The U.S. Department of Homeland Security is responsible for working with the owners and operators of our country’s critical infrastructure (CI) assets to protect these systems from the increasing threats emanating from cyberspace.
DHS tracks these assets, but the exact number of CI assets is designated by DHS “For Official Use Only,” so it can’t be reported here. Needless to say, many of the CI assets DHS has identified have some sort of electronic controls associated with them.
In late June, US-CERT issued a cybersecurity alert warning of the danger of not changing vendors’ default passwords on Internet-connected devices. Lapses in what many cybersecurity practitioners would call the basics are all too common, and they expose our critical infrastructure to hostile actions by cyber attackers.
Add to that what took place at a cyber threat briefing given to a CIO and his staff at a critical infrastructure provider. One of the CIO’s direct reports stated that most of the patches released by commercial software vendors cannot be applied because “they break things.” It did not appear from the conversation that there was any remediation of those systems so that the patches could be applied.
Those commercial software patches often correct vulnerabilities that have been exploited by cyber attackers in the past. Even more concerning is that, after this exposure/risk was highlighted, there was no sense of urgency to address the issue.
Changing default passwords and routinely applying commercial software patches are basics of modern system security. If our nation’s critical infrastructure providers are struggling with those basics, you have to wonder if any of our critical systems are really prepared for the cyber threats we face today.