Vulnerabilities in the Energy and Financial Sector - Research Paper Example


Extract of sample "Vulnerabilities in the Energy and Financial Sector"

The U.S. is under thousands of cyber attacks daily from Russia, China and non-affiliated hackers (Mann, 2010). A cyber attack could be the next “Pearl Harbor” that the country experiences. If cyber attacks are targeted at the country’s grid, they could literally cripple the country, because the focus of the cyber criminals is on critical infrastructure such as energy, pharmaceutical and government assets rather than on organizations (ScanSafe, 2009). ScanSafe, the pioneer and leading provider of SaaS Web Security, found that organizations that have the most valuable intelligent data encounter web malware more frequently than other verticals. The verticals most at risk are the Energy & Oil sector, with a 356% greater rate of direct encounters with data theft Trojans, and the Banking & Finance sector, with a 204% greater rate. The intention of the criminals is not just to steal credit card data or commit identity theft. They want to cast a much wider net, which has resulted in an average enterprise experiencing 19 malware encounters per day by the end of 2009 against 8 malware encounters per day at the start of the year.

Sophisticated malware threats like Stuxnet have raised concerns about whether the power grid can withstand targeted cyberattacks (Vijayan, 2010). Stuxnet can steal industrial data from supervisory control. Hackers can actually create codes through Stuxnet and then take over the critical systems (Baldor, 2010). This software program can exploit vulnerabilities in the SCADA system, the system which controls the critical equipment at power companies. Trojans, another kind of malware, can also sabotage the SCADA system just as Stuxnet does. The SmartGrid is vulnerable to multiple common attack techniques, and leaving it unsecured can lead to heavy damages. It is possible to create a worm that gives the attacker full control of the exposed devices (IOActive, 2009). Meters can become non-functional and the customers can be disconnected.
This not only damages the reputation of the utility; recovery is also time-consuming and costly. While the security holes enable criminals to redirect power delivery and steal data, they occur because of a failure to install software security or because of poor password management (Gorman, 2010). Siemens AG, the German engineering firm, had detected an attack targeting critical infrastructure, which includes the electric grids, subways and air-traffic control. The security gaps include "well-known unsecure coding practices" and permit an excessive number of portals of access into the networks. The vulnerability increases due to poor coding, and bugs in the code also make it fragile and unstable. Moreover, Siemens had advised its customers not to change the preset passwords, as passwords are the weakest links. Another security gap was the lack of sufficient encryption for communication lines used by the computer networks. In addition, the databases that archive information could be easily accessed. What is worth noting is that these security gaps have been known in security circles for years.

In the financial sector, cyber attacks against individual online accounts have become so pervasive that the American Bankers Association (ABA) is seeking consumer partnership to control them (Acohido, 2010). Computer crooks have been accessing online bank accounts across towns, cities, counties and municipalities in America (Mann, 2010). They have recently stolen $100,000 from Summit, a small town of 10,000 outside Chicago, and an equal amount from the New Jersey township of Egg Harbor, to cite a few instances. In 2003, the country had been warned of an attack on the global financial system (Butters, 2003). The Director of the Program on Terrorism and Trans-National Crime had warned that attacks would focus on key nodes in the U.S. financial infrastructure: Fedwire (the financial funds transfer system that exchanges money among U.S. banks) and Fednet (the electronic network that handles the transactions). It is very easy to locate the backups of the system, and the entire global economy can come to a halt if CHIPS and SWIFT were included.

In 2009, the number of banking Trojans, malicious software programs meant to pilfer bank accounts, rose to over 65,000, while it was just a little over 4,000 at the start of the year (Acohido, 2010). The threat level also went up in 2009 (2.58) from 2007 (1.84). Studies have shown that more than 35% of Trojan attacks in 2005 were targeted at the financial and banking sector (FBI, 2006). Financial institutions that issue debit and credit cards are the biggest cyber targets. The criminals first learn the banking platform; their mode of operation is to collect data through the browsers. They purchase the consumer data and the login data and then access the credit lines while also making note of the high cash balances (Acohido, 2010). Through the web browser they are able to obtain the coding security holes, as the browsers do not support secure financial transactions. The banking Trojans are so tailored by these criminals that they inject software code into the browsers, thereby enabling the attacker to take control of the online accounts. They can even alter the balances visible to the accountholder and quietly make stealthy transactions. The online banking system is a generation behind the techniques employed by the cyber criminals.

