date 2014-05-16
WASHINGTON May 16 After warning for years that
the U.S. electric grid and other critical infrastructure are
dangerously vulnerable to hacking, security experts fear it may
take a major destructive attack to jolt CEOs out of their
complacency.
While awareness about cybersecurity has increased in recent
years, infrastructure consultants say the industry remains
reluctant to spend the money needed to upgrade its aging
equipment - especially in the absence of much pressure from the
U.S. government, regulators or shareholders.
"I'm convinced the C-level executives don't understand the
risks they're accepting," Digital Bond CEO Dale Peterson, a
leading expert in industrial control systems, told the Reuters
Cybersecurity Summit in Washington this week.
"These systems are insecure by design," said Peterson. "If
they truly understood the risk they were taking, they would find
it unacceptable."
Peterson and other security experts say the problem lies
with tiny computers known as PLCs, or programmable logic
controllers, used to control processes in energy plants, water
treatment facilities, factories and other industries. The PLCs
are designed to blindly obey all commands, regardless of what
impact they might have, according to the experts.
To wreak havoc, someone would need only to hack into that
system and send malicious instructions to the PLC, such as to
cause an explosion at an energy facility or chemical plant,
flood a water system, or poison the food supply.
Top executives at critical infrastructure companies think of
cybersecurity as a standard business risk and are reluctant to
spend millions of dollars to mitigate that risk, said Stuart
McClure, chief executive of cybersecurity firm Cylance.
They "can't seem to get out of their own way of paranoia to
a point of paralysis," McClure told the summit. "What government
does have to do, unfortunately, is to step in and provide a
stick of some sort."
The Obama administration has encouraged industries to test
themselves against a newly drafted set of cyber standards, and
has encouraged more sharing of information about cyber threats
and best practices.
Experts say that is a step in the right direction, but there
is still a long way to go. Some urged the Department of Homeland
Security to mandate stricter regulations, but the agency does
not have that kind of enforcement power.
"I think what they benefit most from is not just hard and
fast regulation: 'You shall do it this way,'" Department of
Homeland Security Secretary Jeh Johnson said at the summit. "I don't
believe that the answer is to regulate standards."
CYBER REPORTS NEARLY DOUBLE
DHS's Industrial Control Systems Cyber Emergency Response
Team says it responded to reports of 256 cyber incidents last
year, more than half of them in the energy sector. While that is
nearly double the agency's 2012 case load, there was not a
single incident that caused a major disruption.
The incidents include hacking into systems through Internet
portals exposed over the Web, injecting malicious software
through thumb drives, and exploitation of software
vulnerabilities, DHS said.
"I fear that things won't change until there is a major
attack and people are shocked into taking action," McClure said.
Still, he and several other summit guests said they have
noticed an increase in interest in cybersecurity following the
data breach at Target Corp, which led to the departure
of the U.S. retailer's chief executive, Gregg Steinhafel.
"This is ringing bells at the C-suite," said Charles Croom,
vice president of cybersecurity solutions at Lockheed Martin
Corp. "This is just the beginning of a bow wave."
While some security experts hope the government can take a
stronger role on cybersecurity, some U.S. officials say the
private sector needs to step up.
The new head of the National Security Agency, Admiral Mike
Rogers, said he hopes industry and the government can work
quickly enough to improve communication about emerging cyber
threats and prevent catastrophes.
"I don't want a major disaster being the driver that pushes
us," Rogers told the summit.
