On the evening of December 23 last year, an electricity blackout left half of all homes in the Ivano-Frankivsk region of Ukraine without power. According to reports, 103 cities were completely blacked out and another 187 were plunged into partial darkness. Notable not only for its size, the incident was important as it was the first recorded blackout in history to be triggered by a cyber attack.
As the emphasis among the hacking community shifts onto physical infrastructure, attacks like the one in Ukraine are especially significant – not just for those living in the immediate vicinity, but for society at large. “It’s a milestone because we’ve definitely seen targeted destructive events against energy before – oil firms, for instance – but never the event which causes the blackout,” said John Hultquist, Head of iSIGHT’s Cyber Espionage Intelligence Practice, in an interview with Ars Technica. “It’s the major scenario we’ve all been concerned about for so long.”
Most worrying of all is that the situation has confirmed many people’s fears about critical infrastructure and its susceptibility to cyber attacks. The case in point is proof enough that the threat from cyber attacks does not exist in some far-off future, but here and now. For companies, the fear is that in an already fragile environment, cyber attacks could disrupt business as usual just as easily as, for example, climate change or geopolitical instability. Effectively, what we’re seeing here are security issues that stretch far beyond the realm of finance or privacy, and threaten to disrupt everyday processes, both on a national and international front.
Emerging technologies have revolutionised critical infrastructure, yet they have also introduced the potential for critical vulnerabilities. Matt Devost, Co-Founder and CEO of cyber risk management company FusionX, told World Finance that these technologies are being developed and deployed without a thought for security being included in the design process. For example, the attack surface has increased significantly with the universal adoption of SCADA and ICS systems.
The threat from cyber attacks does not exist in some far-off future, but here and now
“There is no doubt that this hyperconnectivity is a powerful development tool and opportunity for growth for governments, business and individuals alike – a tool that must remain open and accessible despite the inherent risks,” said Adam Blackwell, Secretary for Multidimensional Security for the Organisation of American States, in a recent report. “The challenge lies in our ability to balance and manage these risks for the foreseeable future.”
Defined by the Department of Homeland Security as any one of 16 industries “whose assets, systems and networks, whether physical or virtual, are considered so vital… that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety”, any threat to critical infrastructure is a threat to the population at large.
A growing threat
Fortunately or unfortunately, developments in the modern world are such that critical infrastructure is becoming increasingly connected, and it’s not inconceivable to suggest that a well-orchestrated cyber attack could cripple essential public services. “This perfect storm of current and emerging technology coupled with a wider array of sophisticated attackers has put critical infrastructure at significant risk, and deliberate and thoughtful cyber risk management approaches are needed to shore up our defences and ensure attacks are quickly detected and mitigated”, said Devost.
While this wave of hyper-connectivity has benefitted host communities, it has given rise to new vulnerabilities, and ones that require a new type of defence – that is, if the economy hopes to escape unscathed. According to a recent McAfee report: “In an ever-more networked world, the cyber vulnerabilities of critical infrastructure pose challenges to governments and owners and operators in every sector and across the globe.”
Oil and gas pipelines, water distribution networks and electric power grids are all essential services that today rely on the internet as much as any manual system. And though the advantages number in the many, so do the challenges.
As Tripwire noted recently, 48 percent of US utility providers said they were in need of additional cyber protection, whereas 20.1 percent said they just “didn’t know” – something that is, in itself, cause for concern. These responses align with research to show that the prevalence and sophistication of these attacks is on the up, and as the warnings get all the more severe, organisations are beginning to put in place technologies and procedures to limit the damage.
Improving systems accordingly
Doubters need only look to December 2014, when the German Government released evidence to suggest that hackers had infiltrated the industrial controls of a steel mill, to see that cyber attacks can inflict massive damage on critical infrastructure. Another report, published by ESG, shows that, of a sample of critical infrastructure organisations, 68 percent claimed they had been subject to one or more cyber security incidents over the last two years. On top of that, 36 percent said that the incidents had disrupted critical processes, and 36 percent again claimed they had disrupted critical business applications.
Estimated value of the cyber security market
Amount spent by the US on cyber security in the last decade
The cyber insurance market has grown this much since 2013
Source: Forbes, 2015
“Typically the biggest challenge to deterring cyber security threats is getting the business to engage the problem from a business and risk management perspective,” said Devost. “To be effective, security efforts need to be closely tied to business objectives and supported at all tiers of the business, from governance to operations.” A recent study by Accenture and the Ponemon Institute, The cyber security leap – from laggard to leader, found that 63 percent of companies that improved their cyber security effectiveness significantly over 24 months aligned their security objectives with business objectives, whereas only 40 percent of those that saw no improvement did so.
“Forward-looking companies also see that traditional endpoint security and perimeter security measures are not enough, and are moving towards proactive risk and intelligence driven approaches to security management, analytics-driven event detection, and machine speed orchestration of response,” Devost added. And although discussions on the topic often point to cyber security as a consideration for the future, there are countless studies to show that it is a hot issue at the moment. For example, National Security Agency (NSA) Director, Navy Admiral Michael Rogers, told the House Permanent Select Committee on Intelligence in November 2014 that foreign governments had already infiltrated energy, water and fuel distribution systems. “This is not theoretical”, he said. “This is something real that is impacting our nation and those of our allies and friends every day.”
The situation is made all the more problematic by the systems themselves. Many of these processes were installed years – if not decades – ago, without a thought for connectivity. This means technological innovations are often patched into existing systems, and the result is a hotchpotch system that is, by design, vulnerable to attack.
Industrial control systems
The systems that allow businesses to collect and control data on a colossal scale are the same systems that allow hackers to access, exploit and ultimately disrupt essential services. While the opinion holds that the best way of combatting these threats is to focus on IT, there is still a human element to these issues that no amount of technology can account for.
Technical training, as much as improved technology, is critically important in boosting cyber security measures and in warding off ever-evolving threats to critical infrastructure. However, there is a serious shortage of professionals who understand both the digital security landscape and the way in which these threats manifest themselves in critical infrastructure. Furthermore, the issue with improved technology as a security measure is that it can be static in a way that hackers are not. Qualified experts can respond to threats as they emerge, which again highlights the importance of people over systems.
“There is certainly a talent gap that exists within the field of cyber security,” according to Devost, “and that chasm is even wider for professionals that can work within the specialised control system space. The dynamic nature of the security environment also means that organisations are not going to ‘solve’ the problem on their own and will utilise trusted partners to identify and adopt best practices, and to efficiently support security functions and operations as needed.”
Should businesses – and perhaps more pertinently, governments – take seriously the cyber threat facing critical infrastructure, it’s fair to say that investment in security solutions and personnel will increase in the coming months and years. Failing that, critical infrastructure could come under siege, and with little in the way of answers, defensively speaking.
It’s time to end the talk of hackers as if they were a distant threat, and concede that cyber security issues number among the biggest threats facing critical infrastructure today. Cyber terrorism is still seen as the stuff of science fiction, and it’s about time to acknowledge that the risks are both immediate and real.