Another technique used by the criminals to gather data is phishing. Avalanche, a criminal entity, was responsible for 66% of all phishing attacks launched in the second half of 2009. It targeted more than 40 major financial institutions, online services and job search providers. This malware has been specially designed to automate identity theft and facilitate unauthorized transactions from customer accounts (Aaron & Rasmussen, 2010).
Avalanche was first detected in 2008, but since the end of 2009 its activities have significantly reduced. A typical Avalanche phishing lure email is shown in Figure 4.1.

Figure 4.1 (Source: Aaron & Rasmussen, 2010)

Such lures are sent to potential victims offering popular software upgrades, file sharing services, and downloadable forms from tax authorities. The moment the customer gives in and accesses such mail, all the information is immediately passed on to the criminals. They then intercept the password and access online bank accounts. The criminals can even log on to the bank accounts through the victim’s machine, which makes it difficult for the bank to detect the activity as fraud. This combination of phishing and malware can be disastrous, but since phishing is concentrated in certain internet namespaces, it offers opportunities for mitigation.

Symantec has discovered a phishing site spoofing a credit union which provides financial services to members of the Army, Marine Corps, Navy and Air Force and their family members (Tuutti, 2010). The phishing site prompts customers to fill in a form to log in, claiming that the login has been locked due to several failed login attempts. In the process the criminals collect all personal details such as Social Security number, credit card details, date of birth, mother’s maiden name, and details of the account’s joint owner. As soon as the information is typed in, the customer is directed to the legitimate site. Another mode of operation is to inform the customer that the bank’s site is experiencing technical difficulties and that the customer should try later (Krebonsecurity, 2010). In the meantime, the crooks collect all personal data and transfer funds through wire transfer or in batches to individuals across the country.
When transfer of tax revenue was attempted in the Village of Summit, the Bridgeview bank could detect the fraudulent wire transfer and stop it, but the rest of it, sent in batches (through the Automated Clearing House), had already been transferred. Thus, with multiple techniques used by the criminals, the economic impact of cyber crime can have far-reaching consequences.

Economical impact of cyber attack

The economic impact of cyber attacks is felt by the private and the public sector alike. The macroeconomic costs can only be speculative, as there are no standard methodologies to measure the costs and the probabilities of cyber attacks. The impact is felt by the target firms in their stock prices, in addition to the costs incurred in developing security measures and in restoring services. Overall, it is very difficult to measure and quantify the economic impact of a cyber attack (Cashell, Jackson, Jickling & Webel, 2004). Costs may be intangible and may contain innumerable contingencies.

A cyber attack could be more than a weapon of mass nuisance. It can lead to massive economic harm and has cost the nation $3 billion in damages following the September 11, 2001 attacks (McGavran, 2009). President Obama has admitted that the nation’s economic prosperity in the 21st century would depend upon cyber security (Jensen, 2010). In 2008 alone, the U.S. lost approximately $1 trillion through cyber attacks. The cost of downtime from major attacks to critical infrastructure exceeds $6 million per day. A survey of 170 US banks in 2009 revealed that big banks have to incur losses stemming from cyber attacks on consumer accounts (Acohido, 2010). The First Annual Cost of Cyber Crime Study found that cyber crimes have cost each of the 45 U.S. organizations under study $3.8 million per year on average due to Web attacks, malicious code and rogue insiders (Messmer, 2010). While some may have spent $1 million per year, others have spent as much as $52 million per year.
This does not include the investment in software but only the direct cost of coping with cyber attacks. It takes about 14 days on average to respond to a successful cyberattack. The study also found that malicious insider attacks can take up to 42 days or more to resolve. The cost to an organization could be as much as $17,696 per day. These findings are based on a study of 45 organizations, and the overall impact on the economy could be much higher. The expenses are much higher in the energy, financial and defense sectors than in the retail, services and education sectors.

