Dependence on industrial control systems (ICS) is an increasing cyber vulnerability for industry, a top National Security Agency (NSA) official said in a keynote address last week.
Although ICS has historically been strong because of its obscurity like a kind of “weird software with proprietary systems,” it has become less obscure over time and providers have not adequately addressed the cybersecurity threat, Richard Ledgett Jr., deputy director of the NSA, said in a keynote address at the Joint Service Academy Cyber Security Summit at the U.S. Military Academy on April 20.
“There’s no doubt that Chinese military planners understand the importance of industrial control systems and the critical infrastructure they control,” Ledgett said.
“Adversaries are seeing what they can get by compromising those industrial control systems,” he added.
Ledgett highlighted that an attacker does not need to cause physical damage to affect critical infrastructure. He cited as an example how hackers used stolen credentials to cause the December 2015 Ukrainian blackout (Defense Daily, Feb. 16).
“These are all fairly significant events. We’re seeing more and more of that by adversaries,” Ledgett said.
He also cited that in 2007 the Idaho National Laboratory ran an experiment, Aurora Generator, that demonstrated the electric grid of the U.S. could be compromised.
The NSA’s deputy director also explained the increasing challenge of identifying emerging risks and vulnerabilities that come from the new hardware and software used in Internet of Things (IoT).
IoT refers to the increasing network of devices connecting to the internet beyond traditional computers. This includes cars, house thermostats, refrigerators, televisions, home security systems, and more.
Ledgett said 6.4 billion items will be connected to the internet in 2016 worldwide and that by 2020 that could expand to 20.8 billion things.
While most devices connected to the internet are built with different security profiles and updated on separate timescales, every time an item is updated there is a new opportunity for a security vulnerability, Ledgett said.
“Any system is only as strong as its weakest link.”
“Today, anyone with a computer and a fairly decent level of knowledge and an Internet connection can pose a very serious threat to an individual, a business, a city and a foreign nation,” he said.
Ledgett noted a million pieces of hardware come out every day, with 1.5 million criminal cyber events taking place every year.