The Vulnerability of Cyber Attacks on the Financial and the Energy Sectors - Thesis Proposal Example

Cyber Attack Introduction All over the world, the IT based industries are facing the threat of cyber attacks and due to present scenario of operation all enterprises have adopted the IT integrated processes in their business operations. The IT based technology has become the backbone of every business enterprise and thus they became more exposed to the cyber attacks. Due to the increasing rate of cyber crime all over the world, the Governments of every country are feeling the threat of cyber attack. The loss and misuse of important confidential data is the major concern for the Governments and they are constantly feeling the threat of cyber attack from the different terrorist cells. We focus our discussion on the vulnerability of these cyber attacks on the financial and the energy sectors. In that context, a Russian official once commented in an interview that if there is any attack on the national targets like the transportation or the electricity distribution then that will have a much more bitter consequence than the use of weapon on mass destruction. (Tenet, 1998) In 1996, in a military publication a Chinese General commented on three vulnerable ways of cyber attacks on their enemies. According to him, they can disrupt the command centers of their enemies by changing the data systems, they can force the enemies to make misjudgments by sending disinformation and they can even dominate the banking system and entire social order by performing cyber attacks on their enemies.(Serabian, 2000) The main way of attack in the cyber attack is through E-mails, as it is the most common mode of communication in present world. The spam attack is the most common way of cyber attack through E-mails. These types of attacks are mainly done to disrupt the proceedings of large enterprises and Governmental departments. The global connectivity of the corporate and the susceptibility of the network infrastructure are the major source of attraction of the cyber crimes. The management authorities of many companies lack the potential of determining the exact cyber risk to which the company is exposed and hence, fall under the trap of cyber attack. The companies and the governmental departments are assembling legal firewalls and latest anti-virus programs to reduce the chances of cyber attacks but they are still not fully protected. The higher officials of different organizations are constantly working on increasing their knowledge on cyber laws and the attacks, so that they can take proper initiatives in controlling the attacks. They can not afford to risk their security of operational and financial proceedings on the hands of cyber predators. (Carafano, 2009; Leggiere, 2009; CDWG, 2009, pp. 5-10; McCarter, 2009) In the recent years, all companies despite their sizes has started to control their operational proceedings with the help of internet and various computer programs making the companies more exposed to the cyber world. We focus our discussion mainly on the financial sector and the energy sector and how they are exposed to the risks of the cyber attacks. The financial sector of any country is the support system for their steady economic growth and is very important for transaction within or outside the economy. The financial sector in an economy comprises of the central bank, commercial banks, financial institutions, etc. and they all conduct their business operations through the internet and hence, get globally exposed to the cyber attacks. Their dependence on IT based technology and over exposure to cyber world needs very strict security measures to get protected from cyber attacks. As their operations are mainly internet oriented hence, a cyber attack can cause heavy damage to the financial sector and eventually destroy the progress in the economy. Hence, there is lot of concern shown from the Government and the management authorities on the security structure of the financial sector in every economy to stay protected from cyber attacks. In case of energy sector, the operations do not have extensive use of cyber world like that of the financial sectors but still some major areas of energy sector operate through internet. Like the Electric authority has shown the cause of concern of extensive use of software and information technology. Hence, it is quite clear that both the sectors will be heavily affected by the cyber attacks. (Decay, 2004, pp.10-18; Larence & Powner, 2007, pp.14-25) We further illustrate our discussion on cyber attack and see what effect it lay on the financial and energy sector and how the consequences can be dealt. Literature Review In association with the cyber attacks, there are already some researches that had been commenced. We gather some specific information from them and incorporate in our research to get the end results. We use the informations from