Electricity, potable water, natural gas, telephone and the internet are expected to be omnipresent in our lives. We flick the switch and the lights should come on, turn the tap and water we can drink comes out, turn on the burner and we can fry the egg, pick up the phone and have dial tone and open our browser and connect to the rest of the world. All of this comes to us via an established infrastructure which may have been designed years in the past and cobbled together as science and technology advanced. What if these pieces of our critical infrastructure became unavailable?
When Critical Infrastructure Crashes
The fictional film “Blackhat” (2015) opens with a cyber-attack on a nuclear power plant in Hong Kong: the attackers disable the coolant pumps, a portion of the plant explodes, and the surrounding grid is affected. Ted Koppel’s book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” released in October 2015, showed a healthy dose of prescience, as it outlines how unprepared the United States is with respect to its critical infrastructure.
In December 2015 we witnessed several regional electricity distribution companies in western Ukraine being taken down, cutting power to roughly 230,000 customers for several hours. The attack, according to ESET, used the BlackEnergy Trojan, delivered through spear-phishing e-mails carrying macro-enabled Office documents, with its KillDisk component wiping systems to slow recovery. Analysts note that the Trojan’s execution was made possible by a combination of social engineering and cyber-attack: the malware needed a person to open the attachment and enable macros before it could gain a foothold on the corporate network. It drives home the need to pay attention.
“This has been a real possibility for a while now; the hackers are using an old, longstanding vulnerability (humans) to start attacking networks in ways that have not been done before…using social engineering to build a path for planting malware in energy grid systems,” Rebecca Herold, a leading information security and privacy expert, notes.
Herold has worked with NIST since 2009 researching smart grid security and privacy issues, and notes, “many utilities involved, and common resistance arguments from many of them is that implementing security (and privacy) controls are not necessary, and would be too expensive and drive electricity prices up.” She goes on to say that “training could very well have prevented this social engineering attack from being successful.”
When it comes to who’s behind these attacks, once again international law lags behind the current cyber threat landscape.
“We need to be cautious in attributing any cyber-attack to a state actor because international law only applies to governments,” noted Jeffrey Carr, author of Inside Cyber Warfare.
Defense Critical Infrastructure
This is not a new topic. Government Accountability Office (GAO) reports dating back to October 1999, in the midst of the “Millennium Bug” or “Y2K” threat, have been sounding the warning klaxon, signaling that “our national infrastructure is at risk.” Indeed, the GAO zeroed in on the fragility of the US Department of Defense critical infrastructure in its 2009 report, “Defense Critical Infrastructure.” The report’s seven recommendations could have been written yesterday:
- Complete Defense Critical Infrastructure Program vulnerability assessments, as required by DOD Instruction 3020.45, on all of DOD’s most critical assets by October 2011.
- Develop additional guidelines, an implementation plan, and a schedule for conducting Defense Critical Infrastructure Program vulnerability assessments on all non-DOD-owned most critical assets located in the United States and abroad in conjunction with other federal agencies, as appropriate, that have a capability to implement the plan.
- Establish a time frame for the military services to provide the infrastructure data required for the Public Works Defense Infrastructure Sector Lead Agent—the U.S. Army Corps of Engineers— to complete its preliminary technical analysis of public works (including electrical system) infrastructure at DOD installations that support DOD’s most critical assets.
- Finalize guidelines currently being developed to coordinate Defense Critical Infrastructure Program assessment criteria and processes more systematically with those of other DOD mission assurance programs.
- Develop explicit Defense Critical Infrastructure Program guidelines for assessing the critical assets’ vulnerabilities to long-term electrical power disruptions.
- Develop a mechanism to systematically track the implementation of future Defense Critical Infrastructure Program risk management decisions and responses intended to address electrical power–related risks and vulnerabilities to DOD’s most critical assets.
- Ensure for DOD-owned most critical assets, and facilitate for non-DOD owned most critical assets, that asset owners or host installations of the most critical assets, where appropriate, reach out to local electricity providers in an effort to coordinate and help remediate or mitigate risks and vulnerabilities to electrical power disruptions that may be identified for DOD’s most critical assets.
While the DOD infrastructure is being addressed, the government remains reliant on private-sector energy generation. Small nuclear reactors are being considered as a potential “off-grid” solution that would let DOD supply its own power to critical infrastructure and reduce its dependence on the commercial grid.
PPD-21
But what of the remainder of the nation, not associated with DOD? The 2013 Presidential Policy Directive — Critical Infrastructure Security and Resilience (PPD-21) addresses the need for “national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.” PPD-21 places the nation’s energy critical infrastructure under the remit of the Department of Energy (DOE) as the sector-specific agency. Unfortunately, according to a September 2015 piece in ComputerWorld, “…the DOE was attacked 1,131 times in four years; attackers breached the DOE 159 times with 53 of those cyber-attacks resulting in root compromises.”
Clearly the U.S. as a whole has its work cut out for it. The path ahead is one where investment in securing the information systems that run our infrastructure may truly make the difference between keeping the lights on and going dark.