Reports surfaced last year of hackers who had shut down a US water supply system in what appeared to be the first successful cyberattack against US critical infrastructure (CI).
The target was a water supply control system in Springfield, Ill., the hometown of Abraham Lincoln, no less, and the alleged culprits were Russian agents who had successfully gained access to the facility’s industrial control system and destroyed a key water pump. This appeared to be a test run for a broader attack against the US water supply system, which provides clean drinking water essential to the lives of all Americans.
Media outlets had uncovered the story buried in a government document examining the reasons behind the failure of the water pump. Cybersecurity experts fell over themselves to be the first to predict the coming war against US critical infrastructure.
But it was all a big mistake. It turned out the water pump had just worn out from old age. Evidence of a Russian-based cyberattack turned out to be a US contractor vacationing in Russia who used his cellphone to do some remote troubleshooting on the Springfield-based water system.
So are the risks to critical infrastructure from hackers, terrorists, and state actors overblown, fueled by a media frenzy? Not according to a number of experts consulted by Infosecurity.
Fixing a Hole
The US government is “borderline failing” in its efforts to protect crucial infrastructure, such as the water supply system, power grid, oil and gas pipelines, and communication systems, opines Harry Sverdlove, chief technology officer at Bit9, a Massachusetts-based endpoint security provider.
Since January 2011, there have been over 50 attempted or successful intrusions against US critical infrastructure, Sverdlove notes. “There is no agreement [in the US government] as to who should be overseeing critical infrastructure protection and who should be enforcing standards against that”, he laments.
Sverdlove says there is a danger that terrorist groups or state-sponsored actors could use the code from Stuxnet – which disrupted industrial control systems running Iranian nuclear processing facilities in 2010 – to attack Western targets.
“There are now at least four variants [of Stuxnet] that have been reported in the wild, Duqu being one of them….So it is possible that a terrorist organization or rogue state could get hold of a variant and launch an offensive” against critical infrastructure in the US or Europe, he cautions.
Robin Wood, a senior security engineer with England-based vulnerability management firm RandomStorm, is also concerned about the risk posed by terrorists and state-sponsored groups to critical infrastructure. “Cyber terrorists will be constantly scanning CI to find vulnerabilities that they can exploit. Some will be going after specific targets while some will just be looking for low-hanging fruit offering soft targets that can be used for quick wins”, Wood says.
"When I look at the issue of mass disruption that could lead to loss of life, clearly at the top of that target list is the power grid" |
| Stephen Flynn, Research Institute for Homeland Security |
“I believe that if state-sponsored groups are not probing CI from both friendly and unfriendly nations, then they are not doing due diligence, as other countries are bound to be scanning them”, he adds.
One of the targets for terrorists and state-sponsored actors is likely to be the power grid, judges Stephen Flynn, co-director of the George J. Kostas Research Institute for Homeland Security at Boston-based Northeastern University.
“When I look at the issue of mass disruption that could lead to loss of life, clearly at the top of that target list is the power grid...Not only do you take out the power, but you get all of the cascading consequences – particularly if the grid is substantially damaged – on all the other sectors that rely on power”, Flynn observes.
Donald “Andy” Purdy, chief cyber strategist at Virginia-based technology firm CSC, agrees that the power grid is a tempting target for terrorists.
A cyberattack on an electricity facility, particularly a “blended attack” that involved both a cyber and physical component, could cause cascading effects throughout the power grid, similar to the effects of the August 2003 blackout of the Northeastern US and parts of Canada, Purdy notes.
That blackout, the largest in US history, resulted in the loss of power to around 55 million people in the Northeastern US and Canada, for up to 16 hours. It was caused not by a terrorist attack, but by a power surge that sparked cascading outages in eight US states and a Canadian province. It led to the shutdown of major cities – including New York, Toronto, Baltimore, and Detroit – the disruption of communication, transportation, and water supply systems, and cost the US and Canadian economies up to $8bn.
Yet, despite the blackout and considerable soul-searching by the electricity industry afterward, the power grid continues to suffer from aging equipment and poor security.
“There are a lot of legacy systems in the power grid and low margins, hence there is resistance on the part of utilities to spend money to increase cyber defenses. At the same time, there is a desire to save money and increase convenience by increasing the connectivity of the systems. So it is an obvious area where there are vulnerabilities”, Purdy observes.
