While the amounts stolen aren’t insignificant, they pale in comparison to the 850,000 bitcoins, worth close to $450 million, that disappeared from Japan-based exchange Mt. Gox in 2014. The exchange, believed to have handled 70 percent of all bitcoins, has since closed and entered bankruptcy. Japanese police believe the theft was an inside job.
As is often the case with technology, the exchanges have thus far focused on functionality and usability, with security an afterthought, said Steve Donald, CTO of Hexis Cyber Solutions. Many of the attacks relied on social engineering to gain a foothold on the exchange’s network. Exchanges need to adopt secure code development practices, as well as dynamic and static code analysis to protect their applications. “Bitcoin exchanges should be highly incented to improve security as this will be a requirement before this new type of currency will achieve wide scale usage,” Donald said.
Cyber goes real-world
Cyber attacks that result in damage in the physical world happen far more often on TV shows than they do off-screen. It was scary when the Shamoon malware attack partially wiped or totally destroyed the hard drives of 35,000 computers at Saudi oil company Aramco back in 2012. We saw the blurring between cyber and physical again -- to be fair, the attack actually happened in 2014 and the report providing the details was released shortly before the end of the year -- at an unnamed German steel mill when attackers manipulated and disrupted control systems. The blast furnace could not be properly shut down, resulting in “massive” damages, according to reports.
There is a tendency to think cyber attacks are about stealing data or knocking systems offline. There can be real-world damage, too. An attacker can potentially compromise a pharmaceutical company’s production process or quality control systems and modify the recipe for a particular drug. Hospital systems are also vulnerable to attack, especially since many legacy systems still in use cannot be secured. As many as 20 percent of hospitals are vulnerable to attacks that can disable critical care systems, Gallicchio said.
“People can be physically hurt from a cyber attack,” Gallicchio said.
Industrial control system security comes up a lot in conversation, but the incident at the German steel mill highlights the fact that the threat is no longer theoretical. One of the challenges facing industrial control system security, especially in manufacturing, is the simple fact that the systems are typically controlled and administered by operations and engineering departments, not IT. The operations and engineering teams are focused on reliability and make decisions at the expense of security in order to maintain uptime.
Improving defenses requires “a mix of basics and more contemporary defenses,” such as ensuring proper segmentation and access controls between different networks, Donald said.