Cyber Attacks Against Critical Infrastructure Are No Longer Just Theories

Industry Perspectives 2020-11-19

Imagine the U.S. is shrouded in darkness. Transportation systems have failed, commerce has ground to a halt, thousands have died and unrest is breaking out as public services fail. It all started with hackers – backed by a hostile nation – shutting down the U.S. power grid.

Within the security industry and across government, we have long discussed nightmare scenarios caused by cyber attacks against critical infrastructure; however, only now do these scenarios seem likely. Recently, National Security Agency director Admiral Mike Rogers described threats against critical infrastructure as a matter of “the when, not the if...”[1]

Critical infrastructure sectors, from financial services to transportation to healthcare, all depend on massive information technology networks. Many of the cyber defenses used by critical infrastructure owners and operators to ward off attacks are outdated and ineffective. These systems remain highly vulnerable to hackers, who could gain control of nuclear plants, railways and any number of other vital systems.

Unfortunately, the frequency of attacks against critical infrastructure is increasing at an alarming rate.

In 2015, a cyber attack on Ukraine’s power grid left 700,000 people without electricity for several hours.[2] Alarmingly, the actors behind this attack were previously seen conducting attacks against the U.S. energy sector, prompting an alert by the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) in 2014. Though disruption never occurred in the U.S., this was believed to be reconnaissance for a potential future attack.

The U.S. hasn’t escaped all disruptive attacks, however. In March 2016, the U.S. Justice Department indicted seven hackers tied to the Iranian regime.[3] These hackers staged a coordinated cyber attack that targeted 46 major financial institutions and a dam outside of New York City.

On the topic of U.S. water systems, Verizon investigators recently reported on cyber intrusions where actors were able to alter settings related to water flow and the amount of chemicals used to treat the water – perhaps the most unspeakable of scenarios.

The fact is that cyber attackers have repeatedly targeted U.S. critical infrastructure. U.S. industrial control systems were threatened by cyber attacks at least 245 times over a 12-month period, according to a 2014 report from the ICS-CERT.[4]

Despite the increasing frequency of cyber attacks targeting critical infrastructure, these otherwise highly-regulated industries have few protocols in place to protect against cyber security breaches. According to a report from the Government Accountability Office, nearly all of the critical infrastructure industries lack adequate cyber security metrics.[5]

Take the U.S. transportation system, for example. The Department of Transportation (DOT) has hundreds of thousands of regulations; however, DOT currently has no concrete cyber security plan in place – and that is despite the fact that DOT’s IT network is one of the federal government’s largest.[6][7]

Or consider the chemical industry. It has tight sector-wide regulations on everything from occupational safety to environmental protection, yet even though the Department of Homeland Security recognized cyber attacks as a major threat to the industry in 2010, cyber security regulations are still only managed at the company or facility level.[8]

With few regulations in place, it has become increasingly important for these industries to assess their environments and cyber security risk. One way to do that is through compromise assessments or Industrial Control System (ICS) assessments. These tests search the environment to identify whether or not an attacker is currently in the system.[9] If a breach is identified, the organization can work to stop it and secure its systems before any valuable information is taken.

Organizations could also perform “red team” operations. In this assessment, a team of experts attempts to break into an environment and, if successful, works back from the intrusion path to close the gaps it exposed, so that a real attacker cannot gain access to the system the same way.[10]

Our nation’s critical infrastructure is at risk. As recent events have demonstrated, these cyber attacks are no longer just conceptual – they are very real and have the potential to be extremely dangerous. When it comes to assessing cyber security and improving cyber defenses for critical infrastructure, there is no time to waste.

[1] http://www.newsweek.com/china-could-shut-down-us-power-grid-cyber-attack-says-nsa-chief-286119
[2] http://foreignpolicy.com/2016/01/08/did-russia-knock-out-ukraines-power-grid/
[3] http://www.politico.com/story/2016/03/us-indicts-iranians-in-cyber-attacks-on-dam-221196
[4] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/critical-infrastructures-west-hemisphere.pdf
[5] http://thehill.com/policy/cybersecurity/260963-feds-lack-method-to-grade-critical-infrastructure-cybersecurity
[6] https://www.regulations.gov/#!searchResults;rpp=25;po=0;cat=AD
[7] https://www.transportation.gov/cio
[8] https://www.dhs.gov/sites/default/files/publications/nipp-ssp-chemical-2015-508.pdf, p. 11
[9] https://www.fireeye.com/services/mandiant-compromise-assessment.html
[10] https://www.fireeye.com/services/red-team-operations.html