the researches of Heritage Foundation, Rand Corporation, Hoover institution at Stanford University and the Government Accountability Offices. We also use the informations from the Energy Departments, Federal Reserve, Homeland Security, Federal Bureau of Investigation, cyber crime report of Symantec and the National Terror Alert Response Center. From these sources we use the information of cyber attacks in recent past and the consequences of those attacks. We also gather information on the impact of these attacks on the economy with respect to the sectors under discussion. We extend our research to understand the effect of cyber attacks on the corporate professionals like the CEOs and the Managing Directors and how they deal with it. To understand the security techniques against such kind of attacks, we use the journals from the Homeland Security Affairs, Washington Quarterly, International Security, Journal of Conflict Resolution, the Counter Terrorist Magazine and journals on Emergency Management. We also use reports of Financial and Banking Infrastructure Information Committee (FBIIC), Department of Homeland Security (DHS), Financial Services Sector Coordinating Council (FSSCC) and the Institute for Security Technology Studies (ISTC) for our further analysis of the subject. We came to know the fact from these reports that there has been an attempt going on all over the world to mend a full proof security system which could provide the necessary protection from every cyber attack. In the previous researches the focus in mainly on the impacts of cyber attacks on the various sectors and their security systems, but we use our research to find the impact of the cyber attack on the CEOs and the Management authorities of various sectors, especially the financial and energy sectors. Financial sector and its vulnerability to cyber attacks The financial sector is highly vulnerable to the cyber attacks as this sector is hugely dependent on the IT based technologies for their business operations. The financial sector is considered as the backbone of the economy and thus, the risk is higher for this sector as it serves as the prime target of the cyber attacks. The financial sector is closely related to the operations of other sectors. Hence, if there is any attack on the financial sector then that will surely effect the operations of other related sector and will provide direct threat to the progress of the economy. The financial system is mainly comprised of the banking system and that provides funding source to all individuals and business organization. Hence, the cyber attack on banking sector will lead to the failure of banks in proper funding to the business organization which will result in halt of operation and productivity in the business organization. The seriousness of this matter made the management officials of the banks and other financial institutions to regularly scrutinize the security systems and immediately rectify the faults if found. The financial market also comprises the stock market which is very sensitive to any incident and directly results in the price fluctuations. The result of increase or decrease in share price directly or indirectly affects every individual living in the economy. The modern terrorist activities are quite related to the cyber attacks and are trying to hamper the economic growth of the developed countries. (Hender & Henry, 2007, pp. 30-35) There are lots of recent reports on cyber attacks where the domain name addresses had been stolen disrupting the regular business activities. There are also cases when the domain name addresses had been stolen and in return the criminals had demanded extortion money. There are several financial institutions in Europe who are under the threat of cyber attacks by groups of cyber criminals, who needs extortion amounts to let them free from the attack. The loss of important and confidential business data owing to the cyber attack has become regular news item in recent years. The banks are also facing troubles in providing security to their customers in case of cyber attacks as there are professional hackers who are unlocking the security system and transferring from bank accounts. (BNAC, 2007, pp.4-11; Cyber Security Program, 2008, pp. 2-7) Energy sector and its vulnerability to cyber attacks In the energy sector they use the system of smart grids and due to that this sector is exposed to the risk of cyber attack. The electric energy sector has shown concern over the matter and focusing on the protection of the sector against the cyber attacks because of its extensive use of IT based technologies and software in operations. To act in accordance with the American Recovery and Reinvestment Act 2009, the system of smart grids is incorporated in the operations in energy sectors like, electricity generations to get better service output. The information technology and other software services provide support