The Growing Cybersecurity Threat to Critical Infrastructure

April 4, 2016

Secure Halo

In March 2016 the United States Justice Department charged seven hackers tied to the Iranian government over their alleged involvement in a series of cyberattacks on banks, as well as a 2013 intrusion into the Bowman Avenue Dam, located about 30 miles north of New York City near the town of Rye, NY.  After gaining access to the dam's control system, the intruder was able to read operational information such as water level, temperature and the status of the sluice gate, which controls water levels and flow rates.

The attackers would have been able to operate the dam's gate had it not been disconnected from the facility's computer network for maintenance at the time of the intrusion.  That disconnection, not any security control, is what eliminated their ability to cause disruption by remotely altering equipment settings or the gate position.  The attackers did not compromise any of the dam's operational technology.

But how close a call was this?  Is it a sign of things to come, or, as U.S. Senator Chuck Schumer (D-NY) put it, "a shot across the bow," a harbinger of future cyber sabotage that could cause death or even a cascading failure of the power grid?  In January 2016, the U.S. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that bad actors are "gaining more and more access to [these targets'] control system layer."

Why Critical Infrastructure is a Target

Through Executive Order 13636, President Obama defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

There are 16 critical infrastructure sectors, which among others, include transportation systems, power generation, telecommunications, water supply, financial services, government and public safety, and food production and distribution.  It’s clear why targeting these sectors would be appealing to hackers with bad intentions.

Industrial control systems are targeted by nation-states, criminal hackers and malicious insiders just as traditional IT environments are.  These actors understand that the health and prosperity of any country rests on functioning infrastructure.  Disrupting or damaging these essential backbones therefore lets an act of sabotage have maximum impact.

Vulnerabilities of Industrial Controls

These actors also likely understand the inherent vulnerabilities of these environments.  They know that security problems with control systems are made worse by asset owners' need to keep their systems running at all costs.  Why?  Take the simple example of an electric utility: any activity that could inadvertently cause a system failure for any length of time (here, the inability to transmit and distribute power) is simply anathema.

Such a disruption would mean lost revenue for the electricity provider, reputational damage and possibly regulatory penalties as well.  That reality helps explain the historical resistance of these operators to basic cybersecurity hygiene such as patching, which in control environments typically requires vendor validation and a scheduled outage, and which has a reputation for introducing performance glitches and stubborn bugs.

Nefarious actors also understand one other reality of industrial control system environments: they do not get replaced for years.  Some reports put the lifespan of an average control system at two decades.  Compare that to the standard desktop or laptop PC most of us replace every 3-5 years.  Many of the field protocols these legacy systems speak, such as Modbus and the basic form of DNP3, carry no authentication at all, so any host that can reach a controller on the network can read from it or issue commands to it.  With decades-old systems running insecure protocols on flat architectures, it is easy to see why control systems are so attractive to attackers and why the cybersecurity of these industrial environments is finally getting the attention it deserves.
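To make the "insecure protocols" point concrete, the following is an added example (not code from the original article or from Secure Halo) that decodes Modbus/TCP request frames and runs a simple passive check over them.  Modbus is used here as a representative unauthenticated ICS protocol; the article does not name one, so that choice, the IP addresses, the allowlist and the sample frames are all assumptions constructed for illustration.  The parser shows that nothing in the frame identifies or authenticates the sender, and the audit function shows the kind of allowlist-based detection a plant network monitor can apply as a result.

```python
"""Parse Modbus/TCP frames and flag write commands from unexpected hosts.

Modbus/TCP is used as a representative unauthenticated ICS protocol; the
article does not name a specific protocol, so that choice is an assumption
of this example.  All frames, IP addresses and the allowlist below are
constructed for illustration, not captured from a real network.
"""
import struct
from typing import List, NamedTuple, Set, Tuple

# MBAP header: transaction id, protocol id (always 0), length, unit id.
# Nothing in the header or the PDU that follows carries a credential,
# nonce or signature: whoever can reach TCP/502 can send any request.
MBAP = struct.Struct(">HHHB")

WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


class ModbusFrame(NamedTuple):
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP request frame (MBAP header + PDU)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The length field counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(tid, unit, frame[MBAP.size], frame[MBAP.size + 1:])


def decode_write_single_register(frame: ModbusFrame) -> Tuple[int, int]:
    """Return (register address, value) from a function-code-6 request."""
    if frame.function_code != 6 or len(frame.data) != 4:
        raise ValueError("not a well-formed Write Single Register request")
    return struct.unpack(">HH", frame.data)


def audit_writes(flows: List[Tuple[str, str, bytes]],
                 allowed_writers: Set[str]) -> List[str]:
    """Passive check: only known engineering/HMI hosts should write to PLCs.

    Because the protocol itself cannot tell an operator from an intruder,
    the source address is the only signal a monitor has to go on.
    """
    alerts = []
    for src, dst, raw in flows:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed frame ({exc})")
            continue
        if f.function_code in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst}: {WRITE_FUNCTIONS[f.function_code]} "
                f"(fc={f.function_code}) from host not on the write allowlist"
            )
    return alerts


# Constructed sample traffic (hypothetical addresses, not captured data):
#  - an HMI writing value 1 to holding register 0x0010 on unit 1
#  - a historian reading 10 holding registers (function code 3)
#  - an unknown host issuing the identical write as the HMI
WRITE_REG_10 = b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"
READ_REGS = b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.2.20", WRITE_REG_10),    # HMI, on the allowlist
    ("10.1.1.9", "10.1.2.20", READ_REGS),       # historian, read only
    ("192.0.2.77", "10.1.2.20", WRITE_REG_10),  # unknown host, same write
]
ALLOWED_WRITERS = {"10.1.1.5"}

if __name__ == "__main__":
    for line in audit_writes(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(line)
```

Note that the two write frames are byte-for-byte identical; only the source address differs.  That is the whole problem in miniature: the controller will execute either one, so the network segmentation and monitoring around it have to do the job the protocol cannot.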

Victimized Entities to Date

But besides the Bowman Avenue Dam and the widely publicized Stuxnet worm, discovered in 2010, which caused the physical destruction of an estimated 1,000 Iranian centrifuges, are there other examples of targeted attacks against control system environments?  Sadly, the answer is yes.

They are:

Ukraine Power Grid Attack: In December 2015, as many as 225,000 customers in western Ukraine lost power for up to six hours after the Russian hacking group Sandworm targeted the Prikarpattiaoblenergo electric company and the grid it operated.  The BlackEnergy 3 malware was used to gain a foothold in the utility's network; the outage itself was caused by the attackers opening breakers through the operators' own remote-access and HMI tools.

German Steel Mill Attack:  In December 2014, the annual report of the German Federal Office for Information Security (BSI) described a cyber attack on an unnamed steel mill in Germany.  The attackers reportedly used social engineering and spear-phishing to gain access to the mill's office IT network and from there moved into its operational technology environment.  According to the report, individual control components failed, a blast furnace could not be shut down in a controlled manner, and the plant suffered massive physical damage.

Metcalf Sniper Attack:  In April 2013, a coordinated sniper attack on a PG&E Corporation substation near San Jose, California disabled 17 transformers and caused approximately $15 million in damage.  It was initially suspected to be terrorism because it occurred the day after the Boston Marathon bombing, but the FBI later ruled that out.  The incident elevated the importance of physical security at critical sites and led the Federal Energy Regulatory Commission to order mandatory physical security standards for critical U.S. transmission substations.

U.S. Railway Company Hack:  In December 2011, the U.S. Transportation Security Administration reported that "hackers, possibly from abroad, executed an attack on a Northwest rail company's computers that disrupted railway signals for two days."  According to news reports, the investigation found that the intruders had reached the system from three IP addresses but did not identify the countries from which the attacks may have originated.

Turkish Oil Pipeline:  In 2008, a section of the Baku-Tbilisi-Ceyhan oil pipeline near the city of Erzincan exploded.  Reporting in 2014 cited western intelligence sources who attributed the blast to hackers rather than to a technical malfunction or to Kurdish separatists, as originally reported.  According to that reporting, the attackers disabled alarms, cut off communications and over-pressurized the crude oil in the line to the point of deliberately triggering the explosion.  That attribution has since been questioned by some researchers.

Australian Water and Sewage System Attack:  In late October 2001, an Australian man who had worked for the contractor that installed the plant's SCADA system was sentenced to a two-year prison term for a 2000 cyber attack on a sewage treatment system in Maroochy Shire, Queensland, Australia.  Using radio equipment to issue commands to the pumping stations, he caused the release of millions of liters of untreated sewage into local parks, waterways and the grounds of a hotel.  It remains the canonical example of the insider threat to control systems.

Important Steps to Confront Threats to Critical Infrastructure

What can critical infrastructure businesses do to address the risk of cyber attacks?  There are three first steps:

  1. As with vulnerabilities in traditional IT environments, first identify all risks through a holistic cyber assessment that covers both the IT and the operational technology environments.
  2. Once risks are identified, manage them by building a strong cybersecurity culture: set cybersecurity goals, adopt best practices, and implement (and enforce) policies and procedures covering all aspects of enterprise risk management.
  3. Consider transferring residual risk through insurance, which can help absorb the financial consequences of an attack.

While federal authorities continue to pursue identified attackers, critical infrastructure businesses can proactively find and fix vulnerabilities, and mitigate risk.

For more information on cyber insurance and to learn more about Secure Halo’s cyber assessment support to U.S. critical infrastructure, please contact Secure Halo or our partners at McGriff, Seibels & Williams, Inc.
