How to Own the Critical National Infrastructure of a Country

Last week’s ABC News article about trojan horses on the nation’s critical national infrastructure (CNI) was a good report, but hardly a revelation to those of us who have been monitoring this threat for years.

This is the same scenario that NIST and NSA first raised to the power industry, and those responsible for the critical infrastructure of the USA, more than five years ago.

Hacking Critical National Infrastructure in a Few Basic Steps

It’s simple for intruders to obtain a list of weak systems from Shodan with a credit card. From there they can take over CNI systems using well-known exploits, or powerful and secret zero-day attacks available to many governments around the world. In a few hours you can own the infrastructure of an entire country.

Unfortunately, many in the power and infrastructure industry have literally no interest in implementing proper IT security. In fact, modern security is often considered a nuisance and an unproductive expense. The prevalent attitude is that utility employees should be able to get to anything and everything with no controls and accountability, so that they can manage systems in real time with no delays or inhibitors.

CNI systems often have well-known factory default passwords, as well as passwords stored on spreadsheets and openly shared on the company network. Or they’re stored in easy-to-crack vaults provided by offshore vendors. The net effect is that life-critical CNI services are trivial to exploit by advanced nation-state attackers.

Taking Initiative to Secure Critical National Infrastructure

Go-forward plan: don’t aggravate other nation states and/or fix the security of these systems. The current US administration has not implemented strong security requirements for CNI systems. My best guess is that someone will need to die as a result of a nation-state attack to get this administration to take concrete action to shore up this serious national problem.

It would be naïve and foolish to think that other governments would not utilize the same techniques used to compromise Iran’s nuclear refining capability on US companies and US infrastructure.
