Experts: Recent Critical Infrastructure Attacks A Sign Of Major Security Challenges Coming In 2016

Hackers rang in the new year with a slew of critical infrastructure attacks, a trend that partners and security experts said points to a tough year ahead for critical infrastructure security.

Within the past few weeks, reports have emerged of two successful critical infrastructure attacks. The first, widely attributed to a Russian hacker group called Sandworm, caused a power outage Dec. 23 for hours in a region of Ukraine. A virus, dubbed "Black Energy," infiltrated the region’s power grid, likely through spear phishing, and disconnected the electrical stations, security researchers at iSight said. ESET elaborating on the findings, discovering the virus in multiple electrical stations across the country.

In the U.S., the Wall Street Journal reported in late December that Iranian hackers had infiltrated a New York dam control system not too far from New York City. The hack occurred two years ago and is still classified, the report said.

[Related: The 10 Biggest Data Breaches Of 2015]

The probability of a major critical infrastructure attack was one of the most popular predictions by security experts going into 2016.

"I don't want to scare people, but the vulnerabilities and the ease at which you can target critical infrastructure is increasing. … The risk [of an attack in 2016] is significant, I believe,’ said Raj Samani, Intel Security EMEA chief technology officer.

The challenge for many critical infrastructure providers, said J.J. Thompson, CEO of Rook Security, an Indianapolis-based managed security service provider who works on some critical infrastructure projects, is that the same engineers and technical staff trained to fix pumps and switches are now the same ones charged with overseeing new digital, connected technology. The employees are doing the best they can with the training they have, he said, but the skill gap poses a serious security problem.

On top of that, Thompson said, there is a "Catch 22," in that public utility and other critical infrastructure companies don't always want to admit that they aren't secure, but they often have to in order to get the funding needed from regulatory commissions to upgrade their systems. That leaves the readiness level of much critical infrastructure relatively unknown, he said.

However, the vulnerabilities "clearly exist," said Samani, and the impacts are significant. Hackers targeting critical infrastructure aren’t usually doing it for financial means, he said, which can make the outcome much more serious than in a typical data breach.

For partners, navigating those tricky waters can present a large opportunity, Thompson said. He said Rook Security has invested "a lot of money" into research and development around the space over the past year, expecting to roll out some new solutions in the coming months.

"We think there's [a lot of opportunity]," Thompson said. "We're going to continue to over-invest in it because we believe there's significant opportunity for improvement with minimal effort and minimal spend on the utility side."

"How this next year evolves will be very telling," he said.

PUBLISHED JAN. 16, 2015