Archive for the ‘IT security’ Category

You Want Scary? “Utility Cybersecurity is in a State of Near Chaos”

 


Those incendiary words are courtesy of a recent Pike Research (now called Navigant Research) study.  Bottom line: It suggests that a dirt cheap smartphone app could wirelessly communicate with a targeted command-and-control computer system — one that utilities rely upon — to cause unimaginable havoc.

What kind of catastrophe are we talking about?  Some U.S. officials foresee cyber-attacks that could take down a utility servicing millions of people and render them powerless. For months.

The way PG&E’s Chief Information Security Officer, James Sample, sees it, “We will see catastrophic outages. We are dealing with a very intelligent adversary.”

But despite the doomsday warnings, have utility companies stepped up their security measures?  Not according to many security specialists.

Why not? Looking at the issue from a purely monetary standpoint, some estimates suggest that upgrading utility security could cost upwards of $14 billion. But from a preparedness standpoint, are utilities in a serious state of denial about the realities and potential impact of cyber-terrorism?

Some vocal critics say yes. Consider what Dale Peterson, CEO of Digital Bond, a firm that evaluates the security posture of utilities and other companies, told the San Jose Mercury News: “[Utilities] just want to kind of pretend the problem doesn’t exist. So it might take some really tragic thing with some huge disruption of people’s lives before something gets done.”

So how many wake-up calls are needed to compel utilities to step up their security act?  The U.S. Department of Homeland Security has already reported infiltrations of oil and natural gas pipelines and electric power organizations.  Out of 198 cyber-incidents reported, 41% targeted energy companies, 15% were aimed at water-related firms and six included the “nuclear sector”.  Yes, it is that scary.

The California Public Utilities Commission warns that utilities are increasingly vulnerable by way of smart meters and the smart grid.  The same CPUC study reports: “(Eighty) to 90 percent or more of the electric infrastructure currently does not fall under any required standards and that cyber-security practices of the utilities are not monitored.”

If this doesn’t scare the hell out of you, consider the sobering findings from a survey conducted by risk management specialists nCircle, who asked 104 energy security professionals if their smart meter installations were adequately protected from hackers: 61% said, “No.”

As content specialists in security, Write Angle would like to hear why security companies aren’t making more noise about the vulnerability of utilities.  We’d love to hear from you.

Is BYOD dead?

 

 


 

It’s an interesting question we were asked to address in developing a recent white paper on behalf of our client AppSense.

While first-generation solutions to the BYOD problem have focused on locking down personal and corporate-owned devices, it’s become increasingly clear that IT departments have been mostly unprepared for the explosion of mobile computing and the avalanche of apps coinciding with the mobile revolution.

Recent studies estimate that 200 million workers are using mobile apps for business today. This strongly suggests that the consumer mobile experience has paved the way for the mobile workforce not only to expect, but demand access to data and apps from anywhere.

What does this all mean in the grand scheme of things?  Forward-looking organizations are moving from a lock-down approach to providing users access to apps and data they demand and require, anytime and anywhere.

AppSense dubs this new approach “BYOX” –  providing security and control anywhere they’re needed, regardless of device, without adversely affecting the user experience.

Check out our “nine big ideas” that will be instrumental in driving the next generation of mobility management solutions.

Why cybercrime is still big business


 

Our security client Fortinet asked us to compose a bylined thought-leadership piece on why cybercrime continues to be big business. Appearing in Forbes, the article takes an unflinching look at why cybercrime is growing in magnitude and sophistication. The two driving factors are the consumerization of crimeware and the adoption of best business practices by crime syndicates worldwide.

Perhaps most alarming is the fact that crime syndicates are using an “enterprise-class” approach to growing their business.  The structure of these syndicates, in many respects, mirrors the hierarchies of big organizations right down to the executive suite, middle management and the rank and file.

When you couple the growing organizational sophistication of crime syndicates with the explosion in cloud computing, social networking, BYOD and mobile communications, cybercriminals have an unprecedented smorgasbord of attack vectors to choose from.

And like most well-managed for-profit enterprises, crime syndicates maintain extensive R&D organizations. Custom-order code to produce private botnets, fake anti-virus software and previously unseen deployment systems are just a handful of new schemes being developed in off-the-grid labs.

But the similarities syndicates share with the corporate world don’t end there.  Taking a page out of Wall Street, crime syndicates are actively engaging in mergers and acquisitions to grow their botnets through the use of another organization’s best practices.

Blurring the lines of best practices even further, we’re now seeing creative profit-sharing flair as crime syndicates grow sophisticated pay-per-click/install/purchase affiliate programs. Up-and-coming cybercriminal affiliates are now being rewarded on a performance-based pay scale.

So what’s to be done about all of this? Clearly, working groups and task forces are essential to stem the tide. But despite some high-profile takedowns, these efforts are a drop in the bucket.

The bottom line is that global participation is a necessity. International bodies that can mediate disputes and dispatch resources to share information about cybercrime trends are mandatory. In addition, the Achilles heel of cybercrime needs to be attacked — and that means going after the cash flow. Affiliate programs need to be targeted because they’re the cash cows that pay out commissions and rewards to the “infantry” that carry out malicious attacks. Dry up the well and the rest of the food chain withers.

Of course, there is no practical substitute for implementing a highly layered security strategy, assessing potential security flaws on a regular basis, and educating users about security best practices while having incident response plans and enforceable policy mechanisms in place.

What do you think? Can cybercrime ever be contained? What needs to happen to enable a lower incidence of “incidents”? What can the private and public sectors do, separately and in tandem, to make it harder for bad guys to ply their trade?