Destructive hacking attacks on critical infrastructure appear to be more common than previously assumed

Destructive hacking more common than previously thought

Hacking attacks aimed at destroying data or manipulating industrial equipment are far more common than previously thought, according to a new survey.

A poll of critical infrastructure organisations in North and South America released today found that 44 per cent had dealt with bids to delete files, 54 per cent had encountered "attempts to manipulate" their equipment through a control system and 40 per cent had faced attempts to shut down their computer networks.

The poll by the Organization of American States (OAS) found that only 60 per cent of the 575 respondents said they detected any attempts to steal data, long considered by far and away the predominant hacking goal.

Destruction of data is relatively easy compared to penetrating a network, so the infrequency of publicised incidents has often been ascribed to a lack of motive for attackers.

But destructive attacks or manipulation of equipment are likely to be seriously underreported in the USA, in part because breach-disclosure laws in more than 40 states focus on the theft of personal information.

Securities and Exchange Commission guidelines require publicly traded companies to disclose breaches with a potential material financial impact, but corporations can argue that deletion of internal databases, theft and manipulation of equipment are not material.

Chris Blask, who chairs the US Department of Homeland Security-led Information Sharing and Analysis Center for cybersecurity issues with the industrial control systems says much more is occurring at vital facilities behind the scenes, and as shown by the OAS report.

"I don't think the public has any appreciation for the scale of attacks against industrial systems," he said. "This happens all the time."

The survey went to companies and agencies in crucial sectors as defined by the OAS members such as communications, security and finance and almost a third of the respondents were public entities.

Respondents were anonymous and were not asked whether the attempted hacks succeeded or the scale of losses from breaches. The survey did, however, allow participants to provide a narrative of key events if they chose, although those will not be published.

Adam Blackwell, secretary of multidimensional security at the Washington, D.C.-based group of 35 nations said that one reported breach at a financial institution saw hackers steal money from accounts and then deleted records to make it difficult to reconstruct which customers were entitled to what funds.

"That was a really important component" of the attack, Blackwell said.

In another case, thieves manipulated equipment in order to divert resources from a company in the petroleum industry and Blackwell said this highlighted the danger of criminal thefts of resources, such as power, forcing blackouts or other safety issues.

Tom Kellerman, vice president of security company Trend Micro, which compiled the report for the OAS, said other attacks came from political activists and organised crime groups.

"We are facing a clear and present danger where we have non-state actors willing to destroy things," he said. "This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor."

Spokesman for the Department of Homeland Security SY Lee said the department did not keep statistics on how often critical US institutions are attacked or see destructive software and would not "speculate" on whether 4 out of 10 seeing deletion attempts would be alarming.

US political leaders cite attacks on critical infrastructure as one of their greatest fears, and concerns about protecting essential manufacturers and service providers drove a recent executive order and proposed legislation to encourage greater information-sharing about threats between the private sector and government.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them

Close