Dyson College of Arts and Sciences

Summit on Resilience II: The Next Storm

Issue link: http://dysoncollege.uberflip.com/i/633753

Later that year in July 2013, South Korea became the target of a sustained cyber-attack that paralyzed 60 web sites, including the presidential office and local media companies, on the 63rd anniversary of the outbreak of the 1950-53 Korean War. The profile of the attacks was similar to those that the nation withstood in June, when major web sites in North Korea were attacked; each blamed the other for the attacks. 35

Finally, in December 2014, a German report detailed how hackers struck against an unnamed German mill inside that nation. The attack caused the unauthorized manipulation and disruption of control systems to such a degree that a blast furnace could not be shut down properly, resulting in 'massive', though unspecified, damage. 36 This marks the 2nd time in history (behind Stuxnet) that cyber-attacks resulted in real physical damage, likely starting a new period of cyber intrusive activity that will be driven by national governments' efforts to ascertain the vulnerabilities extant in critical national infrastructural components of their enemies.

Where We Should Go From Here

The applicability of the 20 critical security controls is timely, and may provide an enormous deterrent to thwart future attacks, which are bound to occur. This is especially true since industrial control systems have been found to contain numerous vulnerabilities that may be exploited from anywhere that an Internet connection can be made and, like their counterparts in the banking sector (especially in the U.S.), they have far to go before they successfully lock down their systems to defend against intruders' activities. But prevention will have an impact, and the controls themselves are an excellent remedy for the short term, even though implementing them will take several years of effort and countless millions of dollars' worth of labor to achieve.
In a recent interview with the media firm Bloomberg, Frank Abagnale (the former con artist made famous by the movie 'Catch Me If You Can') said, "Technology breeds crime–always has, always will". He went on, "in five years, it'll be possible to control things like pacemakers and car brakes from thousands of miles away, whereas today you have to be within 35 feet" [author: approximate Bluetooth range]. 37

Programs like the Reliability Assurance Initiative at the North American Electric Reliability Corporation (NERC) are a good start to assess the various risk factors and related management practices that apply to the detection, assessment, mitigation, and reporting of noncompliance. 38 Another successful program is the ongoing strategic relationship between the U.S. government and U.S. private industry, collectively known as the Domestic Security Alliance Council (DSAC). Its goal is the advancement of the FBI's mission of preventing, detecting, and deterring criminal acts by facilitating strong, enduring relationships among its private industry members, FBI headquarters, FBI Field Offices, Department of Homeland Security (DHS) Headquarters and Fusion Centers, and other Federal Government entities.

At the individual State level, the Multi-State Information Sharing & Analysis Center (MS-ISAC) is the focal point for threat protection, prevention, response and recovery for the nation's state, local, tribal, and territorial governments. The MS-ISAC 24x7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification and mitigation, and incident response. 39