By Robert Albach
Security is hard enough without your executives knee-jerking to the latest FUD (fear, uncertainty, and doubt) filled headlines and demanding answers or solutions to problems you either already solved or don’t even apply.
It gets worse when those headlines themselves are in error and your over-subscribed teams end up burning time you don’t have, or even worse, altering sound thoughtful policy just to give a positive “fixed it” answer to the wrong question.
We understand that clicks equal money for news outlets, but they can cost you plenty when you find yourself on a quixotic quest backwards.
So, let’s look at some of those bad headlines, rewrite a few, and make some observations along the way.
First, we look back to one of the more popular myths of modern IoT incidents – the Target breach of 2013. Yes, more than 41 million customers were impacted. Yes, Target had to pay over $18 million as a result. No, the attackers did not get in through an HVAC system.
Your executive might be forgiven for thinking the point of sale (POS) malware somehow leapt from the AC ducts onto the sales registers if she had read this headline: “Target attack shows danger of remotely accessible HVAC systems.” What really happened was more sensible; a remote billing system was in close logical proximity to the POS system at Target HQ.
Fortunately, security mavens have more reliable sources such as Brian Kreb’s posting with an appropriate title of: “Target Hackers Broke in via HVAC Company.” Have retail companies spent cycles trying to find links between their HVAC systems and POS systems? Yes. Did they find them? Maybe, but mostly no I’m certain. If they did, then time well spent. For most though, that time was spent when time was not plentiful.
Let’s move to more incendiary claims.
Specifically, explosions caused by attackers. There is a whole class of petroleum-related attacks some real, but some not.
In the realm of explosive headlines, however, we will leap past the great Siberian pipeline hack to a more recent claim. That of the Turkish pipeline explosion of 2008. In this case we have this headline: “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar.” Cyberwar! Explosions! Can’t get much more exciting than that, except there is no evidence that is what happened. If you want to call this incident the opening of a “New Cyberwar,” then it was strangely overlooked at last month’s Cyberwarcon in Washington, D.C.
What really happened is less certain, but lots of discussion about what did not happen is a good many of the assumptions used to make the logical leap to a cyberattack. Some good discussion with commentary from folks with background in the area at this link. Were there changes made to pipeline security as a result? Maybe, but like the alleged hack itself, there is no visible evidence of it.
Let’s finish with a closer-to-home and today discussion about another pipeline incident. The great pipeline shutdown of 2018. Didn’t hear of it? Four pipelines in the U.S. were in fact shut down by a cyberattack this March. Most curiously very few people seemed to have heard about it. Check these headlines:
“Insecure SCADA Systems Blamed in Rash of Pipeline Data Network Attacks.” Yes, there were pipeline shutdowns. No, insecure SCADA Systems had nothing to do with it. Hopefully nobody got a rash.
“Cyberattack Pings Data Systems of At Least Four Gas Networks.” Yes, it was a cyberattack. Yes, it hit somebody’s data systems. No “ping” was not involved. I don’t know if the use of “ping” was on purpose or not, but I did receive requests about ping attacks hitting pipelines.
“Energy Transfer says third-party service provider hit by cyber-attack.” Yes, there was a cyberattack and it targeted the third-party service provider not the pipeline itself and not even the pipeline owner. Good headline!
So finally, we have a real attack and at least one article headline managed to accurately reflect the incident. For some though, I know it was too late. The headlines grabbed, emails flew, and more than a few weekends and weeknights were spent crafting reassuring notes as a result.
Robert Albach is senior product line manager with IoT Security at Cisco.