After warning for years that the U.S. electric grid and other critical infrastructure are dangerously vulnerable to hacking, security experts fear it may take a major destructive attack to jolt CEOs out of their complacency.
While awareness about cybersecurity has increased in recent years, infrastructure consultants say the industry remains reluctant to spend the money needed to upgrade their aging equipment – especially in the absence of much pressure from the U.S. government, regulators or shareholders.
“I’m convinced the C-level executives don’t understand the risks they’re accepting,’” Digital Bond CEO Dale Peterson, a leading expert in industrial control systems, told the Reuters Cybersecurity Summit in Washington this week.
“These systems are insecure by design,” said Peterson. “If they truly understood the risk they were taking, they would find it unacceptable.”
Peterson and other security experts say the problem lies with tiny computers known as PLCs, or programmable logic controllers, used to control processes in energy plants, water treatment facilities, factories and other industries. The PLCs are designed to blindly obey all commands, regardless of what impact they might have, according to the experts.
To wreak havoc, someone would need only to hack into that system and send malicious instructions to the PLC, such as to cause an explosion at an energy facility or chemical plant, flood a water system, or poison food supply.
Top executives at critical infrastructure companies think of cybersecurity as a standard business risk and are reluctant to spend millions of dollars to mitigate that risk, said Stuart McClure, chief executive of cybersecurity firm Cylance.
They “can’t seem to get out of their own way of paranoia to a point of paralysis,” McClure told the summit. “What government does have to do, unfortunately, is to step in and provide a stick of some sort.”
The Obama administration has encouraged industries to test themselves against a newly drafted set of cyber standards, and has encouraged more sharing of information about cyber threats and best practices.
Experts say that is a step in the right direction, but there is still a long way to go. Some urged the Department of Homeland Security to mandate stricter regulations, but the agency does not have that kind of enforcement power.
“I think what they benefit most from is not just hard and fast regulation: ‘You shall do it this way,’” Department of Homeland Security Jeh Johnson said at the summit. “I don’t believe that the answer is to regulate standards.”
CYBER REPORTS NEARLY DOUBLE
DHS’s Industrial Control Systems Cyber Emergency Response Team says it responded to reports of 256 cyber incidents last year, more than half of them in the energy sector. While that is nearly double the agency’s 2012 case load, there was not a single incident that caused a major disruption.
The incidents include hacking into systems through Internet portals exposed over the Web, injecting malicious software through thumb drives, and exploitation of software vulnerabilities, DHS said.
“I fear that things won’t change until there is a major attack and people are shocked into taking action,” McClure said.
Still, he and several other summit guests said they have noticed an increase in interest in cybersecurity following the data breach at Target Corp, which led to the departure of the U.S. retailer’s chief executive, Gregg Steinhafel.
“This is ringing bells at the C-suite,” said Charles Croom, vice president of cybersecurity solutions at Lockheed Martin Corp. “This is just the beginning of a bow wave.”
While some security experts hope the government can take a stronger role on cybersecurity, some U.S. officials say the private sector needs to step up.
The new head of the National Security Agency, Admiral Mike Rogers, said he hopes industry and the government can work quickly enough to improve communication about emerging cyber threats and prevent catastrophes.
“I don’t want a major disaster being the driver that pushes us,” Rogers told the summit.
(Reporting by Jim Finkle and Alina Selyukh; Additional reporting by Doina Chiacu, Mark Hosenball, Joseph Menn and Andrea Shalal; Editing by Tiffany Wu)