In the manufacturing sector, production changes occur due to internet outage. This impacts order fulfillment, as orders are electronically received and fulfilled (Dynes, Andrijcic & Johnson, 2006). The cyber event at oil refineries, however, is not an internet outage event but a SCADA event. Dynes, Andrijcic and Johnson (2006) conducted a field study at an oil refinery and found that production dips suddenly as an impact of the SCADA safety system, as shown in Figure 7.1.

Figure 7.1 (Source: Dynes, Andrijcic & Johnson, 2006)

The oil refinery runs at a reduced rate for about a day and then moves on to a warm shutdown state from which it can quickly restart. The 3-day SCADA event results in a total economic loss of $96.79 million. The authors further state that if the unit is shut down for 10 days, the total loss would amount to $405 million. Figure 8.1 shows the estimates of the daily losses to the Gulf regional economy of a 10-day SCADA event at an oil refinery. The refiner under this study represents approximately 10% of the total sector capacity nationwide. The direct losses are the economic losses to the firm. The indirect losses include the resultant loss due to reduced demand from suppliers and reduced sales by customers, amounting to an integrated loss of $405 million.

Figure 8.1 (Source: Dynes, Andrijcic & Johnson, 2006)

Cyber attacks stretch beyond the commercial world and are often politically motivated. These politically motivated attacks are becoming more frequent and sustained (Jensen, 2010). The U.S. government computers and network are constantly under probe, and the Department of Defense (DOD) has been granted funds to hire up to one thousand cyber security experts, as it is estimated that more than 100 foreign intelligence organizations are trying to break into the U.S. systems, according to Jensen.

Security measures to protect against the vulnerabilities can be expensive. The Homeland Security has deployed teams of experts across the country. They have a budget of $15 million for the next year, as each team is armed with equipment and tools to download and analyze the problem malware (Baldor, 2010). Regular assessments, investigations and corrections of cyber incidents can be very costly for the nation.

The economic costs determined by the organizations do not include the social costs associated with cyber crimes. These include the litigation expenses and the lost hours to redeem one’s name or credit information (Glaessner, Kellermann & McNevin, 2002). The financial service providers also incur losses due to denial-of-service attacks. Denial of service can cost a credit card authorization company $2.6 million an hour. The potential loss per hour from a denial-of-service attack is shown in Table Chart 9.1.

Table Chart 9.1 (Source: Glaessner, Kellermann & McNevin, 2002)

In addition, the cyber risks are not included in traditional business insurance coverage. While this enhanced the business opportunity for the insurance companies, the total premium of such policies in 2002 was estimated between $60 million and $120 million (Cashell, Jackson, Jickling & Webel, 2004). This becomes a disincentive for firms to measure their risks from cyber attacks; they may also be reluctant to share information about cyber attacks.
Cyber attacks also make a direct contribution to the production of goods and services. The effect on computers and their network could have a much larger impact, as the electric supply could be disrupted, banks might be unable to transfer funds, and e-payments for goods and services may be affected. Due to the lack of data on the frequency and severity of attacks, it is difficult to truly ascertain the economic impact of attacks. Thus, any estimate of the potential economic impact of a cyber attack can only be speculative.

Mitigation of cyber attacks from the financial and energy sector

Even though it is difficult to ascertain the economic impact, efforts need to be made to mitigate the attacks. Cyber threats to the critical infrastructure are growing and they come from a variety of sources. The attackers have numerous techniques that can enhance the impact of their actions. GAO identifies significant deficiencies in the security control system (Wilshusen, 2010). Federal security can be improved and the key cyber security areas as identified by GAO are:

