
Banks, the oil & gas industry, the energy grid under constant attack by hackers


November 30, 2015

The backbone of the United States (banks, the oil and gas industry, the energy grid and many more industries) is under constant attack by hackers from all over the world, and not just from China and Russia.

However, the biggest and most critical cyberattacks, the ones that can blow up chemical tanks and burst huge power dams, are kept secret by a law that shields U.S. corporations from the obligation of reporting such attacks.

And, believe it or not, they stay secret forever, whether you like it or not. For example, you could live near or work at a major facility that has been hacked repeatedly and investigated by the U.S. government over and over. But you'd never know about it, ever!

Worse, that secrecy could hurt efforts to defend against future attacks, experts have warned for the past several years.

The 'foggy' information that is publicly available confirms that there is plenty to worry about, and the trend appears to be worsening.

Energy utilities and oil and gas suppliers often make simple mistakes, easily exposing the power grid to terrorist attackers, hackers and foreign spies.

A recent investigation has reviewed public documents issued by regulators that reveal widespread security flaws in system-wide installations.

For instance, there was a power company that didn't bother to turn off communication channels on its gear at mini-stations along the electrical grid, leaving access points completely open to hackers.

As a result, the power company was fined $425,000 by its regulator in August of this year. Another electrical company forgot to patch software on two-thirds of its devices, thus exposing them to known security flaws exploited by hackers. It got a $70,000 fine in February 2015.

There are plenty of other examples, and all posed a serious or substantial risk to portions of the electrical power grid, those documents reveal.

But the worst part of the report is that hackers do sometimes get through, and that's really the concerning part.

In an industry newsletter available online, the Department of Homeland Security occasionally documents hacker cyberattacks, though only with vague descriptions that don't mean much to the average layman.

In early 2013, hackers attacked several natural gas pipelines in the U.S. Midwest, trying to break into the communication network that tells industrial machines what to do and how to do it.

In 2014, a hacker got into the network that controls industrial equipment at a public utility. But DHS won't even say where it is in the United States.

We don't know what happened in either case or in the dozen others that stay under the radar each year. Neither do the very computer experts who train the nation's next generation of hacking defenders.

Worse, regulators themselves can't even use that information to make safety regulations, help improve the system and protect it from hackers.

"Most people don't have any clue to any of this," said David Kennedy, whose firm TrustedSec investigates potential attacks on power plants and other critical systems in wide use today.

Steven Aftergood, who leads the project on government secrecy at the American Federation of Scientists, is deeply concerned: "By categorically withholding this information, the government is concealing the very factors that shape homeland security policy."

"Instead of a precise picture of an actual threat, the public is left with only vague generalities. The resulting deliberative process is crippled right from the start, and that's where most of the issue lies today," Aftergood warned.

And it's not just the energy industry. Every company that's considered "critical infrastructure" can keep major hacks secret: the telecommunications industry, large banks, major chemical makers, pharmaceuticals, the list goes on and on...

The only reason you hear about the small-time stuff, such as when a retailer loses your credit card, is that some states have laws demanding credit card disclosures and such.

The potentially really dangerous hacks, the ones most concerning to the public, stay in the dark permanently, and that's really the troubling part of the equation.

So you might reasonably ask: why all the secrecy? In the wake of the 9/11 terrorist attacks, government officials were worried about protecting the nation's critical infrastructure. And you sure can't blame them for that.

So to encourage the sharing of information about major physical and computer-based attacks, the 2002 Homeland Security Act included special protection for U.S. companies: any evidence they submit is considered "Protected Critical Infrastructure Information" (PCII) and kept from public disclosure at all times.

A 2009 DHS policy manual explains the policy to law enforcement, government agents and industry. The manual explicitly says this information is to be kept out of the hands of journalists, regulators and the public at large.

The media "may not receive PCII" unless a company formally approves it. A safety inspector "does not have a valid need-to-know" if he or she plans to use that information "for regulatory purposes."

The same manual explains what this means in practice. What happens if a severe security vulnerability exists that makes train stations prone to terrorist attacks? If that information is categorized as "PCII," a federal regulator can't mention it, even when writing reports to push for better safety regulations at train stations.

At an energy industry conference in Philadelphia in October of this year, Caitlin Durkovich, assistant secretary for infrastructure protection at DHS, repeatedly told company executives they'd never have to worry about public exposure.

"We go through extraordinary measures to make sure that information cannot get to someone who'd want to hurt you," she said. "We cannot make it available to regulators, sunshine laws or public records. It's part of building this trusted relationship with you."

Source: The Wall Street Journal.

Copyright © Internet Security.ca