The Threat of Virtual Terrorism Against Infrastructure is Growing
Part of what makes infrastructure generally vulnerable to cyber terrorism is the fact that so much of it is dependent upon software and so many of its systems are interconnected. Much of the world’s critical infrastructure utilizes supervisory control and data acquisition (SCADA) systems, which automatically monitor and adjust switching, manufacturing, and other process control activities based on digitized feedback data gathered by sensors. These tend to be specialized, older computer systems that control physical pieces of equipment that do everything from route trains along their tracks to distribute power throughout a country. SCADA systems have increasingly become connected to the Internet but were not designed with cybersecurity in mind.
Cyber terrorists could do tremendous damage if they wanted to, ranging from taking control of water treatment facilities to shutting down power generation plants to causing havoc with air traffic control systems―and all of these systems are extremely vulnerable to attack. The US energy grid connects more than 5,800 power plants with more than 450,000 miles of transmission lines—the ultimate soft target. Yet some 70 percent of the grid’s key components are more than 25 years old, and most of them use older SCADA technologies that are readily hackable. In July, the DHS and FBI jointly issued an urgent report stating that, since May, hackers had been penetrating the computer networks of companies that operate nuclear power stations, other energy facilities, and manufacturing plants in the US and other countries. The threat is growing exponentially and could easily spin out of control.
Despite the fact that cyberattacks occur with greater frequency and intensity around the world, many either go unreported or are under-reported, leaving the public with a false sense of security about the threat they pose and the lives and property they impact. Infrastructure is becoming a target of choice among individual and state-sponsored cyberattackers who recognize the value of disrupting what were previously thought of as impenetrable security systems. This has served to demonstrate just how vulnerable cities, states, and countries have become.
In recent years, numerous forms of malware targeting SCADA systems have been identified, including Stuxnet, Havex, and BlackEnergy3. What these three forms of malware have in common is their ability to sneak through Industrial Control Systems (ICS) undetected by exploiting the weakest link in the cyber defense network (people) and posing as a legitimate e-mail or by finding a back door in the SCADA system. The power sector has already demonstrated itself to be particularly vulnerable and must dedicate substantially more resources to closing back doors and training employees to avoid clicking on malicious files.
While the majority of the equipment that comprises a SCADA system resides in the control center network behind firewalls, localized SCADA communication equipment directly connected to the ICS can be as vulnerable as the ICS themselves. A digital attack or intrusion on these localized communication systems can have a greater effect on the overall system and allow the attacker access to all ICS connected to them. This gives the attacker the ability to operate all ICS, creating broader systemic impact.
From the attacker’s perspective, exploiting features rather than bugs has a significant advantage, as they cannot be expeditiously repaired by a vendor releasing a patch. ICS with some protection against cyberattacks have been released, but the installation and upgrade cycle is long, and it cannot be guaranteed to be effective in new attack scenarios. Cyberthreats can damage equipment and simultaneously attack multiple locations, leading to extended long-term outages, with the need to replace or repair long-lead time equipment.
So, what can be done, apart from raising awareness to the problem, devoting more resources, and making actions to counter Virtual Terrorism compulsory instead of voluntary? Creating a more holistic approach to the problem, becoming proactive (instead of reactive) in thinking about how to address the problem, implementing routine cybersecurity audits, and creating teams of individuals dedicated solely to the problem inside companies is a good place to start. Budgets therefore need to be adjusted to devote more resources to addressing the problem across the board. Security and privacy risk mapping, benchmarking, and scenario planning should become a standard component of a cyber risk management protocol. Clearly, businesses, governments, and individuals must devote greater resources to becoming more cyber resilient.
Some 16 infrastructure sectors have been deemed ‘critical’ by the US government as obvious targets for virtual terrorism and are now regulated. The problem is, there is not yet a law requiring compliance, nor any penalties for a failure to comply. The same may be said about the fight against terrorism more generally. Both governments and companies are generally hesitant to implement strict security protocols to protect themselves, nor devote the resources necessary to getting the job done, without having experienced an attack. That must change, and soon.