to the smart grid systems to increase the reliability and efficiency in generating electricity and distributing it at large scale. The smart grid system had improved the efficiency factor of operation in energy sector and also helped in reducing the unnecessary loss of energy. The smart grid system has enabled the energy sector to increase the security of the sector against the cyber attacks and also helped in reducing the risk of operational failure. Although, the smart grid systems provide security against the usual low profile cyber attacks but with the new innovative techniques of cyber attack, this system also became vulnerable with the passage of time. (Hoffman, 2009, pp. 1-5; Gorman, 2009; Security Industry, 2009) In the recent past, there are two more systems has been incorporated in the energy sector to measure the force of the cyber attacks and also as an implication tool after the attack to rectify the flaws. These systems are the modeling and simulation system which are providing some assistance at present to combat the cyber attacks on energy sectors. The energy sector like the financial sector is also correlated to other sectors like the industrial sector, telecom sector and even with the financial sector. This is because every sector for their operations requires the use of energy and hence, eventually gets connected to the energy sector. Thus, cyber attack on energy sector will have direct and indirect effect on all sectors under the economy. In this respect we can say that the financial sector and the energy sector are interrelated. The cyber attack on energy sector will result in the break down of the distribution system and as a consequence of the attack every sector will incur huge losses in production. The major concern in this case is that, due to the power failure the national security system will get affected and might break down. (NSTB, 2008, pp. 21-26; Kaplan, 2008; Wilson, 2003, pp. 8-13) Tentative solutions In case of financial sectors, there should be proper steps of security taken by the Managing officials to protect their corporate from cyber attacks. For that, proper electronic security is essential some security measures should be implemented. Like, the legal authorities like the Federal Reserves, OCC, SEC, etc should built a proper legal framework by regulating issues on these types of cyber crimes and create a protective atmosphere against the cyber attacks. Then, the electronic security system should be implemented in case of payments and other transactions, so that there is no attack on the transaction systems. May be the secured network and use of 128 bits of encryption will be more effective to avoid the attackers. The Managerial bodies can also secure the corporate sectors by insuring the physical assets which would reduce both financial and operational risk factors and the responsibility of loss will be incurred on the insurance company in case of cyber attack. To implement these measures the companies should be given some power by the regulatory bodies and they should have close look on the usage of those powers. In case of financial transactions, there are numerous participatory bodies and hence, maintaining a certification system in transaction and verifying every participant can be a very good step to control the risk of cyber attack. In the financial sector to get proper security against the cyber attacks, the accuracy of information and its distribution system should be enhanced. The threat of cyber attacks can be minimized if proper awareness program is implemented so that, every individual gets aware of the happenings and can gain the knowledge of how to deal with the cyber crimes. (Olson, 2003, 2004; Symantec Report, September09, pp. 16-17) In case of Energy sectors, the risk identification of the controlling systems were done by the vendors and to improve the relation between various departments of energy sector, the security in the communication system of the control systems and the field devices should be increased. The security systems of the Energy sectors can be easily assessed by the operators of the energy sectors using assigned tools and methods and with proper training program they can also detect the cyber attacks and prevent them from penetrating the security systems. There are already some measures taken in this aspect in US, the Department of Homeland Security and Natural Resources-Canada is using the security control system’s map to show the operators of the Energy sectors like, oil, gas and electricity, how the systems operate. There also different national labs who are trying very hard to develop a modern efficient system to enhance the security of the Energy and other sectors. They are trying to build an effective firewall to prevent the cyber attacks and leakage of confidential information. Sandia National Laboratories has developed the ANTFARM (Advanced Network Toolkit for Assessments and Remote