Modernizing Authentication — What It Takes to Transform Secure Access
At 11:42pm on April 7, all 156 sirens across the city of Dallas, Texas were activated by hackers, and it wasn't until 1:17am that the city's Office of Emergency Management was able to turn them off.
While the sirens were going off, the Dallas Office of Emergency Management tweeted, "System malfunction with City of Dallas siren system. Crews working to fix. No emergency. Please do NOT call 911. Thank you."
"We had people asking if we were being attacked because of what's going on overseas," a city spokeswoman told the Houston Chronicle.
The following day, the City of Dallas published a press release saying, "We can state at this time that the City's siren system was hacked Friday night. For security reasons, we cannot discuss the details of how this was done, but we do believe that the hack came from the Dallas area."https://l1.cdn.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
According to the Dallas Observer, Dallas City Manager T.C. Broadnax said the attack was launched via radio frequency, not online. "Our system is not software related and on a computer," he said. "It's a radio system."
Still, city officials separately told the Chronicle that the attacker had gained physical access to a hub connecting all the sirens.
Broadnax refused to provide details on how the hack occured, saying he didn't want to help someone else try to replicate the attack. Still, he said, "The fixes that we put in place this weekend safeguard the system. We do not expect any further inrusions, specifically of this nature, based on what we've done."
Yesterday, Broadnax issued a separate statement saying, "In addition to the city siren system, I have begun the process of looking at critical systems citywide to examine what, if any vulnerabilities may exist. These include the water system, radio network, 911/311, police-fire dispatch, flood warning system, financial systems, etc. We will come back to Council on Wednesday with an action item and a plan to move foward with these assessments."
Carbon Black national security strategist Eric O'Neill told eSecurity Planet by email that as more and more devices become connected to the global communications network, the risk of disruption by cyber attackers inevitably increases.
"Compromising an emergency siren may seem like mischief, but these sorts of attacks can also erode the public's trust in emergency services," O'Neill said. "If normal operations are disrupted by cyber attackers, then when a true emergency occurs, the public may ignore the warnings."
"Attacks against our critical infrastructure no longer require physical access or kinetic explosives," he added. "In a time when everything is connected, everything can be compromised."
A recent survey of 442 federal leaders, conducted by the Government Business Council on behalf of Brocade, found that 60 percent of respondents said security is more important than stability, accuracy or speed in the devices and sensors their agency uses to transmit data, and 89 percent said it's very or extremely important to secure devices operating at the edge.
Still, 58 percent of respondents said they're just somewhat, not very, or not at all confident about the security of their edge devices.
Key challenges in providing that security include limited funding (39 percent), inadequate procurement processes (39 percent), a shortage of technical expertise (30 percent), and inability to adapt to new threats (23 percent).
What asked which threats to IoT devices concern them the most, cyber terrorism led the responses at 43 percent, followed by nuisance hackers (36 percent), proxy attacks (30 percent) DDoS attacks (26 percent) and organized crime (21 percent).
However, 48 percent of respondents don't know how their agency plans to secure its IoT in the near future.
"The IoT's rapid growth demands that agencies invest upfront in security," the report states. "While it may be expedient to bolt on security for devices already in use, this is neither sustainable nor cost-efficient in the long term. Instead, agencies should prioritize security at the earliest stages of development, communicating basic IoT threat awareness to employees and investing in encryption and automation."