AMERICAN COUNCIL OF ENGINEERING COMPANIES
As cybersecurity risks and dangers mount, engineering firms must have a clear strategy and strong protections both internally and for public safety
By Samuel Greengard
It’s no secret that digital technology is radically transforming society. Yet, it’s also introducing unforeseen and remarkable risks. Over the last decade, hacking and cybercrime have evolved from an inconvenient nuisance to a persistent and ominous threat. Hardly a day goes by without news of a major breach somewhere in the world, often to the tune of millions of dollars or involving highly sensitive data and intellectual property. What’s more, the control of energy systems, transportation networks and a growing swath of other types of infrastructure is increasingly at risk for cyberattacks and cyberterrorism.
It’s no small matter. ISACA, a global association representing IT professionals, and the RSA Conference recently surveyed cybersecurity managers and practitioners and found that 74 percent of enterprise security executives expect a cyberattack in 2016. Consulting firm PwC reports that security professionals have witnessed a 38 percent increase in cybersecurity incidents over the last year.
Robert Parisi, managing director and cyber product leader at insurance brokerage firm Marsh, believes there’s a reason behind the uptick. “Today, breaches typically have a financial or political motive,” Parisi says. “Attack surfaces are growing with the Internet of Things (IoT) and connected devices; cybercriminals are becoming far more sophisticated, and the potential damage and losses can be devastating.”
Within the engineering field, cyberrisks are nothing less than terrifying. Security experts are increasingly detecting malware in computers and industrial controls. In the future, this could lead to acts of terrorism or cyberwarfare that might include a release of radioactive material in an urban area or the derailment of a train carrying highly combustible or poisonous chemicals.
The safety of today’s business and IT frameworks requires a different way of thinking—and a far more sophisticated cybersecurity strategy. “Cybersecurity touches every market and every company,” says Biff Lyons, executive vice president and manager of the Defense and Security Division at Parsons Corp. “There’s a need to protect intellectual property as well as public infrastructure. Every project must involve strong cybersecurity from the start.”
High-profile cyberattacks and espionage have become the new norm in the digital age. The list of targets reads like a Who’s Who of business and government, including Anthem, Inc.; eBay, Inc.; Home Depot, Inc.; JPMorgan Chase & Co.; Target Corp.; Sony Pictures Entertainment; and the U.S. Office of Personnel Management. “The risks are large and growing,” says Matt Devost, president and CEO of FusionX, a security division of consulting firm Accenture.
Yet, the dangers aren’t limited to servers and personal data. Cyberattackers seeking to sabotage systems may take aim at industrial controls used at facilities, which could lead to a shutdown or failure in a high-rise building, transportation system, food processing facility, energy grid or gas pipeline.
It’s also important to recognize that internal and external systems aren’t necessarily discrete entities in a connected world. Cybercriminals who steal passwords from an engineering firm may dig into classified files and eventually wind up with the information needed to break into a key piece of infrastructure. At that point, even the best security tools—firewalls, malware detection, endpoint security, end-to-end encryption, sandboxing and air-gapping (running critical infrastructure off a separate network)—are rendered useless. Unfortunately, credential theft—usually accomplished through social engineering methods such as phishing and spear-phishing—has become rampant. Various industry studies show that about 70 percent of today’s intrusions originate from stolen credentials.
Making matters worse, the nature of cybersecurity is changing. Only a few years ago, attacks were typically blatant and messy. It was entirely obvious that hackers had broken into a system and stolen data or caused damage. Today, cybercriminals often take a “slow” and “low” approach that involves stealthily lurking in systems and collecting data drip by drip over months or years, until they are ready to unleash a major attack or shut down a piece of key infrastructure. Last December a piece of malware dubbed “BlackEnergy” reportedly caused a massive power failure and was said to have spread through Microsoft Office macros. The same month, the U.S. Department of Homeland Security reported that intruders had broken into systems at the Bowman Avenue Dam in Rye Brook, N.Y. (not just once but six times) and had accessed and read files, including usernames and passwords.
In 2014, officials in South Korea blamed North Korean hackers for breaching the computer system at a nuclear power plant. The event occurred just days after the now infamous hacking of Sony Pictures Entertainment’s computer network, which may also have originated from hackers in North Korea. Other major infrastructure breaches have occurred all over the world. In 2001, a man hacked into a waste management system in Queensland, Australia, and released millions of gallons of raw sewage into local parks, rivers and even the grounds of a large hotel. Ten years ago, hackers broke into the main traffic control center in Los Angeles and reprogrammed traffic lights, causing massive congestion.
At the heart of the problem, says Jeff Pack, senior project manager at POWER Engineers, a firm that specializes in control systems for power facilities and food processing factories, is the growing number of exposure points that result from connected devices and systems. These vulnerabilities often multiply across systems and companies.
“As machines become more sophisticated and intelligent, and as they allow data to flow in and out, there is an increased risk of cyberthreats,” he says. “The problem today is that so many systems interconnect, and you cannot defend against everything. It’s impossible to build an impenetrable castle. You can’t lock down every device and system.”
Further complicating things, most legacy infrastructure and industrial control systems were built without today’s connectivity needs and robust security requirements in mind. In many cases, they rely on old versions of MS-DOS, and they lack robust authentication and other safeguards, including built-in data encryption—all of which make it much easier for intruders to compromise the system and control functions.
“A huge challenge for engineering firms is upgrading or updating infrastructure systems, including SCADA (supervisory control and data acquisition) systems, that operate in legacy environments,” says Richard Donohoe, director of the Security Risk and Resilience Group at Black & Veatch. “In many instances, it’s impossible to apply a patch, and many have hardcoded passwords that everyone knows. They are a huge security risk.”
About the American Council of Engineering Companies
The American Council of Engineering Companies (ACEC) is the voice of America’s engineering industry. Council members – numbering more than 5,000 firms representing more than 500,000 employees throughout the country – are engaged in a wide range of engineering works that propel the nation’s economy, and enhance and safeguard America’s quality of life. These works allow Americans to drink clean water, enjoy a healthy life, take advantage of new technologies, and travel safely and efficiently. The Council’s mission is to contribute to America’s prosperity and welfare by advancing the business interests of member firms.