In the U.S. power grid, many components are manufactured overseas and North America does not have the manufacturing capability. The electric utilities have hardly taken any steps to secure their power plants and substations. NERC plans to identify the mitigation steps, and the first step is to acknowledge that it is not possible to protect the system from coordinated attacks (Messmer, 2010a). The high-voltage transmission lines run across miles, and preventive measures would require that the system operators be able to recognize an attack and take immediate corrective steps. The standards are weak and require greater regulation, without which the power grid could be down for months. One of the methods suggested was to appoint a security manager in power plant environments who could liaise with the government to communicate on serious security issues. Vendor support is essential to mitigate the cyber attacks.
The ICS software has not been designed for security. The most important factor is to improve the security of the ICSs (Industrial Control Systems) used in the critical energy infrastructure installations throughout the United States. Mitigation strategy should not be chosen from a list of vulnerability reduction strategies or from a list of possible mitigations (INL, 2010). In the critical infrastructure, as many mitigation techniques should be employed as reasonably possible. If a number of security measures are implemented, the probability of an attack circumventing the security defenses is reduced. The higher the number of security measures, the higher the chances that the gaps are filled.

There are operational and risk differences between ICS and IT systems. This creates the need for increased sophistication in cyber security, which requires forming a cross-functional team of control engineers, ICS operators, and IT security professionals who must work closely together. The security threats to the ICS in the energy infrastructure can be mitigated by patch management, by eliminating unnecessary and unsafe services, and by implementing strong authentication and integrity checks. In addition, applications that accept network traffic should be secured.

Organizations and ICS vendors need to create a culture of cyber security (INL, 2010). The developers should be trained in secure coding. This will lead to fewer security patches and quicker patch response time, thereby generating greater customer confidence and loyalty. Security patches should be immediately provided to the affected customers by the ICS vendors. The known vulnerabilities and weaknesses in the system should be identified, and continuous monitoring can help the system administrators to catch and block attempts before damage takes place. Firewalls, IDS, and antivirus solutions should be configured at all possible locations.
Poor password management has been cited as one of the reasons for the cyber attacks. Default passwords provide easy access to the equipment that controls the process. Passwords should not be auto-generated but created from passphrases or other memorable means (INL, 2010). GAO suggests key strategy improvements as identified by cybersecurity experts:

(Source: Wilshusen, 2010)

Banks have to move away from technologies that rely on common web browsers. Handheld optical readers can be used to take a picture of a visual cryptogram to authorize any cash transfers (Acohido, 2010). Banks are also asking personal questions, which are expected to get tougher, whose answers would not be known to cyber criminals. These questions are derived from data collected by the Big Three credit bureaus (Experian, Equifax and TransUnion) and by the data aggregators LexisNexis and Axiom. The consumers too have to participate by updating their latest contact details and following bank instructions. The cyber criminals are not interested in the people engaged in online shopping but in the databases. Hence, consumers should be extremely cautious and keep regular checks on their bank statements and credit reports (FBI, 2006).

The Financial Services Information Sharing and Analysis Center (FS-ISAC) organizes CAPP (Cyber Attack against Payment Processes) with the aim of helping respond to attacks against the financial services sector. The CAPP found that about 85% of banks and financial institutions are able to recognize the attack on the first day itself (ISAC, 2010). By the second day, 95% of the banking and financial institutions realize that their consumers and business customers have become victims. To prevent future phishing and account takeover attacks, the financial institutions (FIs) suggest multi-factor authentication, transaction and daily limits, and dual control.
The FIs and the business/government authorities also recommend Qualified Security Assessor (QSA) audits of third-party processors that maintain checking account data. Overall, to mitigate risks and attacks in the financial sector, employees and customers have to be educated on the risks and on computer best practices. Internal relationships should be promoted along with information sharing. A dedicated computer should be installed for online banking and initiating payments. Best practices in information security technologies that can detect and predict fraud should be implemented. Institutions should have the ability to react promptly and to implement and test a mitigation plan. Banks and other FIs should also work towards the development of long-term infrastructure solutions. Continuous monitoring and assessment of the IT software and hardware supply chain is essential. The FIs should also partner with law enforcement and be alert to understand, prepare and react. Most importantly, organizations should have a culture of cyber security and implement as many mitigation strategies as possible.

