A new wave of cyberattacks reportedly aimed at industrial control systems comes at a time when private companies and government are still struggling to protect the nation's critical infrastructure, experts say.
The New York Times reported on Sunday that the attacks were aimed mostly at U.S. energy companies. Rather than looking for intellectual property or sensitive information, the hackers were using probes to look for ways to seize control of processing plants.
While government officials did not know if the attacks were state-sponsored, the origin appeared to be somewhere in the Middle East.
The fact that senior government officials who spoke to The Times were unable to pinpoint the source of the attacks indicates a lapse in the work of the intelligence community, said Stewart Baker, a partner at the law firm Steptoe & Johnson and a former assistant secretary for policy at the Department of Homeland Security (DHS).
"The most disappointing aspect of the story so far is the inability of the intelligence community to attribute the probes," Baker said. "That's embarrassing."
"The intelligence community has faced cyber intrusions for 20 years, yet it has been unable or unwilling to provide much useful attribution information," he said.
The intelligence community is not the only part of government that has struggled to help the nation defend against cyberattacks. Congress remains at odds over the privacy implications of legislation that would require companies to share data with government agencies.
President Barack Obama issued an executive order this year requiring government agencies to share cyberattack information, but the reverse will require action by Congress.
Government regulation by itself is not a panacea. Joe Weiss, an industrial security consultant and managing partner of Applied Control Solutions, said electric utilities often refuse to be a test bed for cybersecurity technologies because of the "onerous audit requirements." The mandates are contained within the Critical Infrastructure Protection rules established by the North American Electric Reliability Corp.
Weiss has been able to find only one electric utility willing to be a test bed. That company is too small to fall under NERC CIP. "I shouldn't be in a position to say 'only,'" Weiss said. "There should be a few or one of (many), but not only."
Attackers bent on sabotage are not new. Many experts believe the pace of cyber sabotage efforts increased after the U.S. and Israel damaged Iranian nuclear facilities several years ago with the Stuxnet worm.
Iran is believed to have retaliated last year with the attack on Aramco, Saudi Arabia's national oil company and one of the world's largest producers. The intruders wiped data from office computers, but failed to reach production systems, which were the main target.