The Department of Homeland Security (DHS) has identified China as the possible origin of an ongoing cyber attack targeting US gas pipeline companies, and specifically a group that managed to hack into RSA security in 2011.
The cyber attack could be a continuation of the “Night Dragon” attack in February 2011 on McAfee computer security firm, which was also traced back to China. The objective of that attack was to obtain financial data from oil and gas companies.
Chinese officials deny that there is any evidence that the cyber attack is coming “directly” from China.
At the same time, US officials have announced that they will be working together with Chinese defense officials on cyber security issues to “avoid any miscalculation or misperception that could lead to crisis in this area”. This new cooperation deal follows Washington’s public accusation last year that China was stealing sensitive high-tech data for economic gain.
The cyber investigation also coincides with a survey released by Carnegie Mellon University CyLab, showing that US energy infrastructure is the least prepared for cyber attacks, while financial institutions are the best prepared in terms of cyber security standards.
The CyLab 2012 survey is based upon results received from 108 respondents at the board or senior executive level from Forbes Global 2000 companies. The survey found that “boards are not actively addressing cyber risk management”, and there is still a “gap in understanding the linkage between information technology (IT) and enterprise risk management.”
Specifically, the survey notes that fewer than two-thirds of the companies had full-time personnel in key privacy and security roles “in a manner that is consistent with internationally accepted best practices and standards”.
One of the most troubling aspects of the survey was how the energy sector rated in terms of cyber security—not well at all, in fact, the worst. According to the survey, energy and utilities sector respondents indicated that their boards “never” address vendor management issues.
Among other revelations, the survey noted that “the energy/utilities sector also places a much lower value on board member IT experience than the other sectors, which is puzzling since their operations are so dependent upon complex supervisory control and data acquisition (SCADA) systems.”
The survey and the investigation into the ongoing cyber attack are come against the backdrop of a legislative battle over cyber security standards and information-sharing. In late April, the House of Representatives pass the Cyber Intelligence Sharing and Protection Act (CIPSA), but the President is threatening to veto that bill, on the recommendation of the White House Office of Management and Budget.
While in vetoing the bill President Obama appears to come out on the side of privacy advocates who oppose CIPSA, the real criticism of the bill is that it fails to obligate companies in charge of critical infrastructure to engage in some very costly cyber security standardizations.
By. Charles Kennedy for Oilprice.com