Is our infrastructure vulnerable to hackers? The short answer to the question, unfortunately, is yes. But it’s not like no one is thinking about the issue or doing anything about it. As with the dire predictions of Y2K meltdowns from the turn of the millennium, while there are definite and potentially huge risks, both the public and private sectors are working to mitigate them.
The Ukraine power grid attack in December 2015 was a sobering wake-up call of the extent of what is possible. In that event, which some security experts have called cunning and brilliant, the hackers planned the attack by infiltrating the power utility systems over a period of months. Using some old-school exploits like Microsoft Word file attachments with an infected macro that downloaded malware, and careful infiltration of the network stealing remote login credentials over time, the hackers were able to get control of the system to ultimately shut off power to 230,000 people in a cold winter.
The good news is that manual overrides were able to turn the power back on relatively quickly, but some parts of the Ukraine grid took longer to return. Russia is suspected to be behind that attack, given the tensions in the region, but the cyberwarfare world has both state and non-state actors. Russia, China, Israel, Iran, North Korea, and the US all have cyber units, and terrorist groups like ISIS and many other lesser known groups have engaged in cyberattacks for coercive, monetary, or political motives.
Part of the risk in cyber intrusions on infrastructure is the connection of these systems to the internet. Many ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) systems are based on older technology. Grafting internet and networking capabilities onto these systems enables remote monitoring and control, and sometimes end-customer access to utility usage and billing data. Sometimes, these newer forms of access are not adequately shielded from the systems that control vital aspects of the utilities.
A case in point involved a Verizon report of a data breach at an unnamed water utility in the US in March. That utility’s SCADA platform was based on an IBM AS/400 minicomputer, a 1980s era system, and incorporated valve flow and control software as well as IT applications like customer billing. The system was connected to an end-customer online payment portal. Hackers exploited a flaw in the portal to gain access to the AS/400 admin credentials, essentially gaining control over almost all of its applications.
Aside from stealing 2.5 million customer account records, including billing information, what’s more frightening is that the hackers were able to gain control over the valve and flow software. They were able to control the chemicals in water treatment and affect the rate at which water was returned for usage. Fortunately, other indicators alerted the water utility’s staff to what was happening, and the system was overridden. But it’s clear that if a series of coordinated attacks were carried out on vital systems, the havoc would not be easy to contain.
Interestingly enough, some of these issues can be ameliorated simply by better use of existing technology. For example, many remote or VPN logins don’t use two-factor authentication – something increasingly deployed now on many consumer-facing services. This could help thwart many situations where hackers halfway around the world steal passwords via various known means. Part of the reason such upgrades lag is that, in many cases, locally run utilities have regulated rates and limited budgets, and software upgrades are often put off. The “if it ain’t broken, don’t fix it” mentality can delay necessary security improvements, especially when modifying older technology that may introduce new issues.
Another attacker exploit being discovered is infecting the software upgrade mechanisms of ICS/SCADA vendors. Just like Windows Update, these vendors have either manual or automated firmware and software upgrade mechanisms. So rather than break into a specific system, a hacker could plant malware in a software update. That malware may lurk in systems for months or years, ready to be triggered by some specific attack or time-based event.
Water and electric infrastructure may be particularly vulnerable due to the age of the systems and the universal dependence on these services. But obviously other infrastructure of critical importance may be equally vulnerable – transportation, energy, communications, and healthcare are others. There have been well publicized cases of ransomware attacks on hospital health record systems. While in several of those cases, the hospitals have quickly paid up relatively small sums (compared with the cost of not having their system back), in a cyberwar scenario the effects could be far costlier and deadlier. The Department of Transportation lacks a coherent cybersecurity strategy. With the push for smarter cities, more internet-connected city information and services, and a looming future of autonomous cars, the importance of best practices and standards for cybersecurity in transportation is increasing exponentially.
The Stuxnet worm, reportedly developed by Israel and the US, is said to have severely slowed Iran’s uranium enrichment program for a nuclear weapon. It is one of the best-known cases of states using cyber capabilities as an alternative to physical attack to reach an objective. We should be mindful that our own nuclear energy infrastructure needs to be better protected. A recent report indicates that attacks on U.S. non-military nuclear systems are increasing. Part of the problem is that there are contracts with vendors that deal with maintaining security, but many of these do not go into enough detail about monitoring, reporting, and performance metrics. Nuclear energy is heavily regulated, and security has always been taken seriously. But it is also an industry with aging infrastructure, and the same budget issues that apply to other utility infrastructure apply here as well.
Does all of this sound scary? It is, but the threats are being taken seriously. In this presidential election season, even the voting systems are being considered. Considering the recent Democratic National Committee hacks, the Department of Homeland Security is looking into ways the election infrastructure can be better protected. Some of the concern comes from the increasing use of wireless technology in voting machines to tabulate and aggregate voting data. It is a complicated task, with over 9,000 jurisdictions controlling voting across the country. But understanding potential threats and security best practices can limit the possibility of tampering with the system. Regardless of the severity of potential consequences, it’s impossible to protect against every threat, in either the cyber or physical world.
In time for Black Hat and DEFCON, we’re covering security, cyberwar, and online crime all this week; check out the rest of our Security Week stories for more in-depth coverage.