Most cyber attacks are flying under the radar because companies don’t want to expose their weaknesses and scare off their customers.
It is only those widespread assaults that are making the news — such as the Stuxnet virus allegedly sent by the United States and Israeli governments that is reported to have to have set back the Iranian nuclear program. Governments using those worms and viruses to go after their adversaries are one thing. But criminals using them to extort money from businesses is another.
The persistent threats prompted Congress to act and in December 2015, President Obama signed into the law the Cyber Security Information Sharing Act that makes it easier — and voluntary — for companies to share their sensitive information with the government, while preventing the identifiable data from getting into the wrong hands. It all comes in the wake of attacks on Target and and Home Depot, where customers had their financial info stolen.
“Cyberattack threats are significant and continuously evolving in sophistication,” says Brian Christensen, executive vice president, global internal audit for Protiviti. “The rapid introduction of new technologies, combined with the growing frequency and magnitude of corporate cybersecurity lapses, is driving internal audit to increase its IT audit capabilities each year.”
The global consulting firm surveyed more than 1,300 internal audit professionals, including more than 150 chief audit executives, and found that 73 percent of organizations now include cyber security in their internal examinations. That’s a 20 percent increase over last year.
While much of the attention has been in information technology, it is now on limiting companies’ business risks, the firm adds. Outsiders are breaking in, for example, by unsuspecting workers who download malware and spyware that invade control systems. The result could be anything from taking proprietary information to killing the power for a whole city, or entire industrial campuses.
Indeed, the electric grid is a fat target. It is the vehicle by which electricity flows and it is therefore a critical economic asset. After all, keeping the lights on and maintaining commerce are fundamentals that preserve lifestyles and well-being. It’s estimated that a single brownout can cost as much as $10 billion, which comes in the form direct losses as well as forsaken opportunities, according to the Federal Energy Regulatory Commission.
The electrical transmission network serves more than 300 million people and it is comprised of 200,000 miles of wires, says the congressional study. It is valued at more than $1 trillion — assets that are primarily owned and operated by private entities and ones that are interwoven into the fabric of the entire American economy.
Consider: The Great Blackout of 2003 that began in FirstEnergy’s territory and which was the result of unwieldy trees that had interfered with the lines, all compounded by a computer system error. Ultimately, 50 million people stretching from the Mid Atlantic states to the Northeast and into Canada were affected. That cost $6 billion and 11 lives.
Last September, the Energy Department’s Joint Cybersecurity Coordination Center said that there had been a steady barrage of assaults on the nation’s vital infrastructure and its energy laboratories. That report found that in a 48 month period ending nearly a year ago that 1,131 attacks occurred, with 159 of those successful, according to a USA Today story.
Grid operations are being protected by everything from frequent password changes to periodic patches to firewalls and upgrades. But it’s a never-ending battle. Setting priorities by identifying high-value assets and then restricting access is a good start, all while ensuring employees are well-trained and well-vetted.
“If privacy is breached, it shows a lack of competency and it feeds distrust,” says Larsh Johnson, chief technical officer at Siemens Smart Grid, in an earlier interview with this writer. “There are some cases where malicious operations could result in power outages.”
Unbeknownst to most, utilities are getting hit from all sides, he adds. For example, Xcel Energy is successfully fending off thousands of would-be attackers a month. A lot of other power companies are doing the same. It’s a good thing, given that customer information is relayed to data centers that gets uplifted to cloud-based storage operations — intelligence to be kept away from those with bad intent.
While cyber security is just now starting to get the attention of consumers, it has long been on the minds of corporate personnel — and the U.S. government. That’s why the cyber security law passed in a divided Congress. Digital communications is making businesses more competitive. But it is also making them more susceptible to foreign invaders.