"Over the course of 2013, we saw a record number of hackers probing nuclear power facilities, dams and critical infrastructures in the U.S.," says Tendell. Because the U.S. government often classifies these attacks as national security threats, it keeps the number of attacks secret. So, the count is likely higher than even Tendell knows. "If you want to get an idea of how many probes there are," says Tendell, "ask a corporate network security analyst what their firewall and intrusion detection systems look like on a daily basis."
Near-term risks
In the near term, utilities and critical infrastructure are becoming more mainstream as targets of cyberterrorism. "The value of these targets is higher now that more institutions, organizations and governments are including cyber-attacks in real-world battlefield tactics," says Tendell. Authorities are readily able to link many attacks to government-funded hacktivist groups. In some cases, the very organizations tasked by governments will "out" their government sponsor when and if they are caught. "It's the old 'I-was-just-following-orders' excuse," says Tendell.
According to Tendell, with U.S. legislation providing for increasing government regulation of critical infrastructure facilities, the government may have mitigated the risk within the next few years. But even if regulation is enough to protect those assets, cyberterrorists could still seek out other targets.
Many local governments and local departments of transportation (DoT) are not very secure. This leaves local traffic targets open to attack. "Many local DoT still use outdated connection and management tools such as telnet and open web access portals that could be vulnerable to SQL Injection and attacks that weren't around when the systems came online," says Tendell. Imagine the chaos should city street lights fall under the control of cyberterrorists.
CSOs and CISOs thinking their enterprise is not at risk should remember that once unleashed, the same worms and viruses that cyberterrorists use on their intended targets can spread to other organizations.
Readiness in a time of cyberterrorism
CSOs and CISOs should know that customary corporate security cannot address the methods cyberterrorists use to perpetrate the majority of cyber-attacks. "They are not attacking your firewall. They are not attacking your DMZ. They are looking for social engineering routes, social media routes, email routes and phishing routes. They are looking to drop a flash drive somewhere and get someone to plug it in," says Tendell. Cyberterrorists are looking for any means to get an unwitting co-conspirator to open up a channel and give them permission to come in.
The biggest vulnerability might be the help desk. Anyone can call the help desk and attempt to solicit new information about the network. If the enterprise does not train those people to understand that, they might give that data out. "That information might actually lend to cyberterrorists bringing down the entire network," says Iadonisi.