May/June 2018

Communities: Industry
Recent Cyberattacks Target Critical Infrastructure

When engineers explain their work to children, they sometimes describe engineering as the thinking behind modern conveniences like lights that brighten a room with the flip of a switch and clean water that fills our glass when we turn the faucet.

But what if the lights don’t come on or water doesn’t come out of the tap? On March 15, engineers were reminded yet again how easily these conveniences can be disrupted by malicious actors. According to an alert from the US Computer Emergency Readiness Team, the Russian government is targeting US government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

The widely reported alert (CERT Alert TA18-074A) explains the technical details behind Russia’s techniques for targeting industrial control systems and supervisory control and data acquisition systems. It doesn’t, however, list specific companies that were attacked and it doesn’t mention specific acts of sabotage.

Days after the alert, other high-profile attacks occurred. The computer systems for the City of Atlanta were held hostage by ransomware, and four US natural-gas pipeline operators were forced to temporarily shut down their computer systems after a cyberattack.

These incidents have heightened concern among elected officials, industry leaders, and the public. But solutions haven’t been easy to find. A decade ago, the National Academy of Engineering announced that securing cyberspace was one of its 14 Grand Challenges of Engineering. Today, NAE’s website summary of the challenge says, “research and development for security systems has not progressed much beyond a strategy akin to plugging the hole in the dike—cobbling together software patches when vulnerabilities are discovered.” NAE adds: “The problems are currently more obvious than the potential solutions.”

The depth of the cybersecurity problem, particularly for industrial control systems, was revealed in a January report from Positive Technologies, a global enterprise security firm. Since 2010, when the Stuxnet computer worm hit, security at most industrial facilities has improved little, the report says. In 2017, the number of new disclosed vulnerabilities found in ICS components increased over the previous year, and 61% of the new vulnerabilities were classified as either critical or high severity.

A big part of the problem, according to the report, is the common practice of connecting ICS equipment to the Internet. Using publicly available search engines, hackers can find IP addresses of switches, interface converters, and gateways, which places building systems at risk.

By far, the US tops the list of countries with the most Internet-accessible ICS components, followed by Germany, France, Canada, Italy, and China. With more targets, hackers have a wider range of attack options, the report says. “Responding to sophisticated attacks on ICS components requires large amounts of preparation and planning,” the report adds. “Before the first line of code is ever written, ICS developers must design the security mechanisms necessary to protect ICS components from attack.”

To better prepare students to take on cybersecurity challenges, the accreditation organization ABET has released proposed accreditation criteria for engineering programs. The program criteria for cybersecurity engineering will complement existing ABET Engineering Accreditation Commission criteria for engineering programs and focus on fundamental knowledge and principles of cybersecurity within the engineering discipline.

ABET has also released accreditation criteria for cybersecurity within the realm of computer science, information systems, and information technology.

The two sets of criteria are available for public review and comment through June 15. See www.abet.org.