Our Critical Infrastructure Safety, a Cautionary Tale
By Carolyn Crandall
Critical infrastructure Cyber Attack
Millions of people throughout the greater Los Angeles area have been left without power, running water or communication in the wake of what is certainly one of the worst disasters in recent American history. It is not the first major cyberattack on U.S. infrastructure, but it is certainly the worst, and one that has been predicted for years. Nevertheless, incident response teams across LA business and government were caught unprepared. Despite “red alert” attention, there is no word on when systems will be completely restored, given the widespread impact on businesses, government agencies, educational institutions, and individual well-being. The city remains paralyzed as the depth of the cyberattack and the recovery plans are still too large to be completely understood.
This would be a news story none of us would want to read. And yet the threat of cyberattacks is very real, according to the U.S. Department of Homeland Security. You may be wondering what could cause such devastation and impact: a nuclear plant malfunction, an energy grid or generator takedown, IoT or core infrastructure compromise that shuts down traffic control or navigation systems and causes a plane crash in central LA, or a sports stadium lock-down with chemical warfare. All of these and more could realistically happen in the connected world that we live in.
The number of cyberattacks targeting the industrial control systems that run automated industrial machinery increased nearly 50% between 2012 and 2015, according to the Department of Homeland Security.
The warnings go back years. James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), told CBS’s “60 Minutes” in November 2009 that if major electrical generators went down, it would take three or four months just to order replacements. “It’s not like if we break one, we can go down to the hardware store and get a replacement,” he said.
The first major attack occurred six years ago. Here is an excerpt from Kim Zetter’s book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. “In January 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate. The cause was a complete mystery—apparently as much to the Iranian technicians replacing the centrifuges as to the inspectors observing them.”
“Five months later a seemingly unrelated event occurred. A computer security firm in Belarus was called in to troubleshoot a series of computers in Iran that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery. That is, until the researchers found a handful of malicious files on one of the systems and discovered the world’s first digital weapon.”
“Stuxnet, as it came to be known, was unlike any other virus or worm that came before. Rather than simply hijacking targeted computers or stealing information from them, it escaped the digital realm to wreak physical destruction on equipment the computers controlled.”
What was particularly chilling about this attack was that the hackers did not use any special tools to do this, but instead used common methods such as spear phishing and malware that they could purchase on the black market.
In 2012, former Secretary of Defense Leon Panetta said that a major cyberattack could amount to a “cyber Pearl Harbor.” Panetta also said at the time that the U.S. was at “a pre-9/11 moment.”
The topic hit front pages and major TV news shows last year because retired ABC TV “Nightline” anchor Ted Koppel wrote a book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” in which he contended that not only is the nation’s critical infrastructure vulnerable to cyberattacks, but that multiple hostile nation states had already breached those systems and that the U.S. had no plan in place to cope with a catastrophic attack.
During 2015, several cases were reported of energy companies being attacked with malware dubbed Laziok, which was used to collect data on compromised systems, including machine name, CPU details, RAM size, hard disk size and what antivirus software was installed.
With this information, cybercriminals could determine whether the computers were viable targets for future attacks. What was particularly alarming about these cases is that the attacks were delivered by emails carrying an attachment that exploited a Microsoft Windows vulnerability. Although a patch for this vulnerability had been released in April 2012, three years earlier, many industrial organizations had still not applied it.
Last December, a well-coordinated hack cut power to 225,000 people in Ukraine. It began with a phishing email containing a malware-rigged attachment: Word documents and Excel spreadsheets that, when opened by users on the companies’ business network, dropped the BlackEnergy3 malware, which lurked around and stole legitimate user credentials. In perhaps one of the most alarming findings, the Ukraine power grid attackers had hidden in plain sight for six months, gradually gathering enough intelligence and knowledge to figure out how to access and manipulate the system and turn out the lights.
This year, Verizon reported a water treatment plant infiltration in which hackers were able to change the levels of chemicals used to treat tap water, raising the possibility of sickness or even death. A “hacktivist” group with ties to Syria was blamed. The same hack also resulted in the exposure of personal information belonging to the utility’s 2.5 million customers. Illustrating a problem common to many infrastructure operators, Verizon says the breach happened because the water company had been using operating systems over a decade old to run its entire IT network, and because that entire IT network relied on a single ancient IBM Application System/400 (AS/400) server, a platform released back in 1988.
Director of National Intelligence James Clapper has essentially admitted that U.S. infrastructure has been breached: “Foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile,” he said. Clapper named hostile nation states including Russia, China, Iran and North Korea, but especially Russia, which he said has developed the capability to remotely hack at least three ICS vendors “so that customers downloaded malicious software designed to facilitate exploitation directly from the vendors’ websites.”
So this is one more chapter in a cautionary tale we should all take heed of. Although many may believe that a catastrophic attack is unlikely, most experts agree that it is very much a possibility. We saw this problem some time ago, as did many of our infrastructure customers both here, in the Middle East, and across the globe. It’s why Attivo developed deception-based threat detection for SCADA industrial control systems and IoT solutions for the growing world of connected devices. The stakes are high for attacks on critical infrastructure, and as a society we need to do everything within our means to ensure that these systems, despite their vulnerabilities, are safeguarded with measures to prevent, detect, and defend against an attacker.
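The Ukraine case above turned on stolen legitimate credentials and a six-month dwell time, and the closing paragraph points to deception as one answer. The following is an added illustration, not Attivo’s product code and not anything described on this page, of the simplest form of that idea: plant decoy accounts that no legitimate process ever uses, then treat any authentication attempt with one of them as a high-confidence signal that harvested credentials are being replayed. The account names, host names, source addresses and the syslog-like line format are all constructed for the example.

```python
"""Honeytoken (decoy credential) detection over constructed auth log lines.

Added example, not Attivo's code. The decoy account names, hosts, source
addresses and the log line format below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Decoy accounts seeded on business-network hosts (assumed names). They have
# no legitimate use, so even a failed logon with one of them is suspicious:
# the only way to learn the name is to have harvested it from a host.
DECOY_ACCOUNTS = {"svc_hmi_backup", "scada_ro_admin"}

# Constructed sample log lines. The second and third show a decoy account
# being tried from the same workstation, first failing, then succeeding.
SAMPLE_LOGS = """\
2015-12-01T02:14:07Z auth host=biz-ws-17 user=jdoe result=success src=10.1.4.22
2015-12-01T02:15:31Z auth host=biz-ws-17 user=svc_hmi_backup result=failure src=10.1.4.22
2015-12-01T02:15:44Z auth host=eng-jump-01 user=svc_hmi_backup result=success src=10.1.4.22
not a well formed line
2015-12-01T03:02:10Z auth host=biz-ws-03 user=asmith result=success src=10.1.4.31
"""

# Assumed line syntax: "<ts> auth host=<h> user=<u> result=<r> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    host: str
    src: str
    result: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Scan log text and return one Alert per authentication with a decoy account.

    Both successes and failures are reported: a decoy name should never appear
    in an auth attempt at all, so the result field only adds context.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these separately
        if rec["user"] in decoys:
            alerts.append(Alert(rec["ts"], rec["user"], rec["host"],
                                rec["src"], rec["result"]))
    return alerts


def summarize_sources(alerts):
    """Group alerts by source address: the host replaying decoy credentials is
    the one responders will want to isolate and image first."""
    by_src = {}
    for alert in alerts:
        by_src.setdefault(alert.src, []).append(alert)
    return by_src


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOGS)
    for src, hits in summarize_sources(found).items():
        print(f"{src}: {len(hits)} decoy-credential attempt(s)")
        for hit in hits:
            print(f"  {hit.timestamp} {hit.user}@{hit.host} {hit.result}")
```

Run on the constructed sample, the script reports two decoy attempts from 10.1.4.22 and ignores the normal logons. The value of the technique is that it needs no signature for the malware that did the harvesting: the decoy names are the signature, and the first use of one gives responders a timestamp and a source host months before a patient intruder would otherwise be noticed.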