An attack by the adversary was imminent. Radio traffic indicated that something big was in the works. The targeted military had broken their adversary’s code and identified the target of the attack, simply referred to as “AF.”
A successful military operation requires learning anything that could affect the outcome. Some seemingly insignificant information may require a change in tactics and may affect the go/no-go decision. In a military operation, the sides usually know each other because they are continuously sizing each other up.
Understanding the opponent’s encryption provided a significant advantage. If the target could be identified ahead of time, a large force could be in place for the battle. If they guessed incorrectly, the wrong target would be defended and the actual target would be lost.
The military hatched a plan to plant false information in routine radio communication from the suspected target. They sent an innocuous message saying there was a shortage of fresh water at an island military base and that more fresh water was needed immediately. The message was a routine logistical matter that wasn’t overtly tactical, yet it was important. Soon, they intercepted encrypted radio communications indicating that AF had a fresh water shortage—they now had confirmation of the target. This message turned the tide for one of the most decisive battles of World War II, the Battle of Midway.
Several years ago, IEEE Spectrum published an article about spying in the Cold War. It indicated that the United States had found gathering intelligence on the Russians had become very difficult. However, encryption was not as sophisticated in countries such as East Germany, Poland and Lithuania. So, the U.S. government focused its resources there, which enabled it to put together a pretty accurate picture.
Both of these cases point out that if a facility is important enough, it should be protected from intruders. The Midway event exploited the fact that an enemy would look for vulnerabilities in routine, unimportant areas. The Cold War espionage took advantage of the communications that weren’t considered important enough to protect. This can be a fatal mistake.
Hacking isn’t new
People mistakenly think that we weren’t subject to hacking before everything was connected to the internet. However, there were attempts to hack into the telephone network as early as the 1950s. By the 1960s and 1970s, it became an attractive target for a loose-knit group known as the “phone phreaks.” They were fascinated by how the network functioned. Some of their initial information was found in technical manuals obtained by dumpster diving, and some of the braver souls would impersonate telephone employees to get information.
At the time, the idea of hacking into and manipulating the telephone network was unthinkable. Telephone workers would probably have been very willing to talk to anybody about the technology, so what was the harm?
Some phone phreaks liked the challenge of manipulating call-routing technology, using what they learned to design equipment to avoid toll charges for long-distance calls. Some even learned how to generate work orders. Eventually, the FBI got involved, resulting in a number of arrests.
The biggest problem was the failure to recognize this was a security problem. Who would want to hack into the phone network?
The world wide web and the internet of things (IoT) have revolutionized how we get information and communicate with each other and with devices. Advantages of IoT far outweigh the risks, but we still need to be aware of those risks. Today, the easiest way to attack a target is as simple as getting someone to “open the door” to a network.
Cyberattacks can be an all-out assault on a target but most often begin with phishing emails. Sometimes, they begin when an employee goes to the wrong website. Once the door is opened, hackers can search the network to find vulnerabilities. Every employee who has access to a computer is vulnerable. While the company email is often a point of attack, many employees check their personal email while at work, creating another point of vulnerability. The recent shift toward telecommuting may have increased the exposure of the host network through an employee’s home network.
Unlike the Battle of Midway, we often don’t know who the enemy is and don’t have a way to force them to reveal themselves. Government websites are frequently attacked. Commercial websites may be attacked to gain competitive information, obtain credit card information, reach financial assets, launch a ransomware attack and more.
When I first went to work for NFPA, we had a very open building. It was nice, but as NFPA started to promulgate security standards (NFPA 730 and 731), the need for increased security became clear. Like many companies, we adopted card-key access. The system works well. It also works with the printers around the building, providing a higher level of security because you can supervise sensitive print jobs and pick up a job at any free printer on the network.
One day, I received an email purportedly from a consultant working with the vice president of information services (and it named him). I don’t recall what it asked us to do, because I didn’t do it. I hadn’t heard anything about this, so I contacted the help desk, which wasn’t helpful. So, I ignored the email. As it turned out, it was a security test—and I passed! Not everyone did, because the email was fairly convincing, just as hackers have continued to become even more convincing.
After the initial audit, all staff were required to take online security training, including a practical test. Continuing, up-to-date training is necessary to keep everyone abreast of threats.
One of the most egregious network breaches in recent years occurred at a large national retailer. According to Computerworld magazine, the hack was possible because the network was not properly segmented—credit card information processed on point-of-sale terminals was not segregated from other information on the network. Anyone with network access could find other systems on the network.
Unfortunately, an outside vendor—a mechanical contractor—had access to the network. The contractor had this access to monitor HVAC systems at multiple stores and employed the free version of malware-detection software. Although the free version provides some protection, software vendors are not obligated to provide full features with up-to-date protection in their free versions. Antivirus and antimalware software should always be kept up to date.
The initial attack occurred through an email to the mechanical contractor containing malware. Once in the contractor’s system, hackers were able to access the username and password for the retailer’s system. They then uploaded malware into the retailer’s network, which contained the credit card information for millions of customers.
In another incident, a credit-reporting agency was breached through a customer complaint portal, which had a widely known vulnerability that the agency failed to patch. Once the network was accessed, hackers were able to roam around the network and access other servers. On one server, they discovered a plain text file of user names and passwords, giving them access to the personal information of millions of users.
What we have learned from these two examples is that networks must be segmented. Most of us dislike frequent password changes. However, they are far preferable to a successful network attack.
Malware on end-user computer networks has been a problem for several years. One day, I got several emails that indicated they included photos of a female celebrity. I knew immediately that the sender had been duped into clicking a link. (No, I didn’t click it.) On another occasion, my mailbox suddenly filled up with emails with the subject line “I Love You.” I didn’t know any of the senders, but I knew they were members of an organization that I was also part of. I contacted the organization and got evasive answers. After a few more questions, they admitted that they had received the ILOVEYOU virus from another organization.
Security problems are frequently discovered in operating system software and in some of the most widely used packages. When vendors become aware of weaknesses, they send out software patches or new versions to eliminate the problem. Individual users may fall behind on updates because they see numerous versions queued up and don’t want to take the time to download and install them. Many computer users rarely shut down their computers because they don’t want to wait for a slow startup. A good rule of thumb is to run the updates during a lunch break. It is also good practice to shut down a computer at the end of the work day.
Recently, a certification organization was the victim of a ransomware attack. Having maintained up-to-date backups, the organization was able to return to service without paying a ransom. However, they did have some downtime.
Public inputs have been submitted for the 2023 NEC to address the need for cybersecurity for vulnerable parts of the electrical system. It is too early to know how this will evolve. The Code has never directly addressed cybersecurity, because it hasn’t been considered an installation requirement. However, systems have never been as interconnected as they are today. It will be important to adopt safe computer practices and identify vulnerabilities that could also include customers. The details of cybersecurity will likely refer to other standards.