Industrial control systems used in power plants and factories are increasingly at risk of being hacked because they are often connected to the public-facing Internet, a government cybersecurity official warned on Wednesday.
At a conference in Miami attended by upwards of 300 critical infrastructure specialists, Marty Edwards, the head of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, said the computer networks that control the operations of industrial processes pose a very real risk of being exploited on account of being connected to the Internet.
“I am very dismayed at the accessibility of some of these networks. … They are just hanging right off the tubes,” Mr. Edwards told attendees at the S4 conference, Reuters reported.
Even if classified and highly sensitive networks are adequately protected, failing to isolate a system and instead allowing it to interface with the Internet opens the door for hackers who may be able to exploit vulnerabilities and hop from one computer to another.
Mr. Edwards did not cite any specific recent incidents, but he suggested that the number of successful intrusions has been increasing, Reuters reported.
“We see more and more that are gaining access to that control system layer,” he said.
The latest warning came only weeks after it was publicly revealed that hackers had infiltrated the control system used by a hydroelectric dam near New York City in 2013.
More recently, U.S. cyber experts have reportedly begun assisting Ukrainian authorities probing the apparent cyberattack that briefly crippled portions of the country’s power grid late last month, and ICS-CERT said in an alert earlier this week that malware used in the attack appears to share similarities with code that had been previously deployed to infect critical infrastructure in the United States.
Last week, Dr. Kevin Curran, a senior member of Institute of Electrical and Electronics Engineers (IEEE) and a security lecturer at Ulster University, told Computing, a U.K.business technology publication, that carelessness on the part of a control systems operator is all that could be required to ravage an entire network like the recent cyberattack in Ukraine.
“There is no reason to believe the U.K. could not suffer a similar attack. There are many employees who regularly access control systems remotely thus leaving the door open for breaches,” he told Computing. “These mission-critical systems are also often the last to be patched.”
In the U.S., meanwhile, an inspector general’s report released by the Nuclear Regulatory Commission this week concluded that the federal government’s networks have seen a 9.7 percent increase in computer security incidents between 2013 and 2014, whereas hack attempts waged against the NRC surged by 18 percent during that same span.