The premise of a January 27, 2015, article by CNBC is that there is good evidence that a cyber attack against nearly any country’s critical infrastructure could be imminent. This kind of reporting has become commonplace, but this article doesn’t seem like just more FUD (fear, uncertainty, and doubt) journalism.
According to Eugene Kaspersky, CEO of global IT security firm Kaspersky Lab, the evidence supporting these claims is a dramatic uptick in targeted attacks against power grids, banks and transportation networks around the world. He told CNBC that “the worst terrorist attacks are not expected,” but he also points out that those targeting crucial infrastructure will inflict “very visible damage.”
Kaspersky recommends that every country audit its critical infrastructure in order of importance, with the most important and vulnerable being the power and energy sector. He also notes that governments need to appropriate the budget necessary to secure critical infrastructure over the next decade, implying that this threat isn’t going to be effectively mitigated anytime soon.
There have been a number of recent public disclosures that highlight the ongoing dangers connected with very real cybersecurity threats against critical infrastructure:
Physical Damage from Cyber Attack in Germany
Just before the end of 2014, amid all the noise about the Sony breach, Germany’s Federal Office for Information Security quietly issued its 2014 report. One of the incidents described was a successful attack that infiltrated the industrial controls at an unnamed German steel mill. The attack caused ‘massive’ damage by making it impossible to shut down a blast furnace.
Wired magazine cited a translation of the report, saying it appeared that “the hackers obtained access via a spearphishing attack” before quickly moving across a “multitude” of sensitive corporate networks. Who the hackers were, how long they were in the system, whether they intended to destroy the furnace and what, if any, other equipment they accessed all remain unclear.
Cyber Attackers Caused Pipeline Explosion in Turkey
A Bloomberg News article on December 10, 2014, highlighted just how destructive digital attacks can be. A recently disclosed 2008 targeted attack on the majority BP-owned Baku-Tbilisi-Ceyhan pipeline in Turkey caused an explosion with flames as high as 150 feet. At the time, Baku-Tbilisi-Ceyhan was thought to be one of the most secure pipelines in the world. Still, attackers infiltrated the pipeline through a wireless network, tampered with the systems, and caused severe physical damage.
In the U.S., there are millions of miles of pipelines that distribute everything from oil and hazardous liquids to natural gas and chemicals. Many of them are approachable above ground, calling their physical security into question. These same pipelines are unquestionably vulnerable to cyberattacks that can inflict the same kind of serious physical damage as physical attacks.
In a November 20, 2014, hearing for the House Intelligence Committee, NSA Director Admiral Michael Rogers said several foreign governments had already hacked into U.S. energy, water and fuel distribution systems, potentially damaging essential services, according to Bloomberg.
“This is not theoretical,” Rogers said. “This is something real that is impacting our nation and those of our allies and friends every day.”
DHS Warns U.S. Utility Was Hacked
In May 2014, the Department of Homeland Security and its Industrial Control Systems Cyber Emergency Response Team issued an ICS-CERT report warning of several known attacks against U.S. utilities in the first quarter of 2014. They cited details of one unnamed utility that had been breached and warned U.S. utilities to be on guard for intrusion activity. The complete article on this information is available here.
Cyber Threats Can Be Physical
Increasing cyber threat concerns are having an impact on critical infrastructure organizations because the physical implications have the potential to be catastrophic. Cybersecurity rated as the fourth-highest issue for energy executives in 2014, up from sixth place in 2013.
This shows dramatic progress; it was not even in the top ten concerns for utilities two years ago. According to the 2014 annual report from industry consultants Black & Veatch, conducted in May of 2014:
“We are seeing an industry that is actively moving forward with the deployment of comprehensive asset protection plans following several high-profile cyber and physical threat events.”
48% of Electric Utilities Surveyed Need Cyber Threat Protection
Still, a survey of electric utility representatives showed that 48% of respondents indicated they did not have integrated security systems with the “proper segmentation, monitoring and redundancies” needed for cyber threat protection. Only 32% said they had these protections in place.
Stronger Cybersecurity Standards for Electric Utilities Coming in the U.S.
A new set of cybersecurity standards from U.S. federal regulators will impose expanded requirements on U.S., Canadian, and some Mexican utilities, with more assets “in scope” as well as new and stricter security regulations that will help mitigate some of these cybersecurity threats. These new regulations are due to go into effect in April of 2016 for High and Medium Critical Cyber Assets, and utilities need to begin preparing to meet these requirements now.
Every proactive step toward protecting critical infrastructure is a move in the right direction, and there is no better time than now to begin.