Password Managers for Critical Infrastructure Systems

A cyber security researcher on a jet hacks into flight controls via its in-flight information system.

A practical joker cracks the code for programming electronic highway road signs.

An organized crime group hides drugs in an ocean shipper’s legitimate cargo and uses hackers to gain data needed to steal the cargo containers in port.  

A cybercriminal gains access to a railroad’s signaling system by pretending to be a rail company executive and sending out bogus emails to other employees.

Each of these scenarios demonstrates what happens when a cybersecurity vulnerability common in transportation and other critical infrastructure systems is discovered and abused: a weak password. The first three actually occurred; the fourth is a terrifying possibility. 

Digital Invaders of Critical Infrastructure

Cyber-insecurity lurks in the air, on the road, in tunnels and on bridges, along railroad tracks, and across the ocean. Fears are well-founded regarding the digital invasion of our nation’s transportation systems as their various infrastructures become more dependent on the “Internet of Things”.

In an article about the U.S. Federal Government’s National Strategy for Transportation Security, Roads & Bridges magazine notes that protecting the nation’s transportation systems requires “broad-based commitments to improve cybersecurity awareness and the use of best security practices by individuals, industries, and government agencies.” Many security experts would include the use of password management software as one of those best practices.

November is Infrastructure Security and Resilience Month. It is a good time for government agencies and industries to consider enterprise password management as a frontline tool in helping to secure the safety of critical infrastructure, including transportation systems. We don’t want the huge data breaches that have besieged retail and social media in recent years to hit the transportation sector and other critical systems on which we rely daily.

Password Managers Help Eliminate Stolen & Weak Passwords

In Verizon’s 2016 Data Breach Investigations Report, 63 percent of confirmed data breaches involved leveraging weak, default, or stolen passwords.

We no longer live in a time when it is safe and acceptable to use predictable passwords, such as “123456” or “password”. Weak passwords are as easy to steal as they are to remember.

A stolen password can result from an attack as simple as a spear phishing email, in which the writer pretends to be a co-worker in order to burrow into an organization’s documents and operations. In the case of critical infrastructure — such as air traffic control, highway transportation, power grids and water management — these files may lead to information necessary to hack control systems that protect lives.

An Example of the Worst Case Scenario 

In one of the worst breaches of critical infrastructure to date, hackers used a phishing attack to gain access to the controls of an electrical power utility in the Ukraine on December 23, 2015.

As Wired magazine noted, it was “the first confirmed hack to take down a power grid.” The hackers had stolen employee credentials for months to eventually create a blackout that left 230,000 customers cold and in the dark for up to six hours.

One of the electric power company’s errors was allowing workers to log into grid controls without using two-factor authentication. Wired reported that this made it easier for hackers to hijack the credentials of these workers.

Similarly, reporting on a 2013 breach of a dam in upstate New York, NBC noted that an Iranian hacker used a legal search engine designed to find control systems with inadequate cyber security. The NBC report added that systems reliant on “simple passwords or no passwords at all” are easily accessed.

Work in the transportation industry? Start using a password manager.

Understanding the role and tools of good password hygiene in avoiding system breaches is imperative for anyone working in critical infrastructure industries or agencies. Often, weak password practices leave the door open for cyber-attacks. Let’s consider the hacks mentioned at the beginning of this article:

In-Flight Entertainment: In 2015, Wired reported on the cybersecurity researcher who virtually hacked jet operating systems and then, at least once, committed an actual hack. An FBI search warrant, citing admissions from the researcher, stated that he had used easy-to-access default IDs and passwords to reach operation controls through in-flight entertainment systems. The warrant indicated that he did this more than 12 times between 2011 and 2014 and, on one occasion, briefly changed the jet’s movement.

Roadway Joke: Next, consider the Austin, Texas hacker who messed with electronic roadway signage this past spring just to be funny. The Statesman newspaper reported that the perpetrator guessed the password necessary to access a reader board. He altered a message about road construction to say, “Drive Crazy Yall.” Now he faces a potential 10-year prison sentence. It isn’t difficult to imagine how this kind of hack or interference with other traffic control systems could be used for malevolent purposes.

Shipping Hack: In 2013, the BBC reported that sophisticated hackers may have worked for two years with cocaine and heroin traffickers to breach IT systems at Belgium’s Port of Antwerp. It began with “malicious software being emailed to staff.”

Railroad Worries: This leads us to the fourth scenario in the opening of this post concerning a breach of a railroad’s signaling system. Although fictitious, it’s obvious that email phishing of company and governmental managers is a very real threat, and the potential consequences could be dire. Take, for instance, the Security Affairs newsletter, which notes that in a 3-year study of European railway communication networks, a group of cyber security researchers discovered vulnerabilities including “lack of authentication protections” and use of passwords easily accessed from source code.

All of these open doors are ones that password management software can slam shut for transportation and other crucial infrastructure systems. Let’s not be careless.

How a Password Manager Can Thwart Cyber Attacks on Critical Infrastructure

Password management tools are a great way to help correct weak password practices and strengthen the overall cyber security of an organization.

Passwords are similar to house keys. You shouldn’t share them carelessly because that can lead to break-ins by bad guys you would never want in your home. A strong password manager program provides several layers of security, including master passwords known only to account owners, digital keys that verify whether an attempt to unlock an account is coming from a device owned by the account holder, and two-factor authentication.

In the most advanced password management programs, like Dashlane, only the individual account owner possesses the master password to enter his or her account. An account can store all of your complex passwords related to your personal life, as well as work. The only password the account owner needs to remember is the master password.

Most importantly, password managers are essential for thwarting a number of cyber attacks, including phishing and social engineering attacks, spyware and keyloggers (thanks to their auto-fill features), web app attacks, dictionary attacks, brute force attacks, malware, identity theft, POS intrusions, and much more.

Still have questions about password managers? Find all the answers in our Skeptic’s Guide to Password Managers and Security. Or simply leave your question in the comment box below!