By Jim Finkle
(Reuters) - Cybersecurity researcher HD Moore discovered he could use the Internet to access the controls of some 30 pipeline sensors around the country that were not password protected.
A hacking expert who helps companies uncover network vulnerabilities, Moore said he found the sensors last month while analyzing information in huge, publicly available databases of Internet-connected devices.
"We know that systems are exposed and vulnerable. We don't know what the impact would be if somebody actually tried to exploit them," said Moore, chief research officer at the security firm Rapid7.
U.S. national security experts used to take comfort in the belief that "rational" super powers like China or Russia were their main adversaries in cyber space. These countries may have the ability to destroy critical U.S. infrastructure with the click of a mouse, but they are unlikely to do so, in part because they fear Washington would retaliate.
Now, concerns are growing that "irrational" cyber actors - such as extremist groups, rogue nations or hacker activists - are infiltrating U.S. systems to hunt for security gaps like the one uncovered by Moore. These adversaries may not be as resourceful, but like Timothy McVeigh's bombing of an Oklahoma federal building in 1995, it is the element of surprise that is as concerning.
Former U.S. Homeland Security Secretary Michael Chertoff said he was worried the first destructive cyber attack on U.S. soil might resemble the Boston Marathon bombings in the sense that the suspects were not on the government's radar.
"You are going to get relatively modest-scale, impact attacks from all kinds of folks - hactivists, criminals, whatever," Chertoff said at the Reuters Cybersecurity Summit last week. "Are they going to take down critical infrastructure? They might."
Emerging cyber actors that security experts say they are most concerned about include Iran, believed to be behind the ongoing assaults on U.S. banking websites, as well as a devastating attack on some 30,000 PCs at Saudi Arabia's national oil company last year.
North Korea is also quickly gaining cyber skills, experts say, after hackers took down three South Korean broadcasters and two major banks in March.
Another emerging actor is the Syrian Electronic Army, an activist group that has claimed responsibility for hacking the Twitter accounts of major Western media outlets, such as the Associated Press last month, when its hackers sent a fake tweet about explosions at the White House that briefly sent U.S. stocks plunging.
The U.S. power grid is the target of daily attempted cyber attacks, according to a report by California Representative Henry Waxman and Massachusetts Representative Ed Markey released at the House Energy and Commerce Committee's cybersecurity hearing on Tuesday.
More than a dozen utilities report daily, constant or frequent attempted attacks, ranging from unfriendly probes to malware infection, according to the report. (To read the report, see http://r.reuters.com/sej38t)
Gerry Cauley, chief executive of the North American Electric Reliability Corp, told the Reuters Cybersecurity Summit that computer viruses have been found in the power grid that could be used to deliver malicious software to damage plants. NERC is a non-profit agency that oversees and ensures the reliability of bulk power system in the region.
Experts say that with so many unknown hackers trying to infiltrate U.S. industrial control systems, they fear someone somewhere - perhaps even an amateur - will intentionally or unintentionally cause damage to power generators, chemical plants, dams or other critical infrastructure.
"Even if you don't know how things actually work, you can still wreak havoc by crashing a device," said Ruben Santamarta, a senior security consultant with IOActive. "Probably in the near future we may face an incident of this type, where the attackers will not even know what they are doing."
Santamarta has identified hundreds of Internet-facing control systems -- on the grid, at water treatment facilities and heating and ventilation systems for buildings including hospitals. He has also uncovered bugs built into industrial control equipment.
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, known as ICS-CERT, last week warned of a flaw that Santamarta found in equipment from Germany's TURCK, which is used by manufacturers and agriculture firms in the United States, Europe and Asia.
The agency said attackers with "low" hacking skills could exploit the flaw, letting them remotely halt industrial processes. It advised customers to install a patch that would protect them against such attacks.
Director of National Intelligence James Clapper told a Senate committee in March that "less advanced, but highly motivated actors" could access some poorly protected control systems. They might cause "significant" damage, he warned, due to unexpected system configurations, mistakes and spillovers that could occur between nodes in networks.
'A MATTER OF TIME'
ICS-CERT posts dozens of alerts and advisories about vulnerabilities in industrial control systems on its website each year. Companies whose products were named in their alerts include General Electric Co, Honeywell International Inc, Rockwell Automation Inc, Schneider Electric SA and Siemens AG.
Dale Peterson, CEO of industrial controls systems security firm Digital Bond, said infrastructure control systems are highly vulnerable to cyber attacks because designers did not take security into consideration when they developed the technology.
While hackers have yet to launch a destructive attack on U.S. infrastructure, plenty have the skills to do so. "I would say it is only because no one has wanted to do it," said Peterson, who began his career as a code breaker with the National Security Agency.
House Intelligence Committee Chairman Mike Rogers said terrorists are among the groups looking to acquire the capability to launch a cyber attack on U.S. infrastructure, but he believes they do not yet have that ability.
"You get the right person with the right capability committed to this and it's a game changer," Rogers told the Summit. "My concern is it's just a matter of time.'
Eric Cornelius, a former ICS-CERT official, said that operators in critical sectors including power, water, oil and gas sometimes do not implement security fixes recommended by equipment and software manufacturers in a timely manner because they need to take plants off line to do so and cannot afford the downtime.
Some plants lack sufficient security staff and technology to protect networks because they don't have adequate funds, said Cornelius, director of critical infrastructure for Cylance Inc.
A relatively unsophisticated hacker whose goal was to probe a network could unintentionally damage a system because aging networks are fragile and extremely sensitive, he said.
"That leaves these control systems insecure," he said.
(Reporting by Jim Finkle; Editing by Tiffany Wu and Leslie Gevirtz)