Money (That’s What I Want)
While Purdy acknowledges that the power grid is an attractive target, he believes that the financial sector is more vulnerable. An attack on that sector, he says, would be much more disruptive and could undermine public confidence in the economy.
Rick “Ozzie” Nelson, director of the Homeland Security and Counterterrorism Program at the Washington, DC-based Center for Strategic and International Studies, shares Purdy’s concern about an attack on the financial sector.
Nelson expressed his worries that hackers could gain access to account information of a major bank and release it to the public. “A release like that has the ability to undermine major financial players and the US economy”, he concurs.
The proliferation of smartphones and their use in mobile banking has created millions of vulnerability points for the banking system, Nelson notes. “Smartphones are very vulnerable systems, and when individuals are accessing those accounts remotely, they are very vulnerable to exploitation”, he adds. “Once a hacker gets into the system through one of those nodes, he or she can wreak havoc to [an] economy.”
Greg Jones, director at London-based information security firm Digital Assurance, judges that the most exposed critical infrastructure sector in the UK is the financial system. “An attack against the finance sector isn’t easily fixed because it affects confidence...It could undermine confidence to the extent that the effects could be felt for a long time”, he says.
“If you think about the stock exchange in London, they are constantly pushing out market-sensitive information guiding and steering billions of pounds worth of investment every second of every day…If you consider an advanced attack, where one is modifying the content of that information, [it] could potentially have a very significant effect on the trades that are made by those systems….and that could cause a huge amount of damage and a loss of confidence, which would effect the markets quite severely”, Jones warns.
Come Together
Experts on both sides of the Atlantic agree that public-private partnerships and information sharing about threats and vulnerabilities between the government and industry are among the best tools to improve the cyber defenses of critical infrastructure, given that the vast majority of that infrastructure is owned by the private sector.
“Public-private partnerships are critical. Their most pressing challenge is expanding awareness and trying to get better at sharing the latest threat information faster, so that a problem in one area is known by everyone else”, comments Ed Savage, cybersecurity expert with London-based PA Consulting Group.
Savage noted that a few years ago the UK government set up the Centre for the Protection of National Infrastructure (CPNI) to provide cybersecurity information, advice, and expertise to industry through industry-specific groups. “Those networks of information sharing work very well indeed. As a result, the general level of awareness and approach is pretty good”, he asserts.
Sharing information between government and the private sector can be challenging at times, Savage admits. “There is a high sensitivity in sharing that information and a high degree of trust is needed to make that work”, he says.
CPNI has an advisory role in improving the security of privately owned infrastructure, Jones points out. “Although their role is only advisory, they are listened to closely by security managers at various private organizations….Their remit is to liaise between the government and private organizations that are responsible for critical national infrastructure”, he adds.
Henry Harrison, technical director at Surrey, England-based Detica, says that the UK government has worked very closely for some time with UK businesses around critical infrastructure protection in cyberspace, as well as in the physical world.
“It is absolutely central to critical infrastructure protection that there should be public-private partnerships”, he says. “The private sector has to be involved because they run the infrastructure and they will have to actually do things to deal with the threat.”
The same is true in the US, Purdy confirms. He noted that the Department of Homeland Security has set up a number of public-private industry groups under its National Infrastructure Protection Plan to improve the security of critical infrastructure.
“It is essential to have public-private partnerships on an ongoing basis assessing the risk, prioritizing risk mitigation, and trying to improve the way the public and private sectors work together to detect, analyze, and respond to threats and recover from attacks”, he contends.
Hard Day’s Night
So what does the future hold in terms of critical infrastructure protection? It seems that governments and industry are finally taking the threat of cyberattack seriously. Perhaps the wake up call came with the apparent success of Stuxnet, which demonstrated that a cyberattack could, in fact, disrupt a critical infrastructure facility.
Stuxnet also provided a digital blueprint for how to carry out such an attack, a blueprint that terrorist groups and other rogue actors can use against the critical infrastructure of industrialized economies.
Western governments have teamed with private industry to plug the security gaps in critical infrastructure that for so long have been neglected. Two of their favored strategies are public-private partnerships and information sharing. But will these be enough to prevent a determined adversary from causing catastrophic failure of the infrastructure that makes modern life possible?
The industrialized countries must be ever-vigilant because adversaries – whether hacktivists, terrorists, state-sponsored actors, or any combination of these – only have to find one weakness in the billions of connected nodes that make up the critical infrastructure networks.