AIMBlog_Logo_Resized

Raytheon Executive Warns Employers on Cybersecurity

Posted by Christopher Geehern on Sep 20, 2013 9:15:00 AM

The next victim of cyber crime or cyberterrorism may be a patient driving to a Boston hospital for a doctor’s appointment.

DugleLynn Dugle, President of Raytheon Intelligence and Information Systems, says that “white hat” engineers have hacked the wireless payment systems embedded in Boston parking meters. They have hacked the Toyota Prius or Ford Focus that the patient may drive to the hospital.

And they can potentially hack the pacemaker keeping the patient alive.

The Food and Drug Administration has documented “dozens of cybersecurity incidents affecting hundreds of medical devices,” Dugle told hundreds of business leaders at the AIM Executive Forum in Waltham this morning.

An increasingly networked, mobile and data-driven world economy has put organizations ranging from the U.S. military to the neighborhood restaurant at risk of theft by wire. Dugle said that nation states, criminal syndicates and lone hackers are distorting financial markets, accessing biotechnology secrets and even destroying the equipment on factor floors.

The cost of cyber espionage and cyber crime could be as high as $100 billion annually, according to Dugle, who runs $6 billion business with 17,000 employees charged with protecting computer networks that run the United States government, the military, the electric infrastructure, the financial system and broad swaths of private enterprise.  One quarter of all network security breaches occur in retail stores and restaurants; 20 percent take place at manufacturing, transportation and utility companies; and another 20 percent hit information and professional security firms.

Part of the issue, Dugle said, is the sheer volume of data created worldwide. More than 1.8 zetabytes of data were created globally in 2011, equivalent to 36 million years of high-definition television.

“Part of a protection strategy has to do with how much territory you have to protect. The bigger the territory, the harder it is to protect,” Dugle said.

What can employers do to make their operations secure? Dugle offered a three-part prescription:

  • Defend against Advanced Persistent Threat, which is a sophisticated and often invisible effort to target a network.  Dugle urged companies to audit and defend the most accessible entry points to their networks, most often employee smart phones and laptops.
  • Reduce Threats from Insiders . The best security standards and protocols in the world are meaningless if the people using them bend the rules, refuse to follow them or circumvent them. Leaks from former National Security Agency contractor Edward Snowden illustrate the magnitude of the threat from inside, Dugle said.
  •  Train employees to minimize cyber threats.  Raytheon has initiated bi-annual cyber training programs for 68,000 employees, according to Dugle, and has reduced by half employee click-throughs on malicious emails.

Topics: Cybersecurity, Issues, AIM Executive Forum

Cybersecurity and Employers - You're Going to Need a Bigger Lock

Posted by Christopher Geehern on Sep 9, 2013 9:01:00 AM

“Our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.”

CybersecurityThat sobering assessment came last week from outgoing Homeland Security Secretary Janet Napolitano.

“While we have built systems, protections and a framework to identify attacks and intrusions, share information with the private sector and across government, and develop plans and capabilities to mitigate the damage, more must be done, and quickly,” Napolitano said in a speech to the National Press Club.

It’s a message that government, employers and average citizens alike should take to heart. A recent study by the Center for Strategic and International Studies and the computer-security firm McAffee estimates that cybercrime and cyberespionage cost the U.S. economy more than $100 billion and 508,000 jobs each year.

It was more than a bit ironic that that Napolitano made her comments just as a hacker group called the Syrian Electronic Army gained control of The New York Times, Twitter and Huffington Post UK. The same group, a hacker collective that supports Syrian President Bashar al-Assad, claimed responsibility several weeks earlier for breaching the network of The Washington Post with a sophisticated phishing attack that resulted in one staff writer’s personal Twitter account being used to send out a Syrian Electronic Army message.

The computer networks that run the nation's electricity grid, financial system and national defense are under attack. So are the systems that run your company.

The collection of computer systems, telecommunication networks and mobile devices that, grouped together, make up the cyber realm are an increasingly popular target for nation states, criminal syndicates and even lone hackers sitting in coffee shops thousands of miles away. These hackers are pulling out personal identities, engineering specifications, social security numbers, money from banks and intellectual property - the blueprints for jobs in the next generation.

“Intuitively, I think each one of us understands that there's been a substantial expansion of the cyber domain from the desktop computer and traditional computer network to now, every air traffic control tower, warehouse, smart phone and even the automobiles we drive," said Lynn Dugle, President of Raytheon Company’s Intelligence, Information and Services business, who will discuss the global cyber threat at the AIM Executive Forum on September 20.

"This has meant more opportunity and productivity for our society but it has also meant more threats to the data, operations, machines and devices we have come to rely upon. As a result, every company, organization, and agency who presumes to have intellectual property, confidential information or essential operations on a network has an obligation to understand how that network is being used and how that network is being accessed."