Mapping) that helps in the proper visualization the network of the control systems. There is a huge amount of money being sanctioned under the American Recovery and Reinvestment Act 2009, to fight the cyber attacks on Energy sectors for modernization of the grid system. (Hoffman, 2009, pp. 1-5; Mohajerani, Farzan,Jafari,Lu,Wei,Kalenchits, Boyer& Muller, n.d,pp.1-3 ) In this context, it is a known fact that the coordinate systems of the Internet used to work under private effort and the functions of security and operations are also handled by them. However, there is no single group who is handed the complete security management of Internet, the Internet Corporation for Assigned Names and Numbers (ICANN) along with several committees and Internet Engineering Task Force (IETF) gives the necessary advices on the security aspects of Internet. The Managing Directors or the CEOs cannot hand over their responsibilities to the international bodies or the Government hence; they had to handle the risk management aspects in order to prevent the cyber attacks. For that, they should lift up their security systems to build a firewall against the cyber attacks. (BNAC, 2007, pp.4-11) Methodology We perform both qualitative as well as quantitative research based on both primary and secondary forms of research. In this case, our primary research will be based on the sampling methods, where we interview 50 high officials, including CEOs and Managing Directors about their experiences of cyber attacks and the consequences they faced after the attacks. To analyze the impact of cyber attack on the corporate sectors like the financial sector and the energy sector to see the vulnerability aspect and to recommend some effective measures, we shall incorporate the feedbacks of our research and use modeling and simulation techniques for further analysis. In such processes of simulation and modeling, a system is considered to have an entity and it exists by interacting with its various parts. For better understanding of the system it is simplified and represented in form of a model and the model is justified as good or bad according to its understandability. As stated, all models are thus simplified forms of systems and they are accepted according to the extent of details that are incorporated in the models. If there is very little details incorporated then, a model lacks its effectiveness and can miss relevant interactions. This type of model then become very irrelevant in promoting the actual concept of the system and hence is not acceptable. Similarly, a model also becomes irrelevant and unacceptable if it has incorporated huge amount of detailing. A model with huge amount of detailing becomes very complicated and hard to understand and hence, not accepted. So, the technique of modeling requires the proper balance of detailing so that it can represent the system in the simplest form to understand. Now, to incorporate a model on the present issue of discussion and perform the required analysis we have use the process of simulation. The process of simulation is the computerized edition of the same model and it helps to understand the implications of different interactions over certain time period. In the process of simulation, the development is iterative. After developing a specific model to study the interactions, it is been simulated and then implemented to get the desired results by understanding the interactions. Modeling and Simulation can be viewed as a form or art or a discipline by which a study can be conducted. The theoretical study and its practical application are two different things and both are complementary to each other. One can learn the art of riding a bicycle from a book but to ride a bicycle he had to engage himself with bicycle. Similarly, it is easy to learn about modeling and simulation from a book but to develop the technique of modeling and simulation needs skill and talent. It’s a process in which one understands the aspects as they work on the subject. We shall develop the required models as we proceed on the research issue and examine the topic of discussion. (Friedman, 2008; Freeman, Dynes & Golodner, 2005, pp. 2-7) In this context, the best solution is the process of encryption which can identify the information leaks by the clear text communication. However, implementation of the process of encryption is not always possible in control system networks. The process of encryption is not viable or applicable in case of troubleshooting or traffic monitoring and it is not always practical in certain sectoral environments. In case of providing protection to the control systems from cyber attacks, the processes of communication which are unsecured can be secured by using secure shells. Confidential and important file transfer and remote login protocols like, FTP, Telnet, rlogin, etc can be channelized through the secure shells in order to protect them from hacking. In case