Despite the fact that cyber-attacks occur with greater frequency and
intensity around the world, many either go unreported or are underreported,
leaving the public with a false sense of security about the threat they pose
and the lives and property they impact.
While governments, businesses, and individuals are all being targeted at an
exponential rate, infrastructure is becoming a target of choice for both
individual and state-sponsored cyber-attackers, who recognize the value of
disrupting security systems that were previously thought to be impenetrable.
This has served to demonstrate just how vulnerable cities, states, and
countries have become and the growing importance of achieving global risk
agility in the face of such a threat.
From Russia with Love
In December 2015, a presumed Russian cyber-attacker successfully seized
control of the Prykarpattyaoblenergo Control Center (PCC) in the
Ivano-Frankivsk region of Western Ukraine, leaving 230,000 people without power
for up to 6 hours. This marked the first time that a cyber-weapon was
successfully used against a nation's power grid. The attackers were skilled
strategists who carefully planned their assault over many months, first doing
reconnaissance to study the networks and siphon operator credentials, then
launching a synchronized assault in a well-choreographed dance. The control
systems in Ukraine were surprisingly more secure than some in the United
States, since they were well-segmented from the control center business
networks with robust firewalls,[1] emphasizing just
how vulnerable power systems are globally.
The PCC operated a common form of industrial control system known as a
supervisory control and data acquisition (SCADA) system, which allows for
remote control and monitoring of industrial processes—in this case, the
distribution of electricity. The attackers overwrote firmware on critical
devices at 16 substations, leaving them unresponsive to any remote commands
from operators,[2] effectively leaving plant
operators blind.
It now seems clear, given the degree of sophistication of the intrusion,
that the attackers could have rendered the system permanently inoperable. The
fact that they did not leads some in Ukraine to speculate that the attack was a
message from Russia not to pursue pending power plant nationalization
legislation, since some of those plants are owned by a powerful Russian
oligarch with close ties to President Vladimir Putin.
Cats and Mice
The Ukraine example was hardly the first cyber-attack on a SCADA system.
Perhaps the best known previous example occurred in 2003, though at the time,
it was publicly attributed to a downed power line rather than a cyber-attack
(the US government had decided that the "public" was not yet prepared
to learn about such cyber-attacks). The Northeast (US) blackout that year
caused 11 deaths and an estimated $6 billion in economic damages, having
disrupted power over a wide area for at least 2 days. Never before (or since)
had a "downed power line" apparently resulted in such a devastating
impact. Subsequent to that attack, SCADA attacks occurred in the United
Kingdom, Italy, and Malta, among others.[3] According
to the 2015 "Dell Security Annual Threat Report," cyber-attacks
against SCADA systems doubled in 2014 to more than 160,000.
Cyber-attacks are difficult to prevent, given the relative ease with which
hackers can find a single system vulnerability and the impossibility of
plugging every conceivable security hole. Cyber-security professionals are, in
essence, playing an endless game of cat and mouse, whereby a would-be attacker
attempts to enter a system while security professionals attempt to defend a
computer system from attack by applying continuous patches. The adversary then
quickly moves to exploit the latest discovered vulnerability. That is why many
computer security programs produce patches numerous times per day—even for home
computers.
Cyber-Vigilance and the Need for More Resources
High-profile cases of cyber-attack are increasingly becoming the norm. The
US government had little difficulty finding evidence to assign blame (to China)
for the theft of personal information of more than 22 million government
employees from the computer systems of the Office of Personnel Management in
2015. Similarly, it did not take long for the United States to determine that
North Korea was responsible for the cyber-attack against Sony in 2015.
Cyber-attacks essentially give nations of all sizes, degrees of wealth, and
resources a seat at the table of the super powers, affording them a
disproportionate amount of clout. While China, the United States, and Russia
lead the world in cyber-attacks, virtually every government engages in such
attacks, and nearly every country has its share of computer hackers.
International treaties intended to address the problem have limited impact
because of the inability to hold signatories accountable and the difficulty
associated with accurately determining the identity of responsible actors.
Enhanced information sharing, combined with a mandate to swiftly and accurately
release information about attacks to affected citizens, provides a sensible
foundation for designing a protocol to address future attacks effectively, yet
very few governments routinely engage in this practice.
Clearly, governments, businesses, and individuals must devote greater
resources to becoming more cyber-vigilant, which means they must devote more
resources toward anticipating and protecting against attacks. Governments and
businesses also need to engage in more public-private partnerships in order to
adequately address the issue. In February 2013, President Barack Obama issued
Executive Order 13636 ("Improving Critical Infrastructure
Cyber-Security"), which, among other things, called for the establishment
of a voluntary risk-based cyber-security framework between the private and
public sectors. This framework allows for all US government agencies,
regardless of their size or cyber-security capability, to apply the best
possible risk management practices in improving the security of critical
infrastructure. The primary importance of this framework is that it allows for
all those who voluntarily participate to adequately communicate and understand
the risks, which is vital to achieving a functioning national and international
cyber-security network.
The European Union will also finalize similar measures later this year as a
critical first step in defending against cyber-attack. This measure, the
"Network and Information Security Directive," forces member states to
adopt more rigid cyber-security standards and creates an avenue for the 28
member states—and the operators of essential services, such as energy,
transportation, and healthcare sectors—to communicate.[4] Other nations are in the process of acting accordingly.
However, no nation allocates sufficient resources to adequately respond to the
increasing threat of a cyber-attack against critical infrastructure, nor does
any nation have a truly comprehensive plan to prevent or meaningfully react to
the outcome of such attacks.
Conclusion
In recent years, numerous forms of malware targeting SCADA systems have been
identified, including Stuxnet, Havex, and BlackEnergy3.[5] What these three forms of malware have in common is their
ability to sneak through Industrial Control Systems undetected by exploiting
the weakest link in the cyber defense network (people), posing as a legitimate
email, or finding a back door in the SCADA system.[6, 7] The power sector in particular
has already demonstrated itself to be particularly vulnerable and must dedicate
substantially more resources to closing back doors and training employees to
avoid clicking on malicious files.
At the beginning of 2016, the US Department of Homeland Security issued a
report downplaying future cyber-attacks against the US power grid, but,
demonstrating the urgency of the problem, by the beginning of April, it joined
forces with the FBI to commence a program warning utilities around the United
States of the dangers of future cyber-attacks. A US Senate Committee on
Homeland Security and Governmental Affairs hearing also recently discussed
cyber-security of the power sector and identified the most pressing concern as
the need to create post-attack plans to assist the affected populations.
Governments around the world have plans in place to deal with the consequences
of natural disasters, yet none have disaster relief plans for a downed power
grid. Clearly, this must change. Local and state governments must work together
with their national counterparts to produce and quickly implement plans to
address future attacks. They are coming.
*Daniel Wagner is CEO of Country Risk Solutions and co-author of the book
"Global Risk Agility and Decision Making"
(Macmillan, July 2016). Bailey Schweitzer, who assisted with this article, is a
research analyst with CRS.