The Association for the Capital Projects Engineering & Construction Community.

Cyber Security

May 24, 2012

By Chad Supan, Future Leader

You may stop this individual, but you can’t stop us all…
excerpt from The Hacker Manifesto
published by ‘The Mentor’, 1986

It’s a near certainty that if you are reading this blog you are familiar with the word hacker, a blanket name typically applied to any and all cyber criminals. But what about these terms? Zero-day attack, hacktivist, Stuxnet, spear-phishing, and the Night Dragon. These words and phrases are just a few from the lexicon of a new world of cyber crime, a world of sophisticated threats that put corporations, industries, projects, technology, and information constantly and increasingly at risk.

Speaking of risk, let’s review some potential entry points. If you are reading this blog post on a desktop computer, notebook, netbook, iAnything, tablet, or other internet enabled device, your device is at risk. If your device contains information about your company then that information is at risk. And if your device can connect to your company’s network or intranet, then technically your entire company is at risk.

According to Symantec, web-based attacks increased 93% from 2009 to 2010. Cyber crime is perpetrated by a variety of groups, including disgruntled employees, corporate espionage, terrorism, and government-sponsored organizations. Intellectual property, technology, customer relationship information, and competitive intelligence are all targets of these attacks. But as important as ‘the who?’ and ‘the what?’ is ‘the how?’ As the world becomes more integrated via the internet and “smart” systems, the risk increases dramatically. A connected, digitized world means that whole chunks of the infrastructure are at risk – the power grid, oil and gas pipelines, refinery and chemical plants, and SCADA systems controlling large networks of facilities.

The attacks have grown more sophisticated and complex as well. Rather than simple viruses designed to erase data, corporations are now experiencing progressive assaults in which malware operates silently for months at a time, collecting and sending data on specific operations. Armed with this information, attackers could conceivably decrease productivity, disable, or remotely control specific equipment or software. This threat is of particular note to the projects industry, where increasing connectivity of design and construction management systems bridges the gap between the physical and digital worlds. Imagine an attacker with the ability to control a valve on an offshore oil platform, or the control system of a refinery.

In the past year, several high-profile entities have come under attack. Google, Lockheed Martin, the International Monetary Fund, and the Oil Ministry of Iran were each specifically targeted and infiltrated with varying effects. Shell recently acknowledged that it remains consistently threatened, including attempts to steal technology from its research and development activities, but also to gain control of specific operation systems. In the case of Iran, a virus called ‘Viper’ corrupted all of the data on Oil Ministry computers and shut down key oil export terminals (the US and Israeli governments are the primary suspects for this attack).

How is the corporate world reacting to these threats? According to the leading security companies, such as McAfee and Symantec, we are not ready for attacks of these kinds. A research survey by Carnegie Mellon University’s CyLab found that “boards and senior management still are not exercising appropriate governance over the privacy of their digital assets.” Most companies have already been infiltrated in some form, and unfortunately most companies do not act until a major breach with financial repercussions occurs or a peer company is breached. Establishing best practices for prevention is difficult, however, as the vulnerabilities and threats increase at a faster rate than that of security measures. But one thing is clear – the responsibility for prevention falls to both the corporation and its employees.

So it appears that in 1986, ‘The Mentor’ was correct. The threat of cyber crime has advanced past individual hackers to a place where complicated attacks target both specific systems and enterprise assets. And we can’t stop them all, but as an industry we can work diligently to improve our ability to anticipate, prevent, and mitigate cyber attacks.

For more information on what’s at risk and how to protect it, join us in the Cyber Security…We are Under Attack! forum session at the 44th Annual Engineering and Construction Contracting Conference.