of communication and data transfer, the Secure Socket Layer (HTTPS) can be used instead of Hypertext Transfer Protocol (HTTP). In case of operations in financial and energy sectors the credentials of the users should be kept secret to stay protected from cyber attacks. When there is any communication with such credentials in text form then they are cracked by the hackers and the passwords are revealed to them. In this way, they become powerful and perform cyber attacks. (NSTB, 2008, pp. 26-28; Carafano, 2009; Symantec Report, 2009, pp. 4-5) Conclusion To combat the menace of cyber attacks only usage of security software is not the solution but the corporate should focus on building proper control system to protect the user credentials from the attackers. Phishing is a common process of hacking the confidential data from credit cards, user ids and their passwords and other social security numbers. In this kind of process, a duplicate website is created and then the inflow of data is redirected towards the duplicate site and then all the personal information and financial data are in the hands of cyber criminals. Hence, in case of financial and energy sectors, who are in charge of handling the operations should know the methods of handling such risks. The risk managers should properly analyze the threats and identify the leakages in the security systems which are providing spaces for the cyber attacks. These types of measures enable the companies to reduce the effect of these cyber attacks. Their should be immense responsibility given on the shoulders of the higher officials of the companies to primarily focus on this issue before it gets out of control. To reduce the vulnerability and increase the strength and effectiveness of the security systems, the companies should perform security audits in regular time interval. For this type of auditing, the third party audit system is preferable. (BNAC, 2007, pp.4-11) To mitigate the risks of these types of cyber attacks the higher officials of the companies should focus on the proper training of the operational personnel and reviewing the daily progress of mitigating threats. They should also implement training programs for the new technologies that are innovated day to day, so that their operational personnel are updated. The rate of cyber attacks are increasing on daily basis and hence, proper set up must be created by the companies to stay protected from the attacks. It is tough but still the companies should take proper steps to quantify and measure the consequence of such attacks. ( Moscaritolo , 2009) Proposed Thesis Outline In this proposed thesis, the analysis will be based on the strengths and weakness of the financial and energy sector with respect to their exposure to the cyber world. The analysis will help to find a proper solution to fight the menace and provide a policy framework to the officials of financial and energy sectors to protect the companies from cyber attacks. The aim of this research is to measure the vulnerability and risk factors that the financial and energy sector might face and how should they respond to the cyber attack. For that we shall use the modeling and simulation techniques to overview the situational aspects of cyber attacks at present and provide suitable measures for the Financial and Energy sectors to prevent and combat the cyber attacks. References 1. Decay, R, F, (2004) Information Security Agencies Face Challenges in Implementing Effective Software Patch Management Processes. United States General Accounting Office. Available at: http://www.gao.gov/new.items/d04816t.pdf (accessed on January 29, 2010) 2. Hender,G & Henry, E, W (2007) Banking and Finance Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan. Homeland Security and Department of Treasury. Available at: http://www.dhs.gov/xlibrary/assets/nipp-ssp-banking.pdf (accessed on January 29, 2010) 3. Hoffman, P (2009), For Electricity Delivery and Energy Reliability, US Department of Energy. Available at: http://www.congressional.energy.gov/documents/5-7-09_Final_Testimony_(Hoffman).pdf (accessed on January 29, 2010) 4. NSTB(2008), Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program, U.S. Department of Energy Office of Electricity Delivery and Energy Reliability. Available at: http://www.oe.energy.gov/DocumentsandMedia/31-2008_INL_Common_Vulnerabilities_Report.pdf (accessed on January 29, 2010) 5. Kaplan, D (2008), Attack code released for SCADA software vulnerability, SC Magazine. Available at: http://www.scmagazineus.com/attack-code-released-for-scada-software-vulnerability/article/116387/ (accessed on January 29, 2010) 6. Carafano, J, J (2009), Carafano: Oh Canada! Quelling cybersecurity threats, The Washington Times, LLC. Available at: http://www.washingtontimes.com/news/2009/dec/10/oh-canada-quelling-cybersecurity-threats/ (accessed on January 29, 2010) 7. BNAC, (2007) Cyber attack: A risk management primer for