Posted by: David Scott
bank card, credit card, industrial control systems, industrial plant, industrial systems, IT security, power companies, power company, power plant
According to the Associated Press (AP), hackers are targeting power plants in order to seize control. Presumably, on my part, “control” here means to disable them and create power outages to large areas; I doubt they’re looking to deliver benevolence through efficiencies and reduced bills, for example.
In fact, malicious code and worms are targeting all manner of industrial plants and systems. The Department of Homeland Securtiy (DHS) is urging companies to improve security practices. When reviewing weaknesses as identified by the DHS, it’s rather amazing to see that one of the highlighted security breaches, and spread of a botnet to almost 100 computers, was accomplished through an infected file as delivered to a laptop via a flash drive. The user then connected his laptop to his company’s network and the botnet spread.
It would seem that in this day and age there would be a regularized update of patches for vulnerabilities, but also: In the example cited, the user was returning from an outside conference where the laptop had been in use. I suggest a thorough review by IT for any items that have been offsite, prior to granting access to the overall enterprise.
Perhaps it’s time for monthly security refreshers for all staff; the time involved is a burden, for sure, but it’s time well spent. Perhaps a 10 minute security brief by the IT leader at the end of the monthly all-staff meetings is prudent. For any particular high-profile malware that needs immediate addressal, ad-hoc meetings or e-mail blasts could warn users to be especially cautious, particularly within scopes and activities the malware seems to target.
Being that a good portion, perhaps most, of security breaches are due to human actions (and error), there’s something I’ve noticed: When you call your bank, credit card company, etc., they ask you a security question (it might be mother’s maiden name, name of your first school, etc.). Several questions usually follow on: What is your date of birth? What are the last four (or six) digits of your card? What are the three numbers on the back? What is the expiration date? However, how do you vet the party on the other end of the line that’s soliciting (and collecting) all of this personal, and authenticating, information?
My next post will raise a rather interesting security question, along with a prediction…
August 5th: On this day in 1861, the U.S. levies its first income tax (3% of incomes over $800).