Organisations must prepare for a “cyber Pearl Harbor”, warns software company
June 2017 by Gordon McKeown, a risk management expert at Ideagen
A LEADING software company has warned that organisations must be better prepared for a “cyber Pearl Harbor” following several recent high-profile attacks. Ideagen, the Nottingham-based software company specialising in corporate governance and risk management, said that businesses worldwide – including the UK government – had to take seriously the threat posed by malware to avoid the potential for a catastrophic attack.
On Tuesday, the importance of cyber security was once again brought home when organisations across the world including the Ukrainian central bank, Russian oil giant Rosneft, British advertising firm WPP and US law firm DLA Piper were affected in the latest cyber breach. At least one hospital in the US city of Pittsburgh was also caught up in the incident.
In May, the UK’s NHS was severely affected in an attack which compromised the infrastructure of the health service via a Ransomware assault known as Wannacry. In that instance, computers across the NHS network was blocked with a ransom of £300 required to retrieve critical health data.
Now, as IT and internet infrastructure continues evolve across the globe, a spokesperson from Ideagen has said organisations must be better prepared for a “much more serious” attack.
Gordon McKeown, a risk management expert at Ideagen, which provides risk management software to some of the largest organisations in the world, said: “In recent years there has been a barrage of high profile data security failures around the world with some drastic consequences for businesses and governing bodies. “Although data breaches and ransom demands are serious, something much worse is possible. It isn’t about hacking – hacking is small beer compared to the potential threat from malware. When the world is becoming more and more connected, the likelihood of an incident occurring on a much larger scale significantly increases. “When everything is connected to everything, do you need to physically hijack an aircraft to damage it? Do you need to plant a bomb on a gas pipeline to cause an explosion? Would you need to physically break into an electricity substation to disrupt the power supply and cause a blackout? No, you could do these things using malware.
“As the former CIA Director, Leon Panetta, is quoted as saying to US Congress in 2011, ‘The potential for the next Pearl Harbor could very well be a cyber-attack’.
“This is something we all have to be ready for.”
Mr McKeown, who has twenty-five years’ experience in the software industry, cited the trend increase concerning high profile cyber-attacks and data security failures in recent years. These include:
• 2012 Shamoon malware demolishes vast IT estates in Saudi Arabia
• 2013: Dark Seoul brings down ATM’s and television networks in South Korea
• 2014: Black Energy switches off the power in Ukraine
• 2015: US Democratic National Committee is famously hacked
• 2016: Mirai bots overwhelms high profile websites including Twitter
• 2017: UK NHS Wannacry Ransomware assault
Mr McKeown added: “There’s the trend, but if we’re looking for the next Pearl Harbor we need to find a ‘proof of concept’ that moves from the digital domain into real world destruction. We’re looking for a cyber weapon.” The Stuxnet worm is an example of that weapon, which spread widely via USB sticks in the Middle East in 2009. Stuxnet was malicious code that entered the industrial control system (ICS) to carefully change settings and damage connected machinery – specific machinery such as centrifuges used to enrich Uranium. Vulnerabilities in critical infrastructure
According to Kaspersky Labs’ Threat Landscape for Industrial Automation Systems 2016, a quarter of all cyber-attacks reported to their Internet security service were aimed at industrial computers such as PLCs and one industrial computer in five is attacked each month.
Mr McKeown said that any modern industrial equipment, process or infrastructure usually has multiple external network connections including:
_• Direct Internet Connection for remote Management access to the ICS
• OEM and supply chain organisations update industrial equipment
• Administration and maintenance systems and data (process health, logistics, etc.)
• Many in-house and third party line of business systems
• Government and other supervisory and regulatory systems and communications
• Portable media
The example of Stuxnet – which to date remains the only malware designed to physically destroy machinery – establishes the model for a cyber Pearl Harbor, says Mr McKeown.
He added: “Even the most critical infrastructure has many potential attack vectors over which the owners and operators may have partial or very little control. The answer to this vulnerability is extension of the scope of enterprise risk management to supply chain and digital risk.
“If any organisation owns critical infrastructure or plant or equipment where deliberate sabotage would have Financial, Infrastructural, Reputational, Market or Safety (FIRMS) consequences, they need to seriously question how they proactively manage the risk of sabotage via malware?"