The FBI's Source Of Trust Just Got Hacked

Forbes Technology Council

Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.

The early December sabotage and subsequent shutdown of two North Carolina power substations is a reminder of how vulnerable our critical infrastructure (CI) facilities are. Damage from gunfire knocked the stations offline, leaving tens of thousands of customers in the dark for days.

This event was just the latest manifestation of attacks against CI in the U.S. Just a few years ago, the Colonial Pipeline was hit with a ransomware attack that led to the closure of the major pipeline for nearly a week. And two years ago, a hacker broke into the systems of a California water treatment plant and deleted programs used to cleanse the water. Fortunately, the attack was discovered, and the files were restored before real damage was done.

Successful attacks may not happen all that often, but that doesn’t mean the threats aren’t there. In fact, there are millions of attempted attacks—both physical and cyber—against the country’s CI each year.

Concerns about such threats led the Federal Bureau of Investigation (FBI) to create InfraGard, a public/private alliance for national infrastructure protection. The program’s mission is “to enhance our nation’s collective ability to address and mitigate threats to United States critical infrastructure by fostering collaboration, education, and information-sharing through a robust private sector/government partnership.”

InfraGard members largely come from 16 different CI sectors, ranging from energy and financial services to water and wastewater systems. More than 80,000 self-registered members partake in the industry-oriented social network that is meant to be a source of trust for those charged with protecting the nation’s CI against all sorts of threats.

When Trust Turns To Rust

But trust can be broken, as it was just recently when a hacker revealed he had misrepresented his identity to join InfraGard and subsequently stole and listed for sale the membership database.

According to security researcher Brian Krebs, the hacker, who calls himself USDoD, used the identity of a financial services CEO to register to become a member of InfraGard. He provided the real name, Social Security number, date of birth and phone number of the legitimate CEO. The hacker also gave an email address that he controlled. The FBI then did its usual vetting of a prospective member to verify that this person should qualify for membership. Within months, USDoD received an email at the fake address confirming “the CEO’s” membership in InfraGard. He was provided with initial login instructions.

Once logged into the members-only system, the hacker used a common API to access information about other members. He had a friend write a script to siphon off that data through the API. It’s now for sale on the Dark Web.

The troubling thing about this data tranche is that it contains the names and contact information of the highest-ranking security people within the major companies and agencies that constitute the nation’s critical infrastructure. Now, these people can be spear-phished, or the data can be otherwise used by, say, nation-states that want to penetrate energy facilities, financial systems, chemical plants, wastewater treatment plants and so much more. Even more troubling: despite the FBI knowing about the breach, the InfraGard members have been learning about it (so far) through the news and not directly from the FBI.

Let’s Learn From This Event

Aside from this breach being quite an embarrassment for the FBI, there are lessons we can all take away from the incident.

For a sensitive system that allows for the self-registration of members, the applicants must be well-vetted. In this case, they were vetted—by the FBI, no less—but the process was still lacking. The loophole was the email address that looked legitimate but was under the control of the hacker. If InfraGard were a truly critical source of security information (members say it isn’t), it would be better to use a different approach to signing up new members—maybe doing away with self-selection for membership or doing in-person registration and vetting. The FBI, after all, does have offices and agents all across the country that could positively verify a person’s identity before giving access credentials.

Breach notification is important. In fact, it’s required by law. Brian Krebs is an excellent source for cybersecurity-related information, but he shouldn’t be considered a source for breach notification. Some InfraGard members reported they initially learned that their information was compromised (and is for sale) by reading Krebs’ story online rather than by being directly notified by the FBI. The time to plan for breach notification is before a breach happens so that communication can be direct and timely. InfraGard members whose data was stolen must now be hyper-vigilant about spear-phishing attempts and other uses of their personal data.

As for the data itself, better protection is needed around it. While I have no knowledge of the current state of the service’s data security, it’s obvious that InfraGard could benefit from using solutions such as data loss prevention (DLP) and API protections, as outlined by OWASP. DLP can detect and prevent the removal of vast amounts of data in certain circumstances. Since the weak point, in this case, was an API that is designed to fetch and serve member data, strengthening the controls of how the API functions might be more useful. This should be a wake-up call for every company since APIs have become so critical in most modern applications.
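The control described above, a limit on how a member-lookup API can be driven, is easier to reason about with something concrete. The following is an added example, not code from InfraGard, the FBI or the author: it assumes a per-record endpoint of the form `/api/members/<id>`, a constructed access-log format (`<ISO timestamp> <principal> GET /api/members/<id> <status>`), and made-up account names and thresholds. It counts the distinct member records each principal fetches inside a sliding window, denies lookups once that count exceeds a limit, and replays a constructed log to show where a scripted walk of the id space would have been cut off.

```python
"""Added example: detecting and throttling bulk member-record enumeration
through a per-record lookup API. The log format, account names and
thresholds are assumptions for illustration, not taken from InfraGard."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <principal> GET /api/members/<id> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<principal>\S+) GET /api/members/(?P<member_id>\d+) (?P<status>\d{3})$"
)


@dataclass
class Event:
    ts: datetime
    principal: str
    member_id: int


@dataclass
class Alert:
    principal: str
    ts: datetime
    member_id: int
    distinct_in_window: int


def parse_line(line: str):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["principal"], int(m["member_id"]))


class EnumerationGuard:
    """Per-principal sliding-window limit on *distinct* member records fetched.

    Counting distinct records rather than raw requests means a user who keeps
    re-opening the same profile is not penalised, while a script that walks the
    id space is stopped after max_distinct records per window."""

    def __init__(self, max_distinct=20, window=timedelta(minutes=5)):
        self.max_distinct = max_distinct
        self.window = window
        self._seen = defaultdict(deque)   # principal -> deque of (ts, member_id)

    def check(self, ev: Event):
        """Record the lookup and return (allowed, distinct_count_in_window)."""
        q = self._seen[ev.principal]
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()                   # drop events that fell out of the window
        q.append((ev.ts, ev.member_id))   # denied lookups still count toward the window
        distinct = len({mid for _, mid in q})
        return distinct <= self.max_distinct, distinct


def scan_log(lines, max_distinct=20, window=timedelta(minutes=5)):
    """Replay access-log lines through the guard; return the lookups it would deny."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)       # the sliding window needs time order
    guard = EnumerationGuard(max_distinct, window)
    alerts = []
    for ev in events:
        allowed, distinct = guard.check(ev)
        if not allowed:
            alerts.append(Alert(ev.principal, ev.ts, ev.member_id, distinct))
    return alerts


def build_sample_log():
    """Constructed sample log: one ordinary user and one scripted account."""
    base = datetime(2022, 12, 1, 9, 0, 0)
    lines = []
    for i, mid in enumerate((1042, 1077, 1103)):      # three lookups over ten minutes
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} user-normal GET /api/members/{mid} 200")
    for i in range(40):                               # forty sequential ids in 80 seconds
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} user-scripted GET /api/members/{5000 + i} 200")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for a in scan_log(build_sample_log()):
        print(f"{a.ts.isoformat()} DENY {a.principal} member {a.member_id} "
              f"({a.distinct_in_window} distinct records in window)")
```

Run against the constructed log, the ordinary user is never touched, while the scripted account is denied from its 21st distinct record onward. The same `EnumerationGuard.check` call can sit in the API handler itself as a preventive control, and the replay over logs doubles as a retrospective detection, which is the kind of volume-based signal a DLP or API-protection layer would raise.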

Breaches happen every day, and we must take the time to learn from them and from what could have been done differently in order to prevent the next one.
