What keeps Michael Chertoff up at night?
The former Secretary of the U.S. Department of Homeland Security (DHS) from 2005 through 2009 recently told a Wall Street Journal cybersecurity conference audience, “A significant, destructive attack against critical infrastructure. That would probably be an act of war.”
European Union member states agree, recently drafting a diplomatic document that states serious cyber attacks by foreign nations could be construed as an act of war.
As malicious cyberattacks up the ante in wreaking havoc, natural targets will hit modern life’s necessities (e.g., energy, health, financial, transportation, food supply, water, military, communications, etc.).
A 2013 executive order from President Obama defined “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. (See sidebar for 16 critical infrastructure sectors.)
Former TV news anchor Ted Koppel in November 2015 published a book, Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, predicting an imminent assault. Like clockwork, less than a month later Russia purportedly knocked out 30 Ukranian power grid substations, leaving residents without power for up to six hours. The attack gave concrete evidence that critical infrastructure can and will be targeted strategically.
In March 2016, John Carlin, then assistant general in the national security division of the U.S. Justice Department, announced charges against seven Iranians from the Islamic Revolutionary Guards Corps for conducting over 150 days coordinated DDoS attacks dating back to December 2011 against 25 U.S. financial-sector targets, including the New York Stock Exchange, as well as AT&T in August 2012.
Lloyd’s of London last year estimated with risk-modeling firm Cyence that a major global cyber attack could trigger $53 billion in financial losses. Last May’s WannaCry ransomware attack caused losses of $8 billion.
Whereas ransomware, phishing or DDoS schemes – often working in tandem as a perfect storm – in recent years appeared to be the handiwork of criminal elements focused on financial gain, “threat actors [now] seem more motivated by a desire to create disruptive effects,” notes Chris Duvall, director of The Chertoff Group (TCG), headed by the aforementioned former DHS chief, adding that “nuke-ware” attacks appear to be the work of nation-states.
Consider the cyberattack on the City of Atlanta. A ransomware attack bearing the markings of SamSam was responsible for outages in Atlanta’s computer systems in late March.
The city issued a statement confirming that computers were “experiencing outages on various internal and customer facing applications, including some applications that customers use to pay bills or access court-related information.”
While the city’s transit system, MARTA, has had some issues, according to an 11Alive News report, the area’s busy Hartsfield-Jackson Atlanta International Airport, had not been hit nor had the 911 and dispatch systems.
“MARTA is currently experiencing a technical outage impacting MARTA Bid, Breeze Card, Reduced Fare and the MARTA On-the-Go sites,” MARTA tweeted at the time.
The motive remained unclear but the ransom demand seemed low – “$6,800 per unit, or $51,000 to unlock the entire system,” according to the 11Alive News report – so financial gain might not have been the impetus.
Government and private sector cooperation in sharing threat information is heightened since “industry owns most critical information assets,” notes Al Johnson, TCG senior analyst.
Improved communication between the public and private sectors is “better than where it was but nowhere near where it needs to be given what the threats are,” according to Carlin, now a Washington, DC-based partner with the law firm Morrison & Foerster, chairing its global risk and crisis management practice.
The government’s collection and classification of threat information makes it very difficult to share, he adds.
The New York Power Authority (NYPA), the nation’s largest state-owned utility network, “monitors all threats foreign and domestic with the help of the industry and our state and federal partners,” Kenneth Carnes, chief information security officer of NYPA, which oversees 16 power plants covering more than 1,400 circuit miles of transmission lines. “NYPA faces daily risk from attackers and those that would like to cause impact to our way of life,” Carnes says.
An Oct. 2017 report from the U.S. Computer Emergency Readiness Team (US-CERT), states: “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict.”
The US-CERT report followed another a few months earlier from the DHS and the Federal Bureau of Investigation that hackers since May had penetrated nuclear power stations and other energy facilities.
A year ago, NYPA launched its monitoring Integrated Smart Operations Center (iSOC) “to catalyze intelligence, threats and digital information order to reduce risk or impact to our operations.”
U.S.-based utilities must comply with Critical Infrastructure Protection (CIP) requirements from standards issued by North American Reliability Corporation, notes Carnes.
