We've deployed SCADA systems as a cost-benefit measure to relieve the amount of personnel hours involved in routine dial-watching and gauge-measuring activities of critical infrastructure. Has it gone too far?

With all the recent counterintelligence (CI) discussion in the Cybercrime Corner, it is easy to lose track of the other CI – critical infrastructure. This CI includes financial institutions, the electrical grid, our transportation system and more.

This CI is important because without it, we can't get our food from the fields to the table, our sick to the hospitals, and keep our homes and offices heated and cooled. And this CI has become more vulnerable over time rather than less vulnerable.

Critical infrastructure: The other CI

  1. What makes critical infrastructure so vulnerable is its interconnection through the internet, which provides the single point of convergence between communication and commerce.
  2. Internet technology, which has been targeted by scripts written for profit (malware), has given rise to prolific cybercrime industries whose tools are easily repurposed toward cyberwarfare or cyberterrorism.
  3. Those repurposed attack tools can then be deployed on the very same network, the internet, on which SCADA systems are deployed. Instead of saving costs, we could now be providing a clear path toward total system collapse – power grid compromise.

Those who fail to learn from history are doomed to repeat it

The game-changing nature of malware in the kinetic world has become more than theoretical. Right now, internet-connected SCADA control systems are vulnerable and will continue to be so as long as they're connected. Unsurprisingly, this convergence has a historical parallel:

"The barbarian hordes which destroyed the Roman Empire used the road system which framed it to find their (unwitting) way right to its very heart," states Clive Alcock, a UK lawyer, writer and consultant on law enforcement / policing governance. "That convenient facility is what enabled them to destroy it, and likewise the Spanish Conquistadores to the Aztecs. The worldwide web is Western society's modern equivalent. The more we come to depend on its lines of communication for running infrastructure, the more it will become the overriding weakness of our civilisation."

Clive Alcock described an empire whose transportation and communication network of roads carried invaders quickly through previously impassable regions. His direct comparison may ring even more true as a cyberwarfare analogy.

Current cybercrime through malware, however, is not unlike the scourges of disease which could be conveyed over historic Roman or Mayan roads by commerce during peacetime. In fact, the anti-virus industry uses similar terms, such as 'quarantine,' 'virus' and 'outbreak.'

An additional historical comparison would examine the empires of Carthage, Rome and Greece, whose regimes fatally refused to acknowledge their era's game-changing threats and adapt accordingly. Whether through negligence or through denial, as the past 2,500 years of human history demonstrate, it seems to be human nature to fail to recognize a threat.

Even if the threat had been recognized, simply tearing up the empire's roads was not an option, just as completely disconnecting the internet is not an option today. What must be considered are individual solutions to high impact, low frequency (HILF) threats, along with the ever-present advanced persistent threats (APTs). The Stuxnet attack seems to cover both types of cyber threat, making it a strong contemporary topic of discussion.

Has STUXNET changed global HILF/APT policies?

Stuxnet has radically changed global perception of cyberwarfare. Part of Stuxnet's attack leveraged internet-connected SCADA vulnerabilities of critical infrastructure, as well as the internet itself as a transmission medium. Urban Schrott, IT security & cybercrime analyst at ESET Ireland, stated recently:

"...In fact, it's by no means unlikely that [Stuxnet] was put together by a team with a range of skills and backgrounds, not unlike the sort of multidisciplinary tiger team that is often put together to counter attacks."

SC Magazine's Editor-in-Chief Illena Armstrong recently commented on the impact of malware, like Stuxnet, in changing the current dynamic of cyberwarfare philosophy:

The fact is, when talk of cyberwar started a few years back, most cybersecurity pros gave it short shrift.

Really, the only thing we can conclude is that we've now entered a new phase in the information security industry, one where malware is “a weapon,” as one expert told SCMagazineUS.com recently, to be used not for financial gain but for war.

Bit9 CTO Harry Sverdlove concurs:

Advanced threats like Stuxnet are the new weapons of mass destruction. The enemy is organized and well trained. The attacks are better planned and more sophisticated. The targets and potential damage are quite frankly, just frightening.