CEOs and Directors. The Atlantic Council of the United States British-North American Research Association, UK. Available at: http://www.acus.org/docs/071212_Cyber_Attack_Report.pdf (accessed on January 29, 2010) 8. Friedman , G, H, (2008) Audit Report on "The Departments Cyber Security Incident Management Program, U.S. Department of Energy Office of Inspector General Office of Audit Services. Available at: http://www.ig.energy.gov/images/IG-0787.pdf (accessed on January 29, 2010) 9. Olson, M, W, (2003) Oversight and Investigations of the Committee on Financial Services, U.S. House of Representatives, The Federal Reserve Board. Available at: http://www.federalreserve.gov/boarddocs/testimony/2003/20031020/default.htm (accessed on January 29, 2010) 10. Olson, M, W, (2004) Protecting the financial infrastructure, The Federal Reserve Board. Available at: http://www.federalreserve.gov/boarddocs/testimony/2004/20040908/default.htm (accessed on January 29, 2010) 11. Moscaritolo, A, (2009) Serious vulnerability in SSL discovered , SC Magazine, Available at: http://www.scmagazineus.com/serious-vulnerability-in-ssl-discovered/article/157173/ (accessed on January 29, 2010) 12. Gorman, S, (2009), Electricity Grid in U.S. Penetrated By Spies, The Wall Street Journal. Available at: http://online.wsj.com/article/SB123914805204099085.html (accessed on January 29, 2010) 13. Security Industry, (2009) Smart grids may be prone to cyberattacks, UPI.COM. Available at: http://www.upi.com/Business_News/Security-Industry/2009/12/08/Smart-grids-may-be-prone-to-cyberattacks/UPI-30271260314731/ (accessed on January 29, 2010) 14. McCarter, M, (2009) 5-Year-Old Cybersecurity Plans Inadequate, Homeland Security Today. Available at: http://www.hstoday.us/index2.php?option=com_content&do_pdf=1&id=11101 (accessed on January 29, 2010) 15. Leggiere, P, (2009). Government IT Vulnerabilities Persist, Homeland Security Today. Available at: http://www.hstoday.us/index2.php?option=com_content&do_pdf=1&id=11087 (accessed on January 29, 2010) 16. Larence, E,R & Powner, D, A (2007) CRITICAL INFRASTRUCTURE Challenges Remain in Protecting Key Sectors, United States Government Accountability Office . Available at: http://www.gao.gov/new.items/d07626t.pdf (accessed on January 29, 2010) 17. CDWG, (2009) Federal Cybersecurity Report: Danger on the Front Lines, CDW Government, Inc. Available at: http://webobjects.cdw.com/webobjects/media/pdf/Newsroom/2009-CDWG-Federal-Cybersecurity-Report-1109.pdf (accessed on January 29, 2010) 18. Mohajerani, Z, Farzan, F,Jafari, M, Lu, Y, Wei, D, Kalenchits, N, Boyer, B, & Muller, M. (n.d) Cyber-related Risk Assessment and Critical Asset Identification within The Power Grid, Industrial Engineering Department Rutgers University Piscataway, NJ, USA, Automation and Control Department SIEMENS Corporate Research, Inc Princeton, NJ, USA, Mechanical Engineering Department Rutgers University Piscataway, NJ, USA . Available at: http://cimic.rutgers.edu/positionPapers/CPS_SCR_AC_2_IEEE.pdf (accessed on January 29, 2010) 19. Wilson, C (2003), Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress , CRS Report for Congress. Available at: http://www.fas.org/irp/crs/RL32114.pdf (accessed on January 29, 2010) 20. Freeman,M , Dynes,S & Golodner, A (2005) The Known Unknowns of Cyber Security and Cyber Terrorism, Available at: http://www.ists.dartmouth.edu/library/119.pdf (accessed on January 29, 2010) 21. Cyber Security Program (2008), Anti-Phishing AwarenessPhishing AwarenessBrown Bag PresentationBrown Bag Presentation, Department of EnergyDepartment of Energy,US. Available at: http://www.cio.energy.gov/images/OCIO_Phishing_Presentation.pdf (accessed on January 29, 2010) 22. Symantec Report (2009, June), Symantec Report on Rogue Security Software, White Paper: Symantec Enterprise Security. Available at: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-symc_report_on_rogue_security_software_WP_20100385.en-us.pdf (accessed on January 29, 2010) 23. Symantec Report (2009, September) Symantec Intelligence Quarterly, Symantec Intelligence Quarterly. Available at: http://eval.symantec.com/mktginfo/enterprise/other_resources/b-symc_intelligence_quarterly_july-sept_2009_20666025.en-us.pdf (accessed on January 29, 2010) 24. Fossi, M & Johnson,E (2009, April) Symantec Global Internet Security Threat Report, White Paper: Symantec Enterprise Security. Available at: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf (accessed on January 29, 2010) 25. Serabian, J.A (2000, February), Cyber Threats and the US Economy, Central Intelligence Agency (CIA). Available at: https://www.cia.gov/news-information/speeches-testimony/2000/cyberthreats_022300.html (accessed on February 1, 2010) 26. Tenet, G. (1998) DCI Before the Senate Select Comittee on Government Affairs, CIA, available at: https://www.cia.gov/news-information/speeches-testimony/1998/dci_testimony_062498.html (accessed on February 4, 2010) Read More