“These standards adopt a risk-based approach that begins with an inventory of critical assets and cyber systems,” he explains, “and attaches a comprehensive set of protective measures encompassing security management controls, personnel and training, electronic security perimeters, physical security for cyber systems including incident reporting, response planning, and recovery.”
Critical infrastructure entities, especially power plants, oil and gas refineries, telecommunications, transportation, and water and waste control facilities, often utilize a software application program called SCADA (supervisory control and data acquisition) for process control and the remote gathering of real-time data in multiple locations order to control equipment and conditions.
“SCADA systems are the key for critical infrastructure,” notes Carlin. He notes, however, “Critical infrastructure was not really designed to be connected to the Internet.”
The same Iranian attackers charged in March 2016 by the DOJ for the financial-sector DDoS attacks also hacked into the Bowman Avenue Dam in Rye, NY, he says. At the time of the Bowman attack the dam, which was designed for flood control, was down for physical maintenance. “Our cybersecurity defense shouldn’t be that the dam isn’t working,” Carlin says.
(It apparently goes both ways. Iran’s nuclear capability was reportedly slowed down as the result of the U.S. and Israel in 2010 sending “Stuxnet” malware to the country’s military and civilian infrastructure, widely regarded as the first nation-state attack on infrastructure with the aim of causing real-world damage.)
David Venable, vice president of cybersecurity at Dallas-based security firm Masergy Communications and a former National Security Agency intelligence collector, is aware of a U.S. dam that could have been raised or lowered via the Internet without even using credentials.
When law enforcement informed the facility, Venable says “their reaction was ‘Why would anyone want to do that?’” He adds cybersecurity education has improved some, and Industrial Control System (ICS) technology is available for critical infrastructure facilities to detect what a normal environment is supposed to look like vs. an abnormal one.
“The likelihood of these kinds of attacks occurring is small,” comments McAfee chief scientist Raj Samani. “You count them on one hand, if not two. For me it’s about tempering the fear, recognizing the vulnerabilities, and putting those control points in place in the event these systems are targeted.”
The challenge is bridging critical infrastructure’s the IT (information technology) and OT (operations technology) environments, which have traditionally been isolated from each other. “Securing the OT environment is very different from securing the IT environment,” notes Samani, citing full connectivity between the two environments in required for so-called “digital oil fields” with energy obviously being a target. A physical plant manager who understands IT is rare, points out Samani.
“There are fundamental differences how we do things,” he notes, adding that
halting production at a car plant for a security software update is foreign to a non-IT environment. “You’re going to literally shut down the factory,” Samani says. “The likelihood to find a maintenance window is limited. The second you shut down the production, the company stops making money.”
Manufacturers that work with automation vendors, advises Samani, should test whether a patch being applied doesn’t impact its software. “That’s a different type of scenario that you would face in an IT environment, where putting in for an emergency update is fairly straight-forward,” he adds, noting financial, legal and healthcare entities are used to abiding by confidentiality and integrity regulations, unlike perhaps the manufacturing sector.
“Fundamentally, if you’re in a critical infrastructure environment you need to make sure the systems are available 24/7,” Samani says.
Critical infrastructure machinery becomes even more vulnerable, notes Carlin, as a result of Internet of Things (IoT) extending the surface area for potential attacks.
He cites the coordinated October 2016 DDoS attacks, which brought down more than a dozen prominent websites, including Twitter, Spotify, Netflix, Airbnb and Amazon, as an example of security weaknesses easily exploited with Mirai IoT botnet ransomware.
Devices infected included digital cameras, routers, DVRs, printers, residential gateways and baby monitors. Venable notes that Dyn attack “effectively brought the Internet down for a large number of people, and if you turn that towards critical infrastructure that could do a lot of damage.”
Terrorists can also exploit IoT weaknesses, points out Carlin, citing the July 2016 truck attack in Nice, France by an ISIS sympathizer who killed 86 people and 458 others. The attorney asks rhetorically, “What would happen if they turned a whole series of trucks at once into weapons?” Furthermore, self-driving vehicles need to be secure, he adds.
Meanwhile, Germany’s Federal Network Agency last year found that the “My Friend Cayla” Internet-connected, talking doll could be used for illegal espionage.
“I would argue there’s a misguided saying that code doesn’t explode, especially within the international relations community in regard to cyberattacks causing impact to infrastructure,” sums up Venable.