny but is most often interested in breaching systems for the sake of doing so. Stories of successful hackers being hired to work in information technology security often motivate this group. Where there is no identifiable goal, the reason for attacks from this group is merely a high-stakes hobby (Denning & Denning, 2010).
- Activists: Commonly referred to as “hacktivists,” these attackers are motivated by a social or political cause they hope to advance through cyber-attack. An environmental activist might use this strategy to disrupt an oil company or another organization the hacktivist sees as damaging to the environmental cause (Denning & Denning, 2010).
- Foreign intelligence services: State-sponsored cyber-attacks, commonly launched with the aid of a foreign intelligence service, can combine elements of motivation from several of the above categories. Foreign hackers can be motivated by mere disruption, the acquisition of information, or the theft of assets (Denning & Denning, 2010).
The means by which each of these types of cyber-attacker gains entry into a private infrastructure entity are as varied as the reasons for the attack. One of the primary means of getting inside a private company’s system is a tactic called “phishing.” Phishing is the process of getting a member of the company who has access to the system to disclose information the attackers can use as their own point of entry. An employee will commonly receive a message through e-mail or another messaging service that imitates an official inquiry. The message prompts the user to enter credentials or other information for verification or some other innocent-seeming purpose. Once the information is entered, the attacker retrieves it and can gain access through the normal means of logging into the system (Ten, Manimaran & Liu, 2010).
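As an added illustration, not part of the original report or its cited sources, the following Python script applies the tell-tale signs of the phishing message described above (a sender posing as an official party, a link whose visible text and real destination disagree, a look-alike domain, pressure to act now) to two constructed e-mail messages, one lure and one legitimate notice. The organization name, the trusted domains and both sample messages are assumptions made for this example.

```python
"""Flag common phishing indicators in a raw e-mail message.

Each check appends one human-readable indicator. The trusted domains, the
organisation name and the two sample messages are constructed for this
example and are not taken from the original report.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_ORG_NAME = "contoso"                                    # assumption
TRUSTED_DOMAINS = {"contoso.example", "login.contoso.example"}  # assumption
URGENCY_PHRASES = ("verify your account", "within 24 hours", "suspended",
                   "confirm your password", "immediately")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def registrable(domain: str) -> str:
    """Collapse subdomains: login.contoso.example -> contoso.example."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (contos0 vs contoso)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates (one character off), else None."""
    d = registrable(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t = registrable(trusted)
        if d != t and edit_distance(d, t) == 1:
            return t
    return None


def phishing_indicators(raw_message: str) -> list:
    """Return the list of indicators found; an empty list means none were found."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    trusted = {registrable(t) for t in TRUSTED_DOMAINS}

    # 1. Display name borrows the organisation's name but the address is external.
    if TRUSTED_ORG_NAME in display_name.lower() and registrable(sender_domain) not in trusted:
        indicators.append(f"display name claims {TRUSTED_ORG_NAME} but sender is {sender_domain}")

    # 2. Sender domain is one character away from a trusted domain.
    hit = lookalike_of(sender_domain)
    if hit:
        indicators.append(f"sender domain {sender_domain} imitates {hit}")

    # 3. Links whose visible text and real target disagree, or whose target is a look-alike.
    body = msg.get_payload() if not msg.is_multipart() else ""  # single-part messages assumed
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != registrable(target):
            indicators.append(f"link text shows {shown.group(1)} but points to {target}")
        hit = lookalike_of(target)
        if hit:
            indicators.append(f"link domain {target} imitates {hit}")

    # 4. Pressure to act now, the usual lever for credential harvesting.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            indicators.append(f"urgency phrasing: '{phrase}'")
            break
    return indicators


# Constructed sample messages (not real mail).
PHISH = """From: Contoso IT Helpdesk <helpdesk@contos0.example>
To: alice@contoso.example
Subject: Action required
Content-Type: text/html

<p>Your mailbox will be suspended within 24 hours. Please
<a href="http://login.c0ntoso.example/verify">login.contoso.example</a>
to verify your account.</p>
"""

LEGIT = """From: Contoso IT Helpdesk <helpdesk@contoso.example>
To: alice@contoso.example
Subject: Scheduled maintenance
Content-Type: text/html

<p>Mail will be offline Saturday 02:00-03:00. Details:
<a href="https://intranet.contoso.example/maintenance">intranet.contoso.example</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

The lure trips all four checks; the legitimate notice trips none. The point of the look-alike check is that “contos0” and “c0ntoso” pass a casual glance, which is exactly what the user-awareness training discussed later in this report is meant to counter, and why an automated check belongs at the mail gateway as well.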
While phishing can be used to gain entry for a variety of purposes, the tactics most often used where disruption is the goal involve introducing malicious software (malware) of various kinds. Malware is, at its core, a program or piece of code that lets an attacker control or gain access to the target’s system. It comes in different forms: viruses, which attach themselves to other programs; worms, which copy themselves from one system to the next without user action; “Trojan horses,” which pose as legitimate software; and spyware, which quietly collects information. These attacks can cause systems, both virtual and physical, to operate in a way that benefits the attacker or the attacker’s aims. One of the most notorious pieces of malware was the Stuxnet worm used to infiltrate the operational systems of the Iranian nuclear program (Lewis, 2014).
Stuxnet was a sophisticated malicious computer worm that targeted the industrial control software believed to be at the heart of the Iranian nuclear program’s enrichment plant. The most effective aspect of Stuxnet was its ability to spread through all types of systems undetected, remaining dormant until it found its intended target: the controllers within Iran’s nuclear operation that regulated the speed at which the centrifuges spun. Stuxnet then altered the rotational speed of the centrifuges while reporting normal-looking readings back to the operators, so the manipulation was not recognized until the damage had been done. The damage was severe to the Iranian effort and has been credited with setting the program back several years. Stuxnet was designed to stop spreading after a built-in date and to hide the changes it made to the controllers, which complicated reconstruction of its full behavior after the fact (Lewis, 2014).
The list of vulnerable targets is long, and no industry is safe from attack. In the realm of critical private infrastructure, a few categories are at most risk of attack simply because of their importance. Still, because one target is more coveted by attackers does not mean that other targets are less likely to be targeted or better able to resist attack. The one category that covers every type of target is the control system infrastructure. Control systems include all of the mechanisms a company uses to monitor and control the operation of the organization’s functions: switches, monitoring devices, manual controls, and remote-control devices. One of the reasons these systems are vulnerable is that when they are not connected directly to the Internet they are often thought of as being out of reach of attackers. The reality is that many of the control components that are connected to the web are responsible for triggering or setting in motion control devices that are not connected directly, so an attacker who reaches the connected component can reach the “isolated” one through it (Denning & Denning, 2010).
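The point about indirect exposure can be made concrete with an added example that is not from the original report or its cited sources. Given a constructed table of which hosts are allowed to open connections to which (the kind of information a firewall rule review produces), the script finds every control device that an attacker starting from the Internet can reach by hopping through intermediate hosts, and reports for each intermediate host which devices would be cut off if that host were isolated. The host names and connections are invented for the illustration.

```python
"""Find control devices reachable from the Internet through intermediate
hosts even though they have no direct Internet connection.

The allowed-connection table below is constructed for this example (it is
not from the original report); read each entry as the firewall rules that
let one host open connections to the listed peers.
"""
from collections import deque

ALLOWED = {
    "internet":        {"web-portal", "vpn-gateway"},
    "web-portal":      {"app-server"},
    "vpn-gateway":     {"engineer-laptop"},
    "app-server":      {"historian"},
    "historian":       {"scada-hmi"},
    "engineer-laptop": {"scada-hmi", "eng-workstation"},
    "eng-workstation": {"plc-pump-1", "plc-pump-2"},
    "scada-hmi":       {"plc-pump-1"},
    "plc-pump-1":      set(),
    "plc-pump-2":      set(),
    "safety-plc":      set(),   # nothing is allowed to reach it: truly isolated
}
CONTROL_DEVICES = {"scada-hmi", "plc-pump-1", "plc-pump-2", "safety-plc"}


def attack_paths(graph, source="internet"):
    """Breadth-first search from `source`; returns the shortest path to every
    host an attacker at `source` can reach by hopping through allowed links."""
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):   # sorted so paths are deterministic
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposed_control_devices(graph, control_devices, source="internet"):
    """Control devices reachable from `source`, each with the pivot chain that reaches it."""
    paths = attack_paths(graph, source)
    return {dev: paths[dev] for dev in sorted(control_devices) if dev in paths}


def segmentation_impact(graph, control_devices, source="internet"):
    """For every intermediate host, the set of currently exposed control devices
    that would become unreachable if that host were isolated. Hosts that cut
    off the most devices are the best places to add segmentation."""
    baseline = set(exposed_control_devices(graph, control_devices, source))
    impact = {}
    for host in graph:
        if host == source or host in control_devices:
            continue
        trimmed = {h: peers - {host} for h, peers in graph.items() if h != host}
        still = set(exposed_control_devices(trimmed, control_devices, source))
        impact[host] = baseline - still
    return impact


if __name__ == "__main__":
    for dev, path in exposed_control_devices(ALLOWED, CONTROL_DEVICES).items():
        print(f"{dev} exposed via: {' -> '.join(path)}")
    for host, cut in segmentation_impact(ALLOWED, CONTROL_DEVICES).items():
        if cut:
            print(f"isolating {host} would cut off: {', '.join(sorted(cut))}")
```

In this constructed network neither PLC has an Internet connection, yet both pumps and the HMI are reachable, and no single intermediate host protects pump 1 because two independent routes (through the VPN and through the historian) lead to it. Only the safety PLC, which nothing is permitted to reach, is genuinely out of reach, which is the distinction the paragraph above draws between “not directly connected” and actually isolated.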
Financial services companies, and companies that house a significant amount of financial information, are also vulnerable parts of the critical private infrastructure. The most obvious motive for attacking these organizations is the potential to steal money. While stealing money and other valuable assets is the most common reason for attacking a financial institution’s systems, disrupting the flow of business has a destabilizing effect on society and can give another financial institution or a government an advantage (Lewis, 2014).
One way financial systems can be targeted, and damage inflicted without assets being stolen, is by halting operational response to customers. A large bank’s website or automated teller machines (ATMs) being shut down can cause panic among customers and bank employees. Such events sow seeds of doubt within the public and can affect the way citizens go about their daily lives. The disruption might not appear highly significant on its face, but an attacker or corporate competitor able to inflict it can take advantage of the outage even if it is discovered and remedied in a short amount of time (Geers, 2010).
Telecommunications operations and their infrastructures are important to society, and cyber-attack on them can cause significant disruption to public safety. Attackers commonly gain entry into telecom companies either through the normal means (via the Internet or e-mail) or through VoIP (voice over Internet Protocol) connections. These attacks can cause disruptions to service alone or cause damage to physical assets such as satellites and the communication devices themselves (Lewis, 2014).
Transportation infrastructure is vulnerable to cyber-attacks that can range from nuisance to physical danger. Any disruption in the function of computerized systems within an airport or airline causes alarm within the organization. Flights are commonly grounded during a suspected cyber-attack, and flight control operations are halted. This can lead to severe congestion for travelers, disrupt air schedules worldwide, or lead to a compromise of air traffic control that puts passengers, crew, and others in grave danger (Ten, Manimaran & Liu, 2010).
Other forms of transportation can be disrupted by cyber-attack as well. Train service faces some of the same potential consequences as air travel. An attack on a shipping organization can result in a disruption of services that causes ripples around the globe. If shipping manifests are altered or deleted during an attack, the cost in time and resources to correct the matter can be high and can disrupt adjacent industries (Ten, Manimaran & Liu, 2010).
Energy sector organizations are potentially the most disruptive targets of cyber-attack, and many of the worst-case scenarios in terror response plans feature an attack on the energy grid or the country’s energy delivery services. If the electricity supply were disabled by a cyber-attack, all of the functions of society could be hampered until service was restored. Back-up generators and other contingency measures are only sparsely deployed throughout society, and areas outside medical facilities and other emergency services entities are less likely to be backed up by generator support (Ten, Manimaran & Liu, 2010).
Protection against cyber-attacks is the responsibility of both private and public agencies. While private companies are primarily responsible for assessing and planning for the potential risk of attack, certain private infrastructure is so critical to society that its protection often falls under the purview of the Department of Homeland Security (DHS). DHS issues guidance to private companies periodically to inform them about potential attacks, to update best practices for dealing with an attack or reinforcing systems against cyber-intrusion, and to plan for addressing the fallout of system breaches. Broad outreach plans and international cooperation to ward off cyber-attack are coordinated through DHS and the U.S. State Department (Geers, 2010).
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is an entity within the Department of Homeland Security that is responsible for reducing the risk of attack across all critical infrastructure sectors. ICS-CERT is tasked with issuing alerts to organizations as well as providing advisory information to assist in strengthening systems against cyber-attack. The team works with private companies and public departments, including law enforcement, to provide a coordinated defense against cyber-attack and to remedy the consequences in the event of a successful attack (Lewis, 2014).
Cyber-attacks are a problem that will continue to plague society as attackers and defenders take turns gaining the upper hand. Given the wide array of attackers, motivations, and means of attack, the Department of Homeland Security and the security teams of individual companies are in constant pursuit of better ways to monitor activity and to respond to breach attempts as quickly and effectively as possible.
The most important way to reduce the effectiveness of cyber-attack is education. Company employees who are educated about the various ways attackers seek to gain entry into their company’s systems are better prepared to spot phishing attempts and more conscientious about practicing security as a daily activity.
The prospect of a wide-scale and successful cyber-attack on critical private infrastructure could mean devastating consequences in the near and more distant future. Because the matter is so dire and the challenge of avoiding an attack so daunting, constant dedication to defending systems is a necessary goal of DHS and all other security entities across the country.
Denning, P. J., & Denning, D. E. (2010). Discussing cyber-attack. Communications of the ACM, 53(9), 29-31.
Geers, K. (2010). The challenge of cyber-attack deterrence. Computer Law & Security Review, 26(3), 298-303.
Lewis, T. G. (2014). Critical infrastructure protection in homeland security: defending a networked nation. John Wiley & Sons.
Ten, C. W., Manimaran, G., & Liu, C. C. (2010). Cybersecurity for critical infrastructures: Attack and defense modeling. IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans, 40(4), 853-865.