WEST POINT, N.Y. (Army News Service, April 22, 2016) – “There’s no doubt that Chinese military planners understand the importance of industrial control systems and the critical infrastructure they control,” said Rick Ledgett, deputy director, National Security Agency.
A serious vulnerability to industry is their “strong dependence” on what are termed industrial control systems, or ICS, said Ledgett, who delivered the keynote address during a dinner at the Joint Service Academy Cyber Security Summit at the U.S. Military Academy, April 20.
Historically, ICS has been strong because of its obscurity, he explained, calling it “weird software with proprietary systems.”
But over time, the obscurity of ICS has become less obscure, and providers, working on thin profit margins, haven’t adequately addressed the security threat, he said. “Adversaries are seeing what they can get by compromising those industrial control systems.”
Another instance was in 2007, when Idaho National Laboratory ran the Aurora Generator experiment that demonstrated that the electric grid could be compromised. There are other notable examples, he said.
“You don’t need to cause physical harm to affect critical infrastructure assets,” Ledgett pointed out. For instance, the Ukrainian grid blackout that happened about four months ago took down the entire power grid. Remote attackers used stolen credentials to do that.
“These are all fairly significant events,” he said. “We’re seeing more and more of that by adversaries.”
INTERNET OF THINGS
More and more devices are being connected to the Internet, Ledgett said. Some 6.4 billion things worldwide will be connected by the Internet this year and by 2020, that number will be about 20.8 billion.
The challenge is identifying emerging risks and vulnerabilities that come about with the introduction of new hardware and software, he said.
“Any system is only as strong as its weakest link,” he said. Most types of devices connected to the Internet are built with differing security profiles and updated on differing timescales. Every time it’s updated, that’s another opportunity for a security vulnerability.
Cybercrime is one example. There are 1 million pieces of malware that come out every day and 1.5 million criminal cyber events every year, he mentioned.
“Today, anyone with a computer and a fairly decent level of knowledge and an Internet connection can pose a very serious threat to an individual, a business, a city and a foreign nation,” Ledgett concluded.