9 January 2018

Why A Cyberattack Could Cause Infrastructure To Fall Like Dominoes


BY CARL HERBERGER 

In February of 2017, a strong windstorm knocked down power lines in Wyoming, forcing water and sewage treatment plants to operate on backup generators. The pumps that moved sewage from low-lying areas to the treatment plants on higher ground didn’t have backup power. As inclement weather prolonged the outages, the sewers backed up. Authorities cut water service to the area. The hope was simple: Without water, there’d be no waste. A strong windstorm in Wyoming can tell us quite a bit about the worst effects of cyberwar. While government officials tasked with disaster planning have long focused on the cascading effects of power outages from natural disasters, only recently have they realized the effects of cyber warfare could be quite similar. In fact, natural disasters serve as excellent examples of the unforeseen consequences that a cyberattack against infrastructure will have.

Cascading Effects

Earlier this year, the U.S. Naval War College held a war game to examine the effects of cyberattacks on critical infrastructure and showed that “c ross-sector dependencies on electricity, transportation, and wastewater systems made significant attacks on these sectors exponentially more deleterious .” The full results of the Naval War College’s war game aren’t available yet, but a review of disaster planning research can give examples of the way prolonged power outages could drive consequences few consider.

Imagine, for example, a hypothetical DDoS attack leads to a shutdown of a major urban water system. Many of the controls used to cool computer systems and power generating systems and telecommunications systems rely on water. If water cannot be pumped, these systems might turn to backups, which might be limited. That could lead to both a power outage, and a telecommunications outage. That, in turn, would lead to diminished cell phone and internet traffic. Nearly 70 percent of the food Americans eat passes through a vast network of refrigerated warehouses. With no power and no communications, the logistics teams that keep track of that food would have no way to keep their products cool and no way to coordinate delivery to other warehouses.

Attacks on infrastructure aren’t, however, a mere hypothetical. Just last year, dozens of U.S. utility companies were compromised by an organized hacking group to such an extent that the hackers could have shut them down. And in the Ukraine, hackers in 2015 and 2016 disrupted the power grid, causing hundreds of thousands to lose power.
Who Would Do Such a Thing?

The biggest motive for cyberattacks over the past few years has been financial gain. Hackers shut down a network and demand a ransom before halting an attack or giving the victim access to their network. With profit in mind, companies that, presumably, have the cash to pay ransoms are typically the target. But infrastructure operators can be victims of hackers facing any number of motivations, including money, politics or vandalism. There are strong indications that bigger and more organized actors — in some cases nation-states — have probed U.S. nuclear power plants, a dam in New York and a network that sits at the center of the global banking system. 

Fear of retaliation is likely the best explanation for why a major attack hasn’t occurred. Those who have the means are likely just as vulnerable. They might want to shut down a major power grid in a target country, but the possibility that the same attack or worse could be perpetrated against them acts as a deterrent. Even more concerning is the threat that cyber-sniping could lead to conventional warfare.
A Stronger Defense

The demands of business — agility, mobility and constant connectedness — have translated to infrastructure networks that are no longer closed loops, as they were a decade ago. Companies can now gain access to data analytics to constantly measure and optimize machinery performance, saving time and money. And while these advances have certainly resulted in clear gains, they have opened up new attack vectors for malicious attackers.

Just as we’ve seen with countless examples of consumer IoT devices being hacked, when connected technology is introduced to devices and security is left out of the equation, the consequences can be harsh. We must ask ourselves serious questions about whether we are able to protect transportation systems, our financial sector and other critical infrastructure from cyber threats.

Modern society is built around connected infrastructure services. At the end of the day, the complexity and security of our infrastructure, and its interdependence with other systems, requires close attention — more than it has gotten until now.

Carl Herberger is vice president of security at Radware, which provides and cybersecurity services to data centers.

No comments: