Co-authored by Bailey Schweitzer
Despite the fact that cyber-attacks occur with greater frequency and intensity around the world, many either go unreported or are under-reported, leaving the public with a false sense of security about the threat they pose and the lives and property they impact. While governments, businesses and individuals are all being targeted at an exponential rate, infrastructure is becoming a target of choice among both individual and state-sponsored cyber-attackers, who recognize the value of disrupting what were previously thought of as impenetrable security systems. This has served to demonstrate just how vulnerable cities, states and countries have become, and the growing importance of achieving global risk agility in the face of such a threat.
From Russia with Love
In December 2015 a presumed Russian cyber-attacker successfully seized control of the Prykarpattyaoblenergo Control Center (PCC) in the Ivano-Frankivsk region of Western Ukraine, leaving 230,000 without power for up to 6 hours. This marked the first time that a cyber weapon was successfully used against a nation's power grid. The attackers were skilled strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance. The control systems in Ukraine were surprisingly more secure than some in the U.S., since they were well-segmented from the control center business networks with robust firewalls, emphasizing just how vulnerable power systems are globally.
The PCC operated a common form of industrial control system known as a supervisory control and data acquisition (SCADA) system, which allows for remote control and monitoring of industrial processes -- in this case the distribution of electricity. The attackers overwrote firmware on critical devices at 16 substations, leaving them unresponsive to any remote commands from operators and effectively leaving plant operators blind. It now seems clear, given the degree of sophistication of the intrusion, that the attackers could have rendered the system permanently inoperable. The fact that they did not leads some in Ukraine to speculate that the attack was a message from Russia not to pursue pending power plant nationalization legislation, since some of those plants are owned by a powerful Russian oligarch with close ties to Mr. Putin.
Cats and Mice
The Ukraine example was hardly the first cyber-attack on a SCADA system. Perhaps the best known previous example occurred in 2003, though at the time it was publicly attributed to a downed power line, rather than a cyber-attack (the U.S. government had decided that the 'public' was not yet prepared to learn about such cyber-attacks). The Northeast (U.S.) blackout that year caused 11 deaths and an estimated $6 billion in economic damages, having disrupted power over a wide area for at least two days. Never before (or since) had a 'downed power line' apparently resulted in such a devastating impact. Subsequent to that attack, SCADA attacks occurred in the UK, Italy and Malta, among others. According to Dell's 2015 Annual Security Report, cyber-attacks against SCADA systems doubled in 2014, to more than 160,000.
Cyber-attacks are difficult to prevent, given the relative ease with which hackers can find a single system vulnerability, and the impossibility of plugging every conceivable security hole. Cyber-security professionals are in essence playing an endless game of cat and mouse, whereby a would-be attacker attempts to enter a system while security professionals attempt to defend it by applying continuous patches. The adversary then quickly moves to exploit the latest discovered vulnerability. That is why many computer security programs produce patches numerous times per day - even for home computers.
Cyber-Vigilance and the Need for More Resources
High-profile cases of cyber-attack are increasingly becoming the norm. The U.S. government had little difficulty finding evidence to assign blame (to China) for the theft of personal information of more than 22 million government employees from the computer systems of the Office of Personnel Management in 2015. Similarly, it did not take long for the U.S. to determine that North Korea was responsible for the cyber-attack against Sony in 2015. Cyber-attacks essentially give nations of all sizes, degrees of wealth and resources a seat at the table of the superpowers, affording them a disproportionate amount of clout. While China, the U.S. and Russia lead the world in cyber-attacks, virtually every government engages in such attacks, and nearly every country has its share of computer hackers.
International treaties intended to address the problem have limited impact because of the inability to hold signatories accountable and the difficulty associated with accurately determining the identity of responsible actors. Enhanced information sharing, combined with a mandate to swiftly and accurately release information regarding attacks to impacted citizens, provides a sensible foundation for designing a protocol to effectively address future attacks, yet very few governments routinely engage in this practice.
Clearly, governments, businesses and individuals must devote greater resources to becoming more cyber-vigilant, which means they must devote more resources toward anticipating and protecting against attacks. Governments and businesses need to also engage in more public-private partnerships in order to adequately address the issue. In 2013, President Obama issued Executive Order 13636 ("Improving Critical Infrastructure Cyber-security") which, among other things, called for the establishment of a voluntary risk-based cyber-security framework between the private and public sectors. This framework allows for all U.S. government agencies, regardless of their size or cyber-security capability, to apply the best possible risk management practices in improving the security of critical infrastructure. The primary importance of this framework is that it allows for all those who voluntarily participate to adequately communicate and understand the risks, which is vital to achieving a functioning national and international cyber-security network.
The European Union will also finalize similar measures later this year as a critical first step in defending against cyber-attack. This measure, the "Network and Information Security Directive", forces member states to adopt more rigid cyber-security standards, and creates an avenue for the 28 member states -- and the operators of essential services such as the energy, transportation, and healthcare sectors -- to communicate. Other nations are in the process of acting accordingly. However, no nation allocates sufficient resources to adequately respond to the increasing threat of a cyber-attack against critical infrastructure, nor does any nation have a truly comprehensive plan to prevent or meaningfully react to the outcome of such attacks.
In recent years numerous forms of malware targeting SCADA systems have been identified, including Stuxnet, Havex, and BlackEnergy3. What these three forms of malware have in common is their ability to sneak through industrial control systems undetected, by exploiting the weakest link in the cyber defense network (people), by posing as a legitimate email, or by finding a back door in the SCADA system. The power sector, in particular, has already demonstrated itself to be particularly vulnerable, and must dedicate substantially more resources to closing back doors and training employees to avoid clicking on malicious files.
At the beginning of 2016, the U.S. Department of Homeland Security issued a report downplaying future cyber-attacks against the U.S. power grid, but, demonstrating the urgency of the problem, by the beginning of April, it joined forces with the FBI to commence a program warning utilities around the U.S. of the dangers of future cyber-attacks. A U.S. Senate Committee on Homeland Security and Governmental Affairs hearing also recently discussed cyber-security of the power sector and identified the most pressing concern as the need to create post-attack plans to assist the affected populations. Governments around the world have plans in place to deal with the consequences of natural disasters, yet none have disaster relief plans for a downed power grid. Clearly, this must change. Local and state governments must work together with their national counterparts to produce and quickly implement plans to address future attacks. They are coming.
*Daniel Wagner is CEO of Country Risk Solutions and co-author of the book "Global Risk Agility and Decision Making". Bailey Schweitzer is a research analyst with CRS.