Eugene Kaspersky, Chairman and CEO, Kaspersky Lab
With the rise of IT controlled critical infrastructure systems comes the very real possibility of mass cyber attacks on critical infrastructure, which could plunge entire towns, cities and countries into a state of complete chaos.
“Let’s look at a Die Hard 4-esque scenario; theoretically a situation is possible where, let’s say, a system for distributing purified drinking water is attacked, as a result of which somewhere at a distant installation the other side of the country a breakdown occurs.
“But the control centre doesn’t know anything about it; the attackers have sent false data to its computers, after exploiting a vulnerability. Actually, this isn’t just a scenario; something very similar to it has already occurred in real life, several years ago,” explains Eugene Kaspersky, chairman and CEO of Kaspersky Lab.
An example, cited by Kaspersky, of cyber sabotage at its potentially most dangerous was in a direct attack on supervisory control and data acquisition (SCADA) industrial control systems in 2000 in Australia.
An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council carried out 46 attacks on its control system, which caused the pumps to stop working or not work properly, according to Kaspersky.
The communication channels inside the SCADA system had been breached and the information travelling along them was distorted. Several months later the companies and the authorities managed to work out what had happened: the worker had wanted a job at the sewage firm, had been rejected, and decided to flood a huge area of Queensland with sewage.
“With particular regard to the Middle East, the recent, extremely sophisticated targeted attacks detected by Kaspersky Lab [Stuxnet, Duqu, Flame, Gauss] mostly occurred in this region, some of them being aimed at industrial control systems, thus representing acts of if not just espionage, then war too, cyber espionage and cyber war,” says Kaspersky.
Though industrial IT systems and typical office computer networks might seem similar in many ways, they are actually quite different, especially in the priorities they set between security and usability. For companies, data confidentiality is of paramount importance, and to that end system administrators are encouraged, among other things, to isolate infected systems from non-infected ones.
“With industrial systems, isolating infected systems is out of the question since for them of paramount importance is uninterrupted operation, constant temperature, constant humidity, etc., no matter what.
And this is true of any industrial system in the world. Security lags way behind in terms of priorities. What compounds this security downgrade is the fact that software at industrial or infrastructural installations is only updated after a thorough check for fault-tolerance so as to be 100% certain not to interrupt the working processes,” explains Kaspersky.
Manufacturers of specialised software are not all that interested in constant source code analysis and patching holes, according to Kaspersky Lab; as experience has shown, corners (costs) are normally cut on this kind of activity, and patches are released only if a particular exploit has been found and published on the internet.
This is also true for consumer software, not just specialised software; but when it is true for critical systems and infrastructure, the risks are so much higher.
Kaspersky says that it is almost impossible to protect ourselves from state sponsored cyber attacks and attacks on industrial systems today.
“To do so it’d be necessary to redesign just about all the software code in existence and switch to secure operating systems. It’s clear this is virtually impossible; even if it were possible, can you imagine the size of the budgets involved?
“No state would ever permit itself to make such colossal investments in IT Security,” states Kaspersky.
“This problem needs solving in the same way as the problems of chemical, biological, and nuclear weapons were in the past. What is needed is an international agreement on cooperation, non-proliferation, and non-usage of cyber weapons, and such a project needs to be organised and coordinated by an independent international organisation, like a Cyber-IAEA, ideally under the aegis of something like the United Nations.”
Protecting the enterprise
One hundred percent protection from all types of malware, cyber criminals and spam is just not possible in the real world, according to Kaspersky.
“Getting as close to 100% as possible is what we’re aiming for, and companies should do the same. A common mistake is to miss some elements of infrastructure and they stay unprotected. These are the weak links in the chain and are more likely to get attacked by the bad guys. Last but not least there’s the human factor [on the victim’s side], which often plays a major role in whether an attack is successful or not,” he explains.
IT security, both personal and enterprise, can be compared to banking security: any bank can be the victim of a successful heist, it just depends on how much effort and risk is needed on the part of the armed robbers.
“When you use a maximum number of security measures and pull out all the stops on security, utilising hardware and software protection options, you make intrusion so complicated, expensive, and time consuming, that criminals simply weigh all the cons as far outweighing the pros, and abandon all their nefarious plans,” states Kaspersky.