The breadth of the cyber threat was underscored in February when the private security firm Mandiant issued a report detailing the ongoing campaign by the Chinese government to hack into American government and corporation Web sites. Mandiant asserted that its three-year investigation showed that a unit of the Chinese military, PLA Unit 61398, had breached 115 U.S. companies across 20 industries in sustained attacks of a year or more that in one case stole 6.5 terabytes of information from a single company. 

The Depository Trust & Clearing Corp., which processes U.S. stock trades, has identified cybercrime as the most significant threat to markets and governments around the world. A study by two financial industry organizations found recently that 53 percent of securities exchanges surveyed had been hit by a cyber-attack in the last year. About 89 percent of exchange executives said it represents a systemic risk.

Small wonder that 78 percent of 400 investors surveyed said they would be “somewhat or very unlikely” to invest in a company with a history of being targeted in cyber attacks.  

“In a modern digitalized world it is possible to paralyze a country without attacking its defense forces: The country can be ruined by simply bringing its Scada systems to a halt. To impoverish a country one can erase its banking records. The most sophisticated military technology can be rendered irrelevant. In cyberspace, no country is an island,” Toomas Hendrik Ilves, President of Estonia, wrote recently.

The threat is not limited to computers. The New York Times reported in 2011 that American and Israeli intelligence were apparently behind a computer worm called Stuxnet that severely damaged Iran’s nuclear centrifuges in 2010, setting back that nation’s controversial nuclear weapons program by several years. The Times asserted that Stuxnet, the most sophisticated cyberweapon ever developed, caused the centrifuges to spin out of control while playing back recordings of normal operations so technicians were unaware of what was happening.

And next time you’re driving down the Mass Turnpike, remember that your automobile is not simply a mass of glass and steel but a hackable network of computer-controlled electronics. Forbes magazine reported last month on the work of a Pentagon-funded project in which hackers have been able to gain control of the braking and other systems of cars that now routinely include Wi-Fi networks such as Onstar and SYNC.

The message to employers – you’re going to need a bigger lock.

AIM Executive Forum Lynn Dugle

Topics: Cybersecurity, Issues, AIM Executive Forum

Digital Espionage Stroke Raises Issues for Massachusetts Manufacturers

Posted by Christopher Geehern on Feb 3, 2011 2:32:00 PM

An extraordinary stroke of digital espionage by the United States may forever change the way manufacturing companies look at the security and vulnerability of their operations.

Manufacturing SecurityThe New York Times reported on January 15 that American and Israeli intelligence were apparently behind a computer worm called Stuxnet that severely damaged Iran’s nuclear centrifuges in 2010, setting back that nation’s controversial nuclear weapons program by several years. The Times asserted that Stuxnet, the most sophisticated cyberweapon ever developed, caused the centrifuges to spin out of control while playing back recordings of normal operations so technicians were unaware of what was happening.

It marked one of the first instances in which nations used computer malware to cause physical damage to the machinery of another. The Times reported that U.S. intelligence began by obtaining information about the vulnerabilities of the Siemens P.C.S.-7 controllers used to operate the Iranian centrifuges and then tested the scheme on Iranian-type machinery kept by by Israel.

The Siemens controllers are the same ones used by thousands of manufacturing companies around the world to operate industrial machinery. Computers drive virtually all advanced manufacturing by translating the electronic engineering of products and parts to computer numeric controlled (CNC) machinery to fabricate everything from paper to jet engines with astonishing tolerances.

“It’s like a playbook,” said Ralph Langner, an independent computer security expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone who looks at it carefully can build something like it,” he told the Times. Mr. Langner is among the experts who express fear that the attack legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.

The vulnerability of computer-controlled manufacturing machinery is especially troublesome for Massachusetts, where the manufacturing sector is both highly automated and global in scope. Walk around any Massachusetts factory floor and you’re likely to see five-axis machining centers, printing presses or plastic injection-molding machines with almost as much computer hardware and software as tool bits.

The Stuxnet attack ultimately opens up a broad new set of security concerns for manufacturers who until now thought the worst consequence of a computer virus was crashed laptops. What happens now that a business competitor, a disgruntled employee or some hacker sitting in an Internet café in Asia can write computer code capable of making multi-million dollar production machinery run off the rails?

There is, unfortunately, a growing body of answers to that question. Cyber attackers in recent years have shut down nuclear plants, municipal water systems, a tram system in Poland and even the traffic lights in Los Angeles.

As early as 2008, Siemens and the Idaho National Laboratory told a conference: “Currently, a cyber attack on industrial control systems is one of the only ways to induce real-world physical actions from the virtual realm of the Internet. This is leading to an increased level of interest in industrial control systems by ‘black hat’ groups.”

The message to manufacturers – you’re going to need a bigger lock.

 

Topics: Cybersecurity, Manufacturing, Massachusetts Manufacturing

Subscribe to our blog

Posts by popularity

Browse by Tag