There is universal agreement that modern warfare or crime fighting is not just about bullets, bombs and missiles in physical space. It’s also about hacking in cyber space.
But over the past decade there has been much less agreement over how much of a threat hackers are.
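On one side are those, some of them high-level government officials, who have warned that a cyber attack on the nation’s critical infrastructure could be catastrophic, amounting to a “cyber Pearl Harbor.”
Those warnings prompted the recent book by retired ABC television “Nightline” anchor Ted Koppel titled “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath.”
Other experts argue just as forcefully that while the threats are real and should be taken seriously, the risks are not even close to catastrophic. They say those predicting catastrophe are peddling FUD: fear, uncertainty and doubt.
A recent example of that view is an op-ed in the Christian Science Monitor by C. Thomas, a strategist at Tenable Network Security, who uses the nickname Space Rogue.
He argued that the biggest threat to the U.S. power grid or other industrial control systems (ICS) is not a skilled hacker, but squirrels. They, along with other small animals, “cause hundreds of power outages every year, yet the only confirmed infrastructure cyberattack that is known to have caused physical damage is the Stuxnet worm (a computer worm used to destroy centrifuges in Iran’s nuclear program),” he wrote.
That theory was immediately disputed by other experts, including Thomas P.M. Barnett of Resilient, who wrote in a blog post that the comparison is like calling the common cold a “bigger” threat than cancer. The cold is much more frequent, but is much less of a threat than cancer – or as he put it, cancer is “low probability but far higher impact.”
Still, the growing evidence of hostile foreign nation states penetrating the grid and other critical infrastructure is enough to make even anti-FUD experts wonder just how “low probability” a major attack is.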
The Associated Press reported last month on security researcher Brian Wallace’s discovery that hackers had penetrated Calpine Corp., a power producer with 82 plants operating in 18 states and Canada.
While accurate attribution of attacks is notoriously difficult, digital evidence pointed to Iran. Wallace found that the hackers had already taken engineering drawings, some labeled “mission critical,” that were detailed enough to let the intruders, “knock out electricity flowing to millions of homes.”
And this was just one incident of about a dozen during the past decade in which, “sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on,” the AP said, quoting anonymous experts.
The Wall Street Journal reported on one of those last month – that in 2013, Iranian hackers infiltrated the control system of a dam in Rye, N.Y., just 20 miles outside of New York City.
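And the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently said it had received reports of 295 incidents involving critical infrastructure in fiscal year 2015, up from 245 the previous year, or 20.4%.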
None of those intrusions has led to a known cyber attack that has taken down the grid, even in part. But Robert M. Lee, cofounder of Dragos Security and a former U.S. Air Force cyber warfare operations officer, told the AP that if relations between Iran and the U.S. degrade, “and Iran wants to target these facilities, if they have this kind of information it will make it a lot easier.”
That does not mean he thinks Armageddon is at hand, however. Lee told CSO that even with that kind of access, he doubts attackers could, “control the operations networks or damage infrastructure enough to keep power down for longer than a few hours.”
Jeremy Scott, senior research analyst at Solutionary, has a similar view. “The threat is real and serious – we are highly dependent on critical infrastructure for our daily lives and it would have a significant impact,” he said, “but it would not be the crippling blow that some would think.”
Of course, both Lee and Scott stress that they are speaking in the present tense. The possible damage from a cyber attack could grow worse if hostile hackers improve their skills over time.
Mark Gazit, CEO of ThetaRay, also agrees that the current threat from hackers is not at a catastrophic level, but believes that as nation-state hackers become more sophisticated, “their impact is definitely getting closer to the mission-critical operations of ICS.”
Meanwhile, the cyber security of ICSs remains notoriously weak – they were originally designed for reliability, not for connectivity, and are difficult to upgrade or replace. “A lot of security problems are baked in,” said Kevin Fu, cofounder and chief scientist at Virta Labs.
“It’s legacy hardware and the systems are unusual – it’s not your desktop computer of 2016. Even if you had the budget, they’re hard to buy,” he said.
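Indeed, James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), famously told CBS’s “60 Minutes” in November 2009 that major generators require a lead time of three or four months just to order them.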
“It’s not like if we break one, we can go to the hardware store and get a replacement,” he said.
Of course, even hostile nation states would be unlikely to seek to disable the U.S. in a major way, since it would be seen as an act of war that would trigger a ferocious response, and could also have a major effect on the stability and economy of every other nation in the world, including their own.
There are also assumptions, even if they are not confirmed officially, that if nations like North Korea, China, Russia and Iran have breached ICS facilities in the U.S., the U.S. has penetrated their facilities as well, creating the cyber version of the balance of terror.
Asked about that, Lee and Scott both offered a brief, “No comment.”
But Gazit said he suspects it is true. “History shows that no playing field ever gets too one-sided,” he said. “When one side develops skills, the other side develops skills as well.”
None of those constraints apply, however, to terrorist groups like the Islamic State (commonly called ISIS), which have an apocalyptic view of international relations. They are not seen as a cyber threat now, but could become one.
“Groups like ISIS are mostly using the Internet for recruiting purposes,” said Justin Harvey, CSO at Fidelis Security, “but I don’t think this will always be true. It is only a matter of time before ISIS gets their collective stuff together and starts funding cyber terrorism.”
Fu believes that the best anyone can do in analyzing cyber threats is an educated guess. “The risks are real,” he said. “Everything could be fine for 10 years, but there is no way of giving any meaningful assurance that it will stay that way.
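“At what point will entities like terrorists develop the capability? We don’t know.”
That comes back to the point on which most experts agree. Whether the threat level is catastrophic or not, U.S. ICS operators need to improve their security. That means improvements in technology and in the skills of the people who run it.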
When it comes to technology, the emphasis should be on detection and rapid response more than on prevention, they said.
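“Stop investing so much in prevention technology and focus on detection platforms that forensically inspect network and endpoint metadata for threats,” Harvey said.
Gazit agreed. “Advanced algorithm-based machine solutions can deliver real-time detection, actionable intelligence and uninterrupted response,” he said, “providing humans with the alerts they need so they can make the right decisions at the right time.”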
According to Lee, “the big focus needs to be on the training and empowering of security personnel. The threat is a human adversary and it is foolish to think technology alone will stop a human adversary. To counter flexible and persistent adversaries requires empowered and trained defenders.”
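On the organizational side, the Industrial Control Systems Joint Working Group is a partnership between federal agencies and private owners of ICS.
Fu said if ICS operators would just use the formula established by the National Institute of Standards and Technology, they would vastly improve their security.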
“You need to think about the risks, about what controls you’re putting in place to mitigate them, and then how you are measuring them to see if those controls are effective,” he said. “People tend to forget the third one, but it’s very important.”
This story, “How much at risk is the U.S.’s critical infrastructure?” was originally published by CSO.