IT security firm McAfee's recent critical infrastructure protection report, In the Dark: Crucial Industries Confront Cyberattacks [PDF], highlights the ever-growing threat of cyberattacks on the nation's core infrastructure systems.
At one time, proprietary, locally controlled computers monitored and maintained everything from electricity distribution to water treatment. But as companies look to reduce costs and simplify command and control operations, critical infrastructure systems are being connected directly to the internet, making attacks by foreign governments, hackers, or criminals both easier and more likely.
This year, in a sequel report, we focused on the critical civilian infrastructure that depends most heavily on industrial control systems. As with the first report, we used survey data, research, and interviews to obtain a detailed picture of cyber risks in these sectors. The sectors on which this report focuses — power, oil, gas, and water — may well be the first targets for a serious cyberattack.
What we found is that they are not ready. The professionals charged with protecting these systems report that the threat has accelerated — but the response has not. Cyberexploits and attacks are already widespread. Whether it is cybercriminals engaged in theft or extortion, or foreign governments preparing sophisticated exploits like Stuxnet, cyberattackers have targeted critical infrastructure.
We found accelerating threats and vulnerabilities. For the second year in a row, IT executives in the critical infrastructure sector told us that they perceive a real and growing cyberthreat. Denial-of-service attacks on energy networks increased. Extortion attempts were also more frequent in the CIP sectors. And hostile government infiltration of their networks achieved staggering levels of success.
Despite these vulnerabilities, many power companies are doubling down on the danger; they are implementing “smart grid” technologies that give their IT systems more control over the delivery of power to individual customers — or even to individual appliances in customers’ homes. Without better security, this increased control can fall into the hands of criminals or “hacktivists,” giving them the ability to modify billing information and perhaps even control which customers or appliances get electricity. But security is not a priority for smart grid designers, according to Woolsey, who two years ago chaired a group that published a report for the Department of Defense on grid vulnerabilities: ninety to ninety-five percent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check.
One of the more startling results of our research is the discovery of the constant probing and assault faced by these crucial utility networks. Some electric companies report thousands of probes every month. Our survey data lend support to anecdotal reporting that militaries in several countries have done reconnaissance and planning for cyberattacks on other nations’ power grids, mapping the underlying network infrastructure and locating vulnerabilities for future attack.
More than 40 percent of the executives we interviewed expect a major cyberattack within 12 months — an attack, that is, that causes severe loss of services for at least 24 hours, a loss of life or personal injury, or the failure of a company.
Until a couple of years ago, the threat of total infrastructure failure existed only in science fiction. Recently, however, the vulnerability of the physical equipment behind power grids, water utilities and other critical infrastructure was made perfectly clear by the spread of Stuxnet, which wreaked havoc on Iranian nuclear facilities. The malware (strictly a worm rather than a virus, though the distinction matters little here) physically destroyed the centrifuges used to enrich uranium by repeatedly driving them outside their safe operating speeds, all while the monitoring stations reported perfectly normal conditions.
The scary thing? Stuxnet wasn't confined to Iranian nuclear facilities:
Our data indicates that the Stuxnet virus did indeed have a global reach. Around 40 percent of respondents found Stuxnet on their computer systems. Stuxnet was more likely to appear in the electricity sector, where 46 percent of respondents found the malware.
Stuxnet was an extraordinary advance in sophistication over the kinds of malware used by the criminal underground. The Belarusian security firm that initially identified Stuxnet at first believed it to be a backdoor for hackers. But closer inspection revealed the complex nature of the virus. It features multiple exploits that were previously unknown, has Microsoft Windows driver modules that had been signed using genuine cryptographic certificates stolen from respectable companies, contains about 4,000 functions, and uses advanced anti-analysis techniques to render reverse engineering difficult. It is almost certainly the work of a government, not a criminal gang.
In fact, Stuxnet was the work of a government – reportedly two of them. Intelligence agencies in the United States and Israel are widely believed to be responsible for its creation.
What this shows is that advanced malware targets not just personal computers but highly specialized, purportedly secure control systems. Those who would attack the nation's infrastructure could take these systems down not for 24 hours, as a traditional denial-of-service attack might, but potentially for weeks or months, by running code that directly damages the physical equipment the control systems drive. A denial-of-service attack ends when the hostile traffic stops; a wrecked centrifuge, pump or transformer has to be replaced.
Imagine, for a moment, what such an attack on our water utility plants might look like. While the water quality readings that engineers watch on remote, internet-connected monitoring systems might look perfectly normal, malware could be at work behind the scenes, altering the dosing (or stopping the delivery) of treatment chemicals into an entire city's or region's water supply.
A similar attack could occur on the electrical grid, manipulating controls to overload vital transformers across the nation. Because much of this equipment is decades old, it could be pushed past its limits and destroyed, much as Iran's centrifuges were by the Siemens controllers that Stuxnet subverted. In such a scenario, repairs could take weeks or months: large transformers are built to order, few spares exist, and a widespread attack would quickly exhaust what spares there are.
There are roughly 150 oil refineries in the United States, and most of them are likely running similar hardware from a handful of well-known industrial vendors, so a single weakness would apply to many of them at once. Is it that much of a stretch to imagine a coordinated attack on these systems pushing pressures, temperatures and other controlled variables outside their safe limits – all while the engineers monitoring the systems notice nothing out of the ordinary? Such an attack, even if only partially successful, could cripple the entire country.
As infrastructure is further centralized, our exposure to potentially catastrophic events continues to increase. Not only is much of our nation's infrastructure hardware outdated, but the security of the newly integrated 21st-century smart grids is lax at best.
We’ve seen coordinated attacks on our stock trading systems. We’ve seen that high-security nuclear control systems can be compromised. We know that governments, cybercriminal extortion gangs, hackers and shadow intelligence agencies are actively developing malware and wargaming scenarios designed specifically to crush utility infrastructure on a national scale.
The threat is real. It is present. If such an attack were ever executed, there would be nothing emergency responders could do, especially in the case of a widespread, coordinated onslaught against the grid.