We're not talking about receiving annoying pop-up messages or having your Facebook password stolen — we're talking about losing control of a nuclear power facility or an entire power grid.

Some sources have posited that a sufficient change in the game will require increased government participation in what was previously a civilian affair.

2011 – 2013: Increased federal/military involvement in critical infrastructure?

As the internet has sped up the deployment of SCADA software – replacing on-station systems engineers – the internet itself has become a critical infrastructure – an element like oxygen and water, necessary to sustain life itself, not just commerce.

Many sources have concluded that the next 12 months to three years could showcase an epoch-changing event. These sources, as Ms. Armstrong previously pointed out, have become increasingly public and increasingly high level. It's one thing when Richard Clarke [former counter-terrorism czar in the Clinton and Bush Administrations] says something. It may be another entirely when former CIA directors back him up.

From Aviation Week:

Former CIA director, James Woolsey, Jr., predicts the U.S. military cyberforces will be pulled into managing cyber-attack-triggered catastrophes just as they support large-scale natural disasters.

“It is not a Defense Department obligation to protect the national power grid,” Woolsey says.

“The problem is that nobody is responsible, at least nobody that is doing anything effective. We have an infrastructure that is privately owned and resists government regulation even on matters of security and safety.”

“I wager as the vulnerabilities of the grid [to cyberattack] become more apparent . . . there will be pressure in one way or another for the military to protect the power grid.”

Analysis: The perfect storm

Timing is everything. The science and psychology of warfare are built on creating or recognizing opportunities and then exploiting them. Stuxnet demonstrated the convergence between cybercrime and cyberwarfare:

The advanced persistent threat [APT]...is really no different than prolific crimeware that organizations have been facing for years.

This is the opinion of Jerry Dixon, director of analysis at Team Cymru, a nonprofit internet security research firm. Dixon spoke in a session Wednesday morning at SC World Congress in New York.

Former CIA Director Woolsey's forecast and other developments this year lead me to believe that between 2011 and 2013 conditions are perfect for a HILF event which could take out the foundation of all critical infrastructure: the power grid. This could take the form of a combined attack, such as a coordinated cyber and kinetic / electromagnetic (EMP) attack, or of a naturally occurring disaster, such as a massive solar flare combined with a more regional cyberattack.

While businesses need to prepare and drill for these scenarios, any large-scale event will also have several long-term results worth strategic consideration:

  1. When bad things happen to infrastructure, the military gets called in. One relevant historical reference for critical infrastructure is the Air Traffic Controller Strike of 1981, as well as the Coal Strike of 1902, in which then-President T. Roosevelt stated "National government represents . . . the interests of the public as a whole."
  2. With the current surge in military personnel consisting of enlisted cybersecurity professionals, any specific critical infrastructure sector impacted by a HILF should expect federalization faster than you could say FEMA.
  3. On a cost level, the wages of enlisted military specialists are far lower than those of IT specialists, meaning that if the security of critical infrastructure were federalized, it may stay that way for a long time.

I'm ambivalent about military control over any civilian assets and would love your opinion. What's the downside to having Cyber Command in charge of the NERC utility interconnected power grid when the risk could be total blackout with associated panic? Comments will be answered!

Related Articles:

  1. Keeping HILFs from crashing your party – SC Magazine
  2. October 2010: News from the Cyber Front - ESET
  3. I-95 Cybersecurity corridor expected to blossom – Federal News
  4. US airforce shifts 30000 troops to 'cyberwar front lines' – The Register
  5. Army To Establish Cyber Command HQ – The New New Internet
  6. DoD Cyber Command is officially online – Navy Times
  7. From Megatons to Megapings: Cyberwarfare – ESET ThreatBlog
  8. Cyberwarfare and Music: It's All Tempo – ESET ThreatBlog
  9. Cybercrime and Cyberwarfare: Warnings Unheeded? – ESET ThreatBlog
  10. Kinetic Warfare vs. Cyberwarfare – ESET ThreatBlog Feature
  11. What you can learn from Stuxnet - Cybercrime Corner