Cyber attacks targeting hardware

WASHINGTON - When Sony Pictures' computer systems were hacked in November last year, few realised that the problem went far deeper than the gossipy e-mail messages that were leaked or the delayed release of the movie The Interview.

While most think of the hacking as an attack on software, Sony's hardware was also hit, locking employees out of their e-mail boxes for weeks.

Security experts say that more attention should be paid to the physical threats posed by cyber attacks that cause power grid outages or manufacturing plants to shut down, for example.

On Tuesday, US President Barack Obama touched on the issue of cyber security during his State of the Union address, urging Congress to pass legislation to "better meet the evolving threat of cyber attacks, combat identity theft, and protect our children's information".

But Mr Shawn Henry, president of security company Crowdstrike Services, believes the President missed an opportunity to map out the larger risks. He said "the risks are greater than what the average American recognises".

"There are often physical attacks on hardware, on physical equipment, and this is the changing risk that people don't see," he said.

To illustrate this point, Mr Joe Weiss, managing partner of Applied Control Solutions, a control system cyber security consultancy, likened data theft to a highway patrol cop using a radar to find out how fast you are going.

But he added that the threats that we face now are more in line with "someone knowing your speed and remotely taking control of the gas pedal or steering wheel".

Mr Weiss said: "In IT, all you want to do is stop the information flow. In a control system world, you want to prevent them from taking over the system."

He is quick to point out that such attacks are not happening only in the US. The same computer systems for factories or power plants used in the US are also used in Singapore, he said.

"This is an international problem."

In the lead-up to the State of the Union address, the Obama administration has addressed some of these issues, although much of their focus has been on consumer protection and privacy.

For example, last week, Mr Obama revealed his legislative proposals to increase the sharing of cyber attack information between private companies and the government and to give law enforcers more teeth to investigate and prosecute cyber criminals.

Mr Ken Levine, president and chief executive of data protection company Digital Guardian, said sharing technical details of existing breaches would help to put others on alert.

"They can look for the same indicators of compromise in their environment and find them before significant damage is done," he said. Increased intelligence sharing would also "increase the sophistication and timing of our response".

Mr Chris Doggett, managing director of IT security company Kaspersky Lab North America, added that empowering law enforcers to pursue cyber crimes would act as a deterrent.

"One of the reasons that organised crime has turned to cyberspace and that we have seen such an exponential rise in attacks is that the risk to those who commit them is much lower than in physical crimes," he said.

But governments should not be alone in bearing the responsibility of preventing cyber attacks. Companies "have to assume they are going to get attacked" and do more to "secure networks with better defences", said Mr Daniel Vasquez, Japan country director of cyber security company Fortis Security International.

"Everything has to be protected - from personal information to the national power grid."

This article was first published on January 23, 2015.
Get a copy of The Straits Times or go to straitstimes.com for more stories.