References:

Aaron, G., & Rasmussen, R. (2010). Global Phishing Survey: Trends and Domain Name Use 2H2009. An APWG Industry Advisory. Retrieved from: http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf

Acohido, B. (2010). Banks Urge Customers To Help Stop Cyberattacks. Retrieved from: http://www.enterprise-security-today.com/story.xhtml?story_id=74578&page=1

Baldor, L.C. (2010). New Threat: Hackers Look to Take Over Power Plants. Retrieved from: http://abcnews.go.com/Business/wireStory?id=11316203

Butters, G. (October 10, 2003). Expect terrorist attacks on Global Financial System. Retrieved from: http://www.theregister.co.uk/content/55/33269.html

Cashell, B., Jackson, W.D., Jickling, M., & Webel, B. (2004). The Economic Impact of Cyber-Attacks. CRS Report for Congress.

Dynes, S., Andrijcic, E., & Johnson, M.E. (2006). Costs to the U.S. Economy of Information Infrastructure Failures: Estimates from Field Studies and Economic Data. Proceedings of the Fifth Workshop on the Economics of Information Security.

FBI. (2006). PROTECT YOUR INFORMATION - Personal Data is Cyber Treasure. Retrieved from: http://www.fbi.gov/page2/may06/debit_breach051506.htm

Glaessner, T., Kellermann, T., & McNevin, V. (2002). Electronic Security: Risk Mitigation in Financial Transactions Public Policy Issues. World Bank Policy Research Working Paper 2870. Retrieved from: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=636234

Gorman, S. (August 3, 2010). Grid Is Vulnerable to Cyber-Attacks. Retrieved from: http://online.wsj.com/article/SB10001424052748704905004575405741051458382.html

INL. (2010). NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses. Office of Electricity Delivery and Energy Reliability. Retrieved from: http://www.fas.org/sgp/eprint/nstb.pdf

IOActive. (2009). Smart Grid Systems Security Assessments. Retrieved from: http://www.ioactive.com/services_grid_smart.html

ISAC. (2010). CAPP EXERCISE EXECUTIVE SUMMARY. Retrieved from: http://www.fsisac.com/files/public/db/p243.pdf

Jensen, E.T. (2010). Cyber Warfare and Precautions Against the Effects of Attacks. Texas Law Review, 88(7), pp. 1533-1569.

Krebonsecurity. (2010). Computer Crooks Steal $100,000 from Ill. Town. Retrieved from: http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/

Mann, J. (April 21, 2010). Panetta Warns Cyber Attack Could be Next Pearl Harbor. Retrieved from: http://www.thenewnewinternet.com/2010/04/21/panetta-warns-cyber-attack-could-be-next-pearl-harbor/

McGavran, W. (2009). Intended Consequences: Regulating Cyber Attacks. Tulane Journal of Technology & Intellectual Property, 12, pp. 259-275.

Messmer, E. (June 02, 2010a). Cyberattacks seen as top threat to zap U.S. power grid. Network World. Retrieved from: http://www.networkworld.com/news/2010/060210-nerc-cyberattack-power-grid.html?page=2

Messmer, E. (July 26, 2010). Cybercrime costs a business $3.8 million/year, study finds. Network World. Retrieved from: http://www.networkworld.com/news/2010/072610-cybercrime-costs.html

ScanSafe. (2009). Critical Infrastructure Twice as Likely to be Targeted by Cybercriminals. Retrieved from: http://www.scansafe.com/agtr_2009

Tuutti, C. (May 27, 2010). Net Crooks Defraud Service Members with Phishing Site. Retrieved from: http://www.thenewnewinternet.com/2010/05/27/net-crooks-defraud-service-members-with-phishing-site/

Vijayan, J. (2010). Stuxnet malware targets utility systems. Retrieved from: http://www.computerworld.com/s/article/350976/New_Malware_Targets_Utility_Control_Systems

Wilshusen, G.C. (2010). CYBERSECURITY: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats. United States Government Accountability Office.