
Douglas Torres: Network security is an interactive and cyclic human activities system

Updated: Jan 6, 2023

Douglas Torres, Professor of Universidad Central de Venezuela

Douglas Torres is a Doctor of Engineering Sciences (Universidad Central de Venezuela, UCV) and a Doctor of Security and Comprehensive Development (Universidad Politécnica de la Fuerza Armada Nacional, UNEFA). His research interests include network security, network defense, and artificial neural networks. His recent research includes "Cybersecurity and Cyber Defense in Venezuela: An Approach from Soft Systems Methodology" and "A Comparative Study of Evaluating the Reliability of Complex Networks Using Rules Derived from Different Machine Learning Approaches".

As a global concern, cyber security is crucial to national development and security. In recent times, many countries and regions have suffered network security attacks, with damaging effects. How should countries deal with possible cyber security problems in the future? How can network security activities be integrated with other areas? In response to these questions, the Center interviewed Dr. Douglas Torres for his insights on network security issues.


Network security is an interactive and cyclic human activities system

1. In your "Cyber security and cyber defense for Venezuela: an approach from the Soft Systems Methodology" article, you mentioned that Venezuela's oil industry is vulnerable to attack. What do you think are the reasons for this?


The oil industry has been the fundamental economic activity in Venezuela for over a century; it was also one of the first oil industries in the world. This is where the concern explained in the paper [1] arises from, as it is of great importance for Venezuela to have cybersecurity schemes that are robust enough for the interconnected world we live in.


In 2021, Venezuela’s oil production fell to the same level it was at 80 years ago. A monthly oil market report from OPEC (May 2021) indicates that, according to sources, Venezuela’s oil production during April 2021 was about 445 thousand barrels per day (BPD) [2]. According to Reuters in May 2021 [3], Venezuela’s oil exports fell to 593,550 BPD. Around 75% of these exports were destined for Asia.


In my paper, I state that cybersecurity must be handled as a human activities system where all technological processes and all the people involved in them must converge in continuous interaction cycles, always respecting the integrity of the data and information of citizens, companies, and governments. In other words, a secure and reliable cyberspace for us all.


In April 2018 [4], it became known that the servers of the Commercial and Supplies department of PDVSA had been hacked for years and all of its IT activities were exploited by a PDVSA client who, aside from participating in bids for PDVSA products using privileged information, also sold this information to other PDVSA clients. In short, Venezuela’s main industry had systems with vulnerabilities for years without being detected. This serves as proof of the concerns raised in my research. As a Venezuelan, I hope PDVSA and the country get back to the efficiency levels proven in the past.

2. What is your view on recent hacker attacks upon US fuel pipelines and what are the policy implications for other countries?


My academic activity advocates the deep respect and the promotion of the legality of the activities carried out in cyberspace. Therefore, it is criminal and reprehensible to carry out this type of activity that undermines critical infrastructure services.


The lessons learned from these situations for all countries should be the strengthening of information security processes, mainly in areas that are vital for the correct functioning of society. These facts confirm the approach that we have proposed for years: transcending from a data protection perspective towards permanent, continuous management of risks, threats, and cybersecurity.


The United States has taken concrete steps to counter this situation. On May 12, 2021, the White House issued an executive order [5] that establishes, among other aspects, the obligation to notify cyber incidents, even when the contractors or agencies are not from the defense area.


Then, on May 27, 2021, the Department of Homeland Security [6] announced a specific Security Directive for the protection of oil pipelines and hydrocarbon and refined transportation systems and established the obligation of the private sector to communicate to state entities when such incidents occur. This directive complements the previous Executive Order.


The political implications of this situation must be learning, cybernetic reinforcement of critical service infrastructures, and cooperation between all countries, to avoid and/or minimize these situations in the future.


3. You mentioned in your article that the United States does not have adequate resources to combat cybereconomic crimes. Is there any correlation between the attack on their fuel pipeline and the lack of resources?


No, I indicate that all countries should strengthen their technological and human processes to allow better cybersecurity processes for their operations in cyberspace. This requires financial effort. It is an investment, where the benefits outweigh the expenses. Making the administrative systems of an oil pipeline system in any country unusable due to a cyber attack, as well as intervening cybernetically in any other critical activity, in addition to being an unacceptable and reprehensible activity, generates an enormous economic, political and social cost.

The United States has recognized that there has been a lack of coordination and communication between the private sector and the various agencies with responsibility in the cyber area. After the attack on Colonial Pipeline, they discovered that service contractors not linked to the defense area were not required to report their cyber incidents. This is very delicate since critical area services transcend the military and the defensive aspects of any government, and that is what I have insisted on in this, and in previous works.


