Two hackers from Irvine gained access in April to the air conditioning and water systems of a Google Inc. office in Sydney, Australia.
Because Google had failed to install a security patch to a software program that remotely tracks and controls building systems, the hackers could have easily raised the office's temperature to an unbearable level or caused water pipes to burst by increasing pressure.
Luckily for Google, the hackers were working for Cylance Inc., an Irvine company that has been grabbing headlines for uncovering security holes that could allow malicious hackers to do serious damage to crucial infrastructure such as hospitals, oil pipelines and banking systems.
The hacking demonstrations are how the company (pronounced as "silence") showcases its work in developing what it says is the ultimate anti-virus warrior.
"We want to help avoid the cyber-Sept. 11," Chief Executive Stuart McClure said. "We have to silently protect — it's in our name."
The 1-year-old start-up says many facilities now use devices and companion software that are just as vulnerable as those used at several Google locations and in more ordinary local office spaces. In Los Angeles, hotels, USC classrooms and a major movie studio run the same computer program online as Google's Wharf 7 facility in Sydney.
The company is hoping to tap a burgeoning market. Worldwide spending on cyber-security should reach $46 billion this year in crucial industries such as energy, communications, finance, healthcare and transportation, according to an ABI Research report released in June.
In the six months that ended May 31, federal officials noted more than 200 attacks on crucial infrastructure. The previous 12 months saw 198 incidents.
Congress remains divided about whether to make cyber-security standards mandatory for crucial infrastructure operators. Analysts have called for more research, development and regulation — areas in which Cylance wants to lead. The company hopes to turn half of the most-crucial Fortune 1,000 companies into customers by 2015.
The start-up has received at least $15 million in venture capital. And as one of the few cyber-security firms in Southern California, Cylance has an easier time recruiting top talent than Silicon Valley cyber-security start-ups.
The company's main service is helping companies find vulnerabilities and attackers. McClure, who previously worked at popular anti-virus software maker McAfee Inc., said that in two-thirds of cases, a company already has an intruder lurking in its computer network.
"We're looking for flaws through a bad guy's glasses, exposing that dark and visible world, and looking for the bad guys and any other undesirables who might be there," he said.
Dozens of firms offer similar security services, but McClure says his company is focused on creating an artificial intelligence system capable of blocking future threats.
Typically, firewall or anti-virus software can stop only those intruders who have been seen before. Cylance's mission is like creating a vaccine for a virus that doesn't exist yet or using facial recognition to nab a future robber who hasn't even been born.
"We're using artificial intelligence to understand what's good and bad in real time and devising a model to predict what's good and bad in the future," McClure said.
The machine is fed with intelligence from the company's researchers.
In May, Rios and colleague Terry McCorkle publicly revealed the Google incident with permission from the technology giant. Rios, who once worked for Google's security team, says Cylance is finding new problems every week.
Badge readers, security cameras and anything else loosely connected to the Internet can be an entrance for hackers. The systems weren't necessarily designed to be Internet-facing, and they've become a blind spot for organizations. Rios said the best solution is placing the devices within a virtual private network, a slice of the Internet accessible to only credentialed users.
"I don't want to be in a building that doesn't like me," Rios said. "Even a simple thing like turning off the air conditioning could be really disruptive to a business."
At least one business and one government facility have seen minor disruptions, according to federal authorities.
A month earlier, Rios and McCorkle had notified the U.S. Department of Homeland Security that about 300 medical devices from 40 vendors had a flaw that would allow a hacker to change crucial settings. Ventilators, drug pumps, patient monitors and external defibrillators were among the affected devices.
Getting the devices patched could take months because medical facilities often don't own them. An employee of the manufacturer must come on site to update tools.
On Cylance's blog, the pair of researchers called on the Food and Drug Administration to require stronger security measures in medical devices. One solution would lessen the chances that a hacker could tamper with a tool without a medical practitioner noticing. They noted that the iPhone, Xbox and Wii already have the security measure, which applies a digital signature to the core of the program.
Cylance says that other crucial devices, such as pumps and pressure gauges at oil fields, lack strong security.
Hackers "could leverage that to melt down chips and make them explode, to bring down pipelines and destroy physical equipment," McClure said.
His research team isn't enough to prevent attacks, McClure says. The company has about 60 employees, but McClure doubts it would grow beyond 200. It's turning to everyday consumers to fill its cyber threat monitoring system with more knowledge.
Cylance recently released a free program for Windows computers called PrivateDetect. Like a virus scan, PrivateDetect looks for malicious files and programs and quarantines them. The company, meanwhile, gets more data to feed into the anti-virus machine.
"Too much of the technology built today is so easily bypassed," McClure said. "We want to shift the balance of power to the favor of the good players."