During a particularly harsh winter, a group of hacktivists spreads panic by bringing down the US power grid. Millions of homes and businesses are plunged into darkness, communications are cut, banks go offline, hospitals close and air traffic is grounded.
Such a scenario sounds apocalyptic, but it is a realistic threat, according to Idan Udi Edry, CEO at Nation-E, a provider of cybersecurity solutions that allow customers to connect their infrastructure to the Internet safely.
Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors.
As the US power grid scenario highlights, the failure of one critical infrastructure could result in a devastating chain reaction, says Edry.
Unsurprisingly, the vulnerability of critical infrastructure to cyberattacks and technical failures has become a big concern. And fears have been given credence by recent events.
In December 2015, the world witnessed the first known power outage caused by a malicious cyberattack. Three utilities companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours.
According to cybersecurity firm Trend Micro, the malware targeted the utility firms’ Scada (supervisory control and data acquisition) systems and probably began with a phishing attack.
The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyberattack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus.
The energy sector is one of the main targets of cyberattacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable.
In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Oil rigs, ships, satellites, airliners, airport and port systems are all thought to be vulnerable, and media reports suggest that breaches have occurred.
Cyberattacks against critical infrastructure and key manufacturing industries have increased, according to US cybersecurity officials at Industrial Control Systems Cyber Emergency Response Team (ICS-Cert), the US government body that helps companies investigate attacks against ICS and corporate networks.
It reported a 20% increase in cyber investigations in 2015, and a doubling of attacks against US critical manufacturing.
Over the years, a wide range of sectors have become more reliant on industrial control systems — such as Scada, programmable logic controllers (PLC) and distributed control systems — for monitoring processes and controlling physical devices, such as pumps, valves, motors and sensors.
The most high-profile example of a cyberattack against critical infrastructure is the Stuxnet computer virus. The worm, which targeted PLCs, disrupted the Iranian nuclear program by damaging centrifuges used to separate nuclear material.
The incident caused concern because Stuxnet could be adapted to attack the Scada systems used by many critical infrastructure and manufacturing industries in Europe and the US.
In one of the only public examples of a Scada attack, a German steel mill suffered major damage after a cyberattack forced the shutdown of a furnace, the German Federal Office for Information Security reported in 2014. The attackers used social engineering techniques to gain control of the blast furnace systems.
Cyberattacks against critical infrastructure and manufacturing are more likely to target industrial control systems than steal data, according to the Organisation of American States and Trend Micro.
Their research found that 54% of the 500 US critical infrastructure suppliers surveyed had reported attempts to control systems, while 40% had experienced attempts to shut down systems. Over half said that they had noticed an increase in attacks, while three-quarters believed that those attacks were becoming more sophisticated.
According to Edry, hackers are becoming much more interested in operational technology, the physical connected devices that support industrial processes. “The vulnerability and lack of knowledge of operational technology is the most dangerous thing today,” he says.
As an example, he cites a cyberattack against a New York City office block in which a hacker accessed the building management systems — which can control power, communications, security and environmental systems — via a connected vending machine. The building shutdown resulted in estimated damage of US$350m from lost business, he says.
However, the security of industrial control systems and connected devices has fallen behind that of IT systems. Many of the connected devices used by industry are based on serial communication technology — which Edry likens to the beeps and squeals associated with the old-style Internet dial-up.
Edry believes that operational technology is a vulnerable and poorly protected element of cybersecurity. While IT infrastructure has given rise to an army of cybersecurity consultants, products and services, industrial control systems by comparison are not well served, he says.
The problem is not about to go away. In fact, cyberattacks against physical operating technology look set to increase with the growing use of connected devices.
Internet of things
For example, the convergence of the digital and physical worlds is set to accelerate with the “Internet of things” (IoT), which will see more and more everyday devices embedded with electronics that collect information and connect to a network.
Consumer devices are increasingly becoming connected — such as wearable technology, smart devices, domestic appliances and children’s toys. So, too, are our homes and cars.
According to Edry, growing digitalisation and IoT could create a perfect cybersecurity storm.
He notes that, where a company would once have control over its systems, physical networks and servers, the trend has been to run devices, software and data through virtual networks, such as cloud computing. “Even the network is now off the network,” he says.
Confidence in data and systems security is key if society is to benefit from the potential efficiencies that IoT can bring. And public confidence is just as important for the Scada systems that keep aircraft in the air as it is for the IT platforms that underpin mobile banking.
For example, in the past year a number of airlines have suffered from technical issues and cyberattacks that erode consumer confidence.
Polish national airline LOT grounded planes in June 2015 after its flight plan system was disabled by hackers in a distributed denial of service attack. Weeks later, in July, United Airlines grounded its fleet after suffering a technical fault.
“The digital age is here. We can’t prevent it. It is becoming part of us. But we see news headlines of breach after breach. We are losing our confidence in the digital age,” says Edry.
He believes that more needs to be done to deter cyber criminals, and to protect operational technology.
The cost of creating a successful attack is small for cyber criminals, which is why there are now so many attacks, explains Edry.
“We have seen that as the cost of launching a successful attack has gone down, the number of attacks has risen. So we need to develop technology to increase the cost of successful attacks,” says Edry.
“We can’t stop 100% of attacks, but we can create technology to increase the cost so that the hacker says: ‘I don’t want to deal with this organization as it will cost me a lot of time and computer resource,” he says.
“If we can prevent the damage, it will incentivise insurers to offer higher limits and give customers more incentive to buy.”
- This article was originally published in financial services group Allianz’s Global Risk Dialogue magazine