Vulnerabilities in software that automates everything from factories to traffic lights has become the nation’s top cybersecurity threat, an agent on the FBI’s Denver Cyber Task Force said Thursday in Colorado Springs.
Supervisory control and data acquisition software is used to control — sometimes remotely — many types of devices in the energy, transportation, manufacturing and other industries and often is connected to sensors, valves, pumps, motors and other types of equipment to ensure safe operation, detect problems and maintain quality. The systems can be vulnerable to cyberattacks because they sometimes aren’t protected by sophisticated security systems since they aren’t accessible to or used by members of the public and usually are located in areas away from the public.
Dan Leyman, special agent in the Denver Cyber Task Force, said the industrial control software is the biggest threat for the FBI because it is used to control much of the nation’s critical infrastructure, ranging from dams and power grids to traffic control systems and waste water treatment plants. He made the comments during a panel discussion during a breakfast briefing at the Cheyenne Mountain Resort on cybersecurity by FedInsider.com, a Washington, D.C.-based website specializing in information and education about government management.
Most of the world’s high-profile cybersecurity incidents involve theft of consumers’ personal information from retailers, insurers and other businesses or so-called “ransomware” like the “WannaCry” attack that compromised more than 200,000 computers in 150 nations last month, Leyman said. But many cyberattack victims are reluctant to contact the FBI due to fears of bad publicity damaging the reputation of a business or government agency if reports of the attack become public, but the FBI is barred to publicly disclosing the victim or details of the attack, he said.
“Our goal is the identify and prosecute the bad guy. We need to find out who did what to whom. The biggest issue in getting victims to report incidents is fear of public disclosure. We aren’t allowed to do that. We can’t identify and prosecute the perpetrator unless we know about the incident,” Leyman said.
Source: Government Technology