While governments, businesses, and individuals are all being targeted on an exponential basis, infrastructure is becoming a target of choice among both individual and state-sponsored cyber-attackers, who recognize the value of disrupting security systems that were previously thought of as impenetrable. This has served to demonstrate just how vulnerable cities, states, and countries have become and the growing importance of achieving global risk agility in the face of such a threat.

From Russia with Love

In December 2015, a presumed Russian cyber-attacker successfully seized control of the Prykarpattyaoblenergo Control Center (PCC) in the Ivano-Frankivsk region of Western Ukraine, leaving 230,000 people without power for up to 6 hours. This marked the first time that a cyber-weapon was successfully used against a nation's power grid. The attackers were skilled strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance. The control systems in Ukraine were surprisingly more secure than some in the United States, since they were well-segmented from the control center business networks with robust firewalls,¹ emphasizing just how vulnerable power systems are globally.

The PCC operated a common form of industrial control system known as a supervisory control and data acquisition (SCADA) system, which allows for remote controlling and monitoring of industrial processes—in this case, the distribution of electricity. The attackers overwrote firmware on critical devices at 16 substations, leaving them unresponsive to any remote commands from operators,² effectively leaving plant operators blind.

It now seems clear, given the degree of sophistication of the intrusion, that the attackers could have rendered the system permanently inoperable. The fact that they did not leads some in Ukraine to speculate that the attack was a message from Russia not to pursue pending power plant nationalization legislation, since some of those plants are owned by a powerful Russian oligarch with close ties to President Vladimir Putin.

Cats and Mice

The Ukraine example was hardly the first cyber-attack on a SCADA system. Perhaps the best known previous example occurred in 2003, though at the time, it was publicly attributed to a downed power line rather than a cyber-attack (the US government had decided that the "public" was not yet prepared to learn about such cyber-attacks). The Northeast (US) blackout that year caused 11 deaths and an estimated $6 billion in economic damages, having disrupted power over a wide area for at least 2 days. Never before (or since) had a "downed power line" apparently resulted in such a devastating impact. Subsequent to that attack, SCADA attacks occurred in the United Kingdom, Italy, and Malta, among others.³ According to the 2015 "Dell Security Annual Threat Report," cyber-attacks against SCADA systems doubled in 2014 to more than 160,000.

Cyber-attacks are difficult to prevent, given the relative ease with which hackers can find a single system vulnerability and the impossibility of plugging every conceivable security hole. Cyber-security professionals are, in essence, playing an endless game of cat and mouse, whereby a would-be attacker attempts to enter a system while security professionals attempt to defend a computer system from attack by applying continuous patches. The adversary then quickly moves to exploit the latest discovered vulnerability. That is why many computer security programs produce patches numerous times per day—even for home computers.

Cyber-Vigilance and the Need for More Resources

High profile cases of cyber-attack are increasingly becoming the norm. The US government had little difficulty finding evidence to assign blame (to China) for the theft of personal information of more than 22 million government employees from the computer systems of the Office of Personnel Management in 2015. Similarly, it did not take long for the United States to determine that North Korea was responsible for the cyber-attack against Sony in 2015. Cyber-attacks essentially give nations of all sizes, degrees of wealth, and resources a seat at the table of the super powers, affording them a disproportionate amount of clout. While China, the United States, and Russia lead the world in cyber-attacks, virtually every government engages in such attacks, and nearly every country has its share of computer hackers.

International treaties intended to address the problem have limited impact because of the inability to hold signatories accountable and the difficulty associated with accurately determining the identity of responsible actors. Enhanced information sharing, combined with a mandate to swiftly and accurately release information regarding attacks to impacted citizens, provide a sensible foundation for designing a protocol to effectively address future attacks, yet very few governments routinely engage in this practice.

Clearly, governments, businesses, and individuals must devote greater resources to becoming more cyber-vigilant, which means they must devote more resources toward anticipating and protecting against attacks. Governments and businesses also need to engage in more public-private partnerships in order to adequately address the issue. In February 2013, President Barack Obama issued Executive Order 13636 ("Improving Critical Infrastructure Cyber-Security"), which, among other things, called for the establishment of a voluntary risk-based cyber-security framework between the private and public sectors. This framework allows for all US government agencies, regardless of their size or cyber-security capability, to apply the best possible risk management practices in improving the security of critical infrastructure. The primary importance of this framework is that it allows for all those who voluntarily participate to adequately communicate and understand the risks, which is vital to achieving a functioning national and international cyber-security network.

The European Union will also finalize similar measures later this year as a critical first step in defending against cyber-attack. This measure, the "Network and Information Security Directive," forces member states to adopt more rigid cyber-security standards and creates an avenue for the 28 member states—and the operators of essential services, such as energy, transportation, and healthcare sectors—to communicate.⁴ Other nations are in the process of acting accordingly. However, no nation allocates sufficient resources to adequately respond to the increasing threat of a cyber-attack against critical infrastructure, nor does any nation have a truly comprehensive plan to prevent or meaningfully react to the outcome of such attacks.

Conclusion

In recent years, numerous forms of malware targeting SCADA systems have been identified, including Stuxnet, Havex, and BlackEnergy3.⁵ What these three forms of malware have in common is their ability to sneak through Industrial Control Systems undetected by exploiting the weakest link in the cyber defense network (people), posing as a legitimate email, or finding a back door in the SCADA system.^{6, 7} The power sector in particular has already demonstrated itself to be particularly vulnerable and must dedicate substantially more resources to closing back doors and training employees to avoid clicking on malicious files.

At the beginning of 2016, the US Department of Homeland Security issued a report downplaying future cyber-attacks against the US power grid, but, demonstrating the urgency of the problem, by the beginning of April, it joined forces with the FBI to commence a program warning utilities around the United States of the dangers of future cyber-attacks. A US Senate Committee on Homeland Security and Governmental Affairs hearing also recently discussed cyber-security of the power sector and identified the most pressing concern as the need to create post-attack plans to assist the affected populations. Governments around the world have plans in place to deal with the consequences of natural disasters, yet none have disaster relief plans for a downed power grid. Clearly, this must change. Local and state governments must work together with their national counterparts to produce and quickly implement plans to address future attacks. They are coming.

¹Kim Zetter, "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid," Wired, March 03, 2016, https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.

²Ibid.

³The Akamai Blog; "2003 Blackout: And Early Lesson in Planetary Scale?," blog entry by Bill Brenner, August 14, 2013, https://blogs.akamai.com/2013/08/2003-blackout-an-early-lesson-in-planetary-scale.html.

⁴The European Commission website; Cybersecurity; https://ec.europa.eu/digital-single-market/en/cybersecurity.

⁵The Fortinet Blog; "(Known) SCADA Attacks Over The Years," blog post by Ruchna Nigam, February 12, 2015, https://blog.fortinet.com/post/known-scada-attacks-over-the-years.

⁶Ibid.

⁷McAfee® Foundstone® Professional Services and McAfee Labs, "Global Energy Cyberattacks: 'Night Dragon,'" February 10, 2011, http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf.

*Daniel Wagner is CEO of Country Risk Solutions and co-author of the book "Global Risk Agility and Decision Making" (Macmillan, July 2016). Bailey Schweitzer, who assisted with this article, is a research analyst with CRS.