Computer glitches expose vulnerability of critical infrastructure

July 10, 2015
Outages at NYSE, United Airlines and WSJ highlight serious security flaws

Operations at the New York Stock Exchange, United Airlines and Wall Street Journal were severely impacted on Wednesday by what officials say are unrelated technical glitches in their respective computer systems. While authorities say the issues do not appear to have been caused by hackers, the fact that they were able to grind to a halt a significant portion of the nation’s financial and transportation infrastructure has raised questions about the security of these highly-critical systems and their ability to be brought back online in the event of a significant cyber terror attack.

Jerry Irvine, a member of the National Cyber Security Task Force and CIO of Chicago-based IT services provider Prescient Solutions, said that while the outage at the NYSE, which officials there say appears to be the result of a software issue, is not hard to believe, the computer problem suffered by United, which the airlines claims was the result of a single router failure, seems much less plausible.

“For a single router, as they’re saying, to affect an entire enterprise organization globally is really difficult to comprehend,” said Irvine. “That’s not a realistic excuse or reason for what happened. If an entire datacenter had gone down that was coordinating the communications for their facility then potentially I could see that, but to claim that a single router brought down their entire enterprise then either their systems are built incorrectly and their staff is incapable or there was something else going on and I don’t believe the first two scenarios. They’ve got great systems and they’ve got great staff, so I think something else is at play.”

Just last month, the Polish airline LOT was forced to ground 10 flights after hackers infiltrated their IT systems.

Pierluigi Stella, chief technology officer of managed network security services firm Network Box USA, also had difficulty believing that the United Airlines outage was strictly a technology issue and said that, more than likely, it was the result of human error in which someone may have broken the configuration of the router.

“Therefore, the issue isn’t really our dependency on technology, but rather, our dependency on those who maintain and configure said technology,” said Stella.

However, he wasn’t so quick to discount the idea that a single point of failure could be responsible for such widespread disruption.

“The internet is so interconnected that a small error in one place can rapidly bring many other things to a screeching halt,” added Stella. “In 2005, someone in the Czech Republic made a small mistake on a router and took down half the internet for several hours.  Yes, we are that interconnected.  In this morning’s case, the issue affected only United, so it was an internal router; but it still demonstrates the fact that technology needs to be operated with caution and that, ultimately, the human element is always the weakest link.  No matter how many redundancies you set in place and how much money you invest, if someone makes a mistake in a configuration, you end up with some serious problems.”

Irvine said that one of the reasons that the computer networks of airlines and other critical infrastructure providers remain ripe for cyber-attacks is due to the fact that some of them are still using outdated systems which oftentimes remain unpatched against new and evolving threats.

“In every organization there are still old, legacy systems that are not being updated,” explained Irvine. “The government’s employee database that was recently breached was because of old systems that are really no longer supported. Systems like Windows XP or Windows Server 2000 or 2003, these systems are no longer supported and yet a great amount of the nation’s critical infrastructure is still built on them. They need to be updated, they need to be patched, managed and need to be built in a redundant factor and they are not. That’s a well-known fact. Much of the nation’s critical infrastructure is opened directly to the internet and, because of legacy systems, they have significant vulnerabilities.”

Aside from keeping these legacy systems updated, Irvine said another common problem is that computer chips within these various industrial control systems have no security built into them which makes them vulnerable when they are exposed to the internet.

“What we need to do is segment critical infrastructure devices from being accessible through the internet or implement new systems that have security built into them to perform those functions,” he said.

Both the NYSE and United Airlines have various cybersecurity standards established by regulatory agencies that they have to comply with but, according to Irvine, we have now reached a point where compliance supersedes security.

“I think having all of these individual compliance environments really takes away from a company’s ability or direction to really secure their environment. They are more worried about being compliant than being secure and that is the concern,” said Irvine. “There needs to be more communications with companies and the federal government and collaborative information sharing to know when attacks are happening, what’s causing them and what’s the best method to mitigate them from occurring.”    

Although none of these glitches have been connected to hackers, the fact that a breach is the first thing people think of when there is a technical malfunction somewhere speaks volumes, according to Jonathan Sander, strategy and research officer at STEALTHbits Technologies.

“If you went to a clothing store on Main Street and there was a ‘we’ll be back’ later sign in the window, would you assume a thief had broken in? It’s very clear that the good guys are not winning the PR battle in the digital security world. We all assume the bad guys can take down any sized company at any time,” said Sander. 

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.