According to estimates [7], more than 80% of critical infrastructure in the US is owned and operated by the private sector, which requires greater coordination with federal entities to comply with strict security protocols, and until the attack on Pipeline, in some cases, these coordination protocols were not established.


The cybernetic securitization of all activities must be continuous, in favor of safe and reliable activities in cyberspace. This applies to all actors: citizens, private sector, and government, regardless of the country.


4. What do you think this incident reveals about the vulnerabilities in U.S. cyber security?


Three cyberattacks have profoundly impacted the United States in recent months:

1. The Microsoft-Exchange mail servers hack [8]

2. The Solarwinds hack [9]

3. The ransomware attack against Colonial Pipeline systems with the paralysis of its operational activities. [10]

The first two attacks affected government institutions, technology companies, and private companies. The last one affected the largest transportation network of oil and its derivatives through pipelines in the east of the United States, with a negative impact on public opinion because of the shortage of refined oil products along the east coast of the United States.

The first two events required the Biden administration to formulate its first cybersecurity-oriented Executive Order [5]. The third incident confirmed that the first executive order was insufficient and prompted a Security Directive from the Department of Homeland Security and the Transportation Security Administration [6], with more specific guidance to counter threats to companies in the pipeline sector.


According to the cybersecurity consulting firm Emsisoft [11], 2020 was an unprecedented year for cybercriminals due to their operations in the United States. In its annual report, it indicates 2,354 cyber incidents among government entities (at all levels) and the health and educational sectors, with significant economic losses.

Subsequently, this company specified that in 2020 there were more than 15,000 cyber incidents against US organizations with losses estimated between USD 596 and USD 2.3 billion due to payment of ransoms and loss of productivity [12].

But two other cyber incidents this year, 2021, also worry the cybernetic authorities of the USA: a) the incident at the water supply plant in Oldsmar, Florida, where there was a breach that allowed external access to the control systems [13] [14], and b) the cyberattack on the administrative systems of one of the largest food companies in the world and meat producer JBS USA [15].


The Director of the FBI indicates that these attacks have parallels with the attacks of September 11, 2001, with implications for national security, since they have evidenced vulnerabilities in critical infrastructure [16]. These incidents and cyberattacks have demonstrated vulnerabilities, threats and risks, but the United States is strengthening its operational regulations in order to increase its cybersecurity standards.


References

[1] Cybersecurity and Cyber defense for Venezuela: an approach from the Soft Systems Methodology.

https://link.springer.com/article/10.1007/s40747-018-0068-x

[2] Organization of the Petroleum Exporting Countries. Monthly Oil Market Report - May 2021

https://momr.opec.org/pdf-download/

[3] Exportaciones petroleras de Venezuela cayeron en mayo por fallas y falta de diluyentes -datos

https://www.reuters.com/article/venezuela-petroleo-exportaciones-idESKCN2DD4ES

[4] How the ‘Nerd’ Helped Rig Oil Auctions for Years

https://www.bloomberg.com/news/articles/2018-04-04/rigged-by-the-nerd-oil-auctions-said-to-spew-years-of-profits

[5] Executive Order on Improving the Nation’s Cybersecurity. May 12, 2021

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[6] DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators

[7] ‘Mandatory’ Cyber Info Sharing Bill Coming, Says Senate Intel Chair Warner

https://breakingdefense.com/2021/04/mandatory-cyber-info-sharing-bill-coming-says-senate-intel-chair-warner/

[8] More than 20,000 U.S. organizations compromised through Microsoft flaw

https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-idUSKBN2AX23U

[9] Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

[10] Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom

https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

[11] The State of Ransomware in the US: Report and Statistics 2020

https://blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-and-statistics-2020/

[12] FBI director sees 'parallels' between challenge posed by ransomware attacks and 9/11

https://edition.cnn.com/2021/06/04/politics/christopher-wray-cyberattacks-9-11/index.html

[13] Hackers tampered with a water treatment facility in Florida by changing chemical levels

https://www.theverge.com/2021/2/8/22273170/hackers-water-treatment-facility-florida-hacked-chemical-levels-changed

[14] Someone tried to poison Oldsmar’s water supply during hack, sheriff says

https://www.tampabay.com/news/pinellas/2021/02/08/someone-tried-to-poison-oldsmars-water-supply-during-hack-sheriff-says/

[15] A major meat producer was hacked. Here's what you need to know

https://edition.cnn.com/2021/06/02/business/beef-hack-jbs/index.html

[16] FBI Director Compares Ransomware Challenge to 9/11

https://www.wsj.com/articles/fbi-director-compares-ransomware-challenge-to-9-11-11622799003


Editor Assistant Research Fellow: Xianglin Gu


