Former NSA boss Keith Alexander has warned that Western energy companies are unprepared for a potentially catastrophic cyber-attack on their systems.
General Alexander, who also served as head of US Cyber Command for four years, claimed on the sidelines of the IHS CERAWeek event last week that the sector needs something akin to an integrated air defense system to keep it safe in cyberspace.
“The greatest risk is a catastrophic attack on the energy infrastructure. We are not prepared for that,” he added, according to The Telegraph.
A “doomsday” scenario would be one in which oil refineries, power stations and the electric grid were all taken out in a quick fire cyber-attack, possibly in combination with an attack on the banking system.
The four-star retired general added that five countries are skilled at the highest level in fighting cyber warfare: the US, UK, Russia, Israel and Iran.
Iran has already been pegged by security firm Cylance as “the new China,” in a report which claimed state-backed operatives made off with information which could enable successful attacks on SCADA systems in the future.
There was no mention of China by Alexander, although current NSA boss Michael Rogers went on record last year as claiming Beijing could launch attacks causing “catastrophic failure” in the water and energy sectors.
Lars Thoresen, CSO of NTT Com Security, argued that SCADA systems have historically been protected by virtue of “security by obscurity” and by being cut off from the internet.
That’s not the case now and although security gaps are being addressed, developers have not yet reached “methodological proficiency when it comes to building security features into the core functionality of systems,” he told Infosecurity by email.
“The attack capability of various groups is substantial, and coupled with the fact that some of them (ISIS) have gained physical access to several SCADA networks in Iraq and other places, there exists a potential for access to remotely linked installations outside their physical control,” he added.
“To sum up, the world in which SCADA systems operate has changed, and the SCADA systems have (in our experience) been generally slow to respond.”
John Shaw, VP of product management at the Sophos Enduser Security Group, told Infosecurity that the government needs to help critical infrastructure companies invest in more sophisticated tools and training.
“There is a real challenge for the energy sector. To stay secure involves keeping security software and patches constantly up to date, but running critical infrastructure safely means minimizing change. So in reality, energy control systems that are the most critical to protect are often run on computers that are never or very rarely patched or updated,” he added.
“Because of this, they carry way more vulnerabilities than the computers we typically use at home.”
The solution is investment in “whitelisting and lockdown” as well as memory and content scanning to reduce the avenues of attack, and technologies and human resources to spot signs of compromise, Shaw explained.