It seems with each passing week another big name ‘scalp’ is added to the growing number of organisations that have been subject to major cyber attacks, in a list that now includes Sony, Amazon, the IMF and the CIA among its ranks.
At this moment teenager Ryan Cleary, alleged member of the LulzSec ‘hacktivist’ outfit, is in custody accused of infiltrating the UK’s Serious Organised Crime Agency (SOCAO) and quite possibly others too.
But arguably, it is attacks on the likes of US defence contractor Lockheed Martin last month that have awoken engineering and infrastructure organisations to the risks they potentially face.
And perhaps one of the most worrying implications of cyber attacks for engineers is that the damage isn’t always limited to data in networks and systems – rather, it can get very much physical too.
While details are still sketchy (especially with regards to the perpetrators), it looks like the stuxnet worm that infected the Natanz uranium-enrichment plant in Iran last year seriously set-back their (apparently peaceful) nuclear programme by crippling vital centrifuges.
Given the proliferation of automated systems it should perhaps come as no surprise to the engineering community that infrastructure is vulnerable – and indeed warning signs were there well before stuxnet.
In 2007 an experiment dubbed ‘Aurora’ conducted at the US Department of Energy’s Idaho lab showed that a remote hacker with a basic internet connection could completely take out a generator. Apparently, engineers who were fully aware of the experiment were nevertheless aghast at hearing a grinding snap from within the 27-ton steel giant as black smoke began pouring out.
And back in 1982 the CIA launched a ‘logic bomb’ attack on a Soviet gas pipeline in Siberia causing it malfunction to explode in what was described by a air force official Thomas Reed as ‘the most monumental non-nuclear explosion and fire ever seen from space.’
The big question is how can engineering firms protect themselves against a threat that is so diffuse and that so few people understand.
A few weeks ago I attended an award ceremony for Cyber Security Challenge UK – an initiative with some powerful corporate backers that hopes to find talent and ensure it doesn’t end up on the path Clearly seems to have taken.
The heads of cyber security for some major names spoke, including National Grid, BT, and the London Clearing House (where billions of pounds of critical economic transactions pass through each day) – all giving rousing lectures on ‘keeping the barbarians from the gate’ in the case of the LCH.
You would expect, and certainly hope these outfits have the finances and resources to tackle threats, but what about companies where cyber security has not previously been seen as a priority.
I spoke with Mohan Koo, head of cyber security consultants, Dtex Systems, which has previously worked with Barclays and T-mobile, but is increasingly seeing smaller engineering clients.
‘For engineering companies one of the things that needs to be recognised is that security can not be developed as an afterthought to the projects they’re building. Generally priority is given to the availability of services and facilities, and that usually outweighs the requirement to have them 100% secure.
‘Security needs to be built into the framework and foundation of each engineering project to ensure that the security concerns are tackled from the root so then it’s very easy to manage going forward.’
And Koo argues that it’s not just about ‘holding the fort’ and erecting barriers to the outside world – companies need to accept, and deal with, the uncomfortable truth that sometimes the threat comes from within.
‘These are not opportunistic attacks, they are specifically targeted with a concerted effort, whereby these outsiders have to have had some internal assistance – whether knowingly or unwittingly – about the security of that network and infrastructure because they need that information to a certain level.’
In 2007 F1 team Mclaren was fined a record US$100 million and excluded from the 2007 Constructors’ Championship for being in possession of Ferrari technical data. After the incident Koo said he was approached by another F1 team keen to protect its innovative assets.
‘They started to realise that their intellectual property was extremely valuable – years of hard work in research and development that need to be managed in the same way you would protect money in a bank.
‘The industry woke upto the fact that they really need to know where their data is going and who’s got access to it – and not only who’s taking their data but who’s bringing data onto the premises because they can be punished for that.’
But generally Koo says most companies approach his firm after a breach has occurred when it’s a case of damage limitation. Ultimately, he says an entire culture change is needed whereby every single employee is a ’security operative’ and is savvy to the risk their employer faces.
I suspect the reality at the moment is probably somewhat short of this in most engineering firms.