BreachExchange mailing list archives

U.S. industry too complacent about cyber risks, say experts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 19 May 2014 19:30:54 -0600

http://in.reuters.com/article/2014/05/17/us-cyber-summit-infrastructure-idINKBN0DX02J20140517

After warning for years that the U.S. electric grid and other critical
infrastructure are dangerously vulnerable to hacking, security experts fear
it may take a major destructive attack to jolt CEOs out of their
complacency.

While awareness about cybersecurity has increased in recent years,
infrastructure consultants say the industry remains reluctant to spend the
money needed to upgrade its aging equipment - especially in the absence
of much pressure from the U.S. government, regulators or shareholders.

"I'm convinced the C-level executives don't understand the risks they're
accepting," Digital Bond CEO Dale Peterson, a leading expert in industrial
control systems, told the Reuters Cybersecurity Summit in Washington this
week.

"These systems are insecure by design," said Peterson. "If they truly
understood the risk they were taking, they would find it unacceptable."

Peterson and other security experts say the problem lies with tiny
computers known as PLCs, or programmable logic controllers, used to control
processes in energy plants, water treatment facilities, factories and other
industries. The PLCs are designed to blindly obey all commands, regardless
of what impact they might have, according to the experts.

To wreak havoc, someone would need only to hack into that system and send
malicious instructions to the PLC, such as to cause an explosion at an
energy facility or chemical plant, flood a water system, or poison the food
supply.

Top executives at critical infrastructure companies think of cybersecurity
as a standard business risk and are reluctant to spend millions of dollars
to mitigate that risk, said Stuart McClure, chief executive of
cybersecurity firm Cylance.

They "can't seem to get out of their own way of paranoia to a point of
paralysis," McClure told the summit. "What government does have to do,
unfortunately, is to step in and provide a stick of some sort."

The Obama administration has encouraged industries to test themselves
against a newly drafted set of cyber standards, and has encouraged more
sharing of information about cyber threats and best practices.

Experts say that is a step in the right direction, but there is still a
long way to go. Some urged the Department of Homeland Security to mandate
stricter regulations, but the agency does not have that kind of enforcement
power.

"I think what they benefit most from is not just hard and fast regulation:
'You shall do it this way,'" Department of Homeland Security Secretary Jeh
Johnson said at the summit. "I don't believe that the answer is to regulate
standards."

CYBER REPORTS NEARLY DOUBLE

DHS's Industrial Control Systems Cyber Emergency Response Team says it
responded to reports of 256 cyber incidents last year, more than half of
them in the energy sector. While that is nearly double the agency's 2012
case load, there was not a single incident that caused a major disruption.

The incidents include hacking into systems through Internet portals exposed
over the Web, injecting malicious software through thumb drives, and
exploitation of software vulnerabilities, DHS said.

"I fear that things won't change until there is a major attack and people
are shocked into taking action," McClure said.

Still, he and several other summit guests said they have noticed an
increase in interest in cybersecurity following the data breach at Target
Corp, which led to the departure of the U.S. retailer's chief executive,
Gregg Steinhafel.

"This is ringing bells at the C-suite," said Charles Croom, vice president
of cybersecurity solutions at Lockheed Martin Corp. "This is just the
beginning of a bow wave."

While some security experts hope the government can take a stronger role on
cybersecurity, some U.S. officials say the private sector needs to step up.

The new head of the National Security Agency, Admiral Mike Rogers, said he
hopes industry and the government can work quickly enough to improve
communication about emerging cyber threats and prevent catastrophes.

"I don't want a major disaster being the driver that pushes us," Rogers
told the summit.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/