Most of us take it for granted that services such as power, water, oil and gas pipelines, and information and transportation networks will be available when we need them. But what about “cyber warfare”? What might happen if critical components of our utility infrastructure came under attack from hackers using the Internet to wreak havoc? That’s the question many experts are wrestling with and who caution that cybersecurity threats and some very real dangers exist.
This isn’t a new issue.
Hackers and cybersecurity threats have been around since the dawn of the Internet, and cyber-attacks on critical infrastructure facilities have, thankfully, been relatively rare. However, according to the U.S. Government Accountability Office, this new breed of warfare could threaten the nation’s security, cause mass casualties and weaken the economy. As a consequence, governments around the world, including the United States, are now establishing specialized military units in an effort to counter the threat.
Despite this, there are some who believe the United States is seriously under-protected against the threat of cyber warfare. One of the difficulties in dealing with this issue is the fact that a cyber-assault would be relatively easy to launch. A single hacker, without any network or government agency support, could theoretically change a single line of code, which could potentially do great damage. According to The Global State of Information Security® Survey 2014, conducted by PwC, employees (current and former) in the utility sector made up 68% of the individuals most likely to perpetrate a security incident.
Small Changes Could Lead to Big Disruptions
A small change has the potential to cause cascading failures throughout our intertwined infrastructure system. Robert Bea, risk assessment expert and professor at the University of California at Berkley, explains: “Should one piece of a system fail, you end up with these cascades, sort of like a game of dominos. It doesn’t take anything horribly catastrophic to initiate an infrastructure disaster. Using cyber-attack methods, individuals with malicious intent could determine the most efficient way to trigger multiple infrastructure failures.”
Bea likened the effect of a cyber-attack to that of a natural disaster. “The best reference for me will be Hurricane Katrina and the flood protection system for the greater New Orleans area ... Katrina caused a cascade of infrastructure failures that affected the city for months, years. Some are still not working properly.”
Where Are We Vulnerable?
We’ve come this far. Now let’s talk about the vulnerabilities in our own infrastructure systems. Here are some that come immediately to mind:
- Human. Yes, we are the first vulnerability. Employees and contractors who access the critical infrastructure systems are not aware and/or educated enough on the basic principles of information security.
- Design. Many critical infrastructure systems were created before the advent of the Internet and were never designed to be secure.
- Passwords. A surprising number of systems use passwords hardcoded by the manufacturer, which are available to hackers via a Google search. Amazing, isn’t it? Yet unchanged default usernames and passwords are still present in many systems.
- Workstations. An employee who uses a company workstation for private emails and Internet browsing could inadvertently introduce a malicious link into the critical infrastructure company’s system.
- Spearphishing. Hackers posing as colleagues send e-mails to an employee of a utility asking them to log in to a linked site. If the employee unwittingly logs in, the hacker can harvest their personal information and potentially gaining access to the critical infrastructure company’s systems.
- Networks. Hackers are able to seek out vulnerabilities in networks using tools intended for information security experts to test the integrity of systems.
Not everyone ascribes to the theory that cyber warfare is imminent. Some say the authorities are exaggerating the threat to justify increased privacy intrusions. Whatever your view, it likely makes sense to at least consider the possibilities and potential weaknesses and threats posed, and the challenges facing our aging critical infrastructure system.
Where do you stand on this one? Scare tactics by the authorities or a very real threat that system designers, utility companies and governments need to take very seriously? Or is it somewhere in between?
Jerome Farquharson oversees the compliance and critical infrastructure department in Burns & McDonnell’s St. Louis office. He regularly performs cyber and physical risk assessments for utilities and has extensive knowledge of current government regulations, including NERC Reliability and CIP standards. You can learn more about Jerome’s experience and connect with him on LinkedIn.