1 November 2018

'Cyber Pearl Harbor' Unlikely, But Critical Infrastructure Needs Major Upgrade

Taylor Armerding

A high-voltage transformer and fire control system at a power plant.

Top U.S. officials have warned for decades of a “cyber Pearl Harbor” or “cyber 9/11” kind of attack on the nation’s critical infrastructure by a hostile nation state or terrorist group.

One of the latest came just this past July from Director of National Intelligence Dan Coats, who said “the warning lights are blinking red again,” in much the same way they were prior to the 9/11 attacks.

Yet, while there have been multiple cyberattacks on infrastructure in the U.S. and other parts of the world, especially during the past decade, none has taken down even major portions of the grid for weeks or months – a nightmare scenario envisioned in former Nightline anchor Ted Koppel’s 2015 book “Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.”


Why not? Is it that U.S. enemies, as much as they might want to, simply can’t do it because the nation’s infrastructure is really as diverse and resilient as many experts say it is? Or is it that they don’t really want to, given that if the U.S. goes dark, a lot of other nations’ economies will suffer greatly as well?

Not to mention that if they did it to us, we’d probably be able to do it to them, or unleash a conventional military attack.

“Can’t do,” seems less and less likely. Given recent reports and headlines, it seems more likely than not that a major attack is possible for well-organized, well-funded attackers.

Indeed, some expert minds have apparently changed during the past several years.

Bruce Schneier, author, blogger, encryption expert and chief technology officer at IBM Resilient, has scoffed multiple times in the past at the “Pearl Harbor” or “9/11” imagery. “Throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people,” he said in 2013.

Interesting, then, that five years later he is talking about dead people in his new book, “Click Here to Kill Everybody.”

He acknowledges early on that the title is “hyperbole,” but one of his main themes is that since everything is not just becoming a computer but also a computer connected to the Internet, attacks with physical consequences are increasingly likely – not enough to kill everybody, but potentially lots of people.

He noted that the 2016 remote cyberattack on a power plant in Ukraine, allegedly by Russia, using CrashOverride, a malware designed to attack industrial control systems (ICS), was foiled by technicians who detected the attack, shut the plant down and manually restored power.

But the implications were clear – if a similar attack damaged the equipment and shut down power in the middle of winter, “this would be fatal for many people.”

Bottom line: “Now that everything is a computer, the threats are about life and property. Hackers can crash your car, your pacemaker or the city’s power grid. That’s catastrophic,” he wrote.

Indeed, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), within the Department of Homeland Security, has warned that ICS operators many times don’t even know if their systems are infected, don’t have effective security barriers in place and don’t have backups for critical systems.

Which falls right in line with the findings in a recent report from FireEye iSIGHT Intelligence, that at least 33 percent of the security vulnerabilities in ICSs are rated high or critical risk.

And those vulnerabilities are of the most basic variety: failure to patch, weak passwords, and flaws in architecture and network segmentation – in other words, failure to practice fundamental “security hygiene.”

The reason? The same one that has been cited for more than a decade: ICSs were never intended to be connected to the internet, and now they are.

Still, a majority of experts say what they have said all along: ICS vulnerabilities are real and serious. They need to be fixed. And yes, there is technically a risk that major portions of the grid, or other critical infrastructure, could be taken down. But they say doomsday rhetoric is, to borrow from Schneier, “hyperbole,” and that the chance of an attack that takes down the grid is beyond remote.

“We’re absolutely not close to a Pearl Harbor kind of attack,” said Michael Fabian, principal consultant at Synopsys.

“Yes, it’s possible. But doing something like that would unleash the conventional military might of the U.S. against them.”

Fabian added that, at least when it comes to nation-states, it would also be against their economic interests. “Business is doing really well all over the world right now,” he said.

But, like other experts, he agrees that ICS operators do need to improve their security – a lot. “Of course they do. They’re 10 years behind,” he said, noting that multiple reports have concluded that 90 percent or more of breaches could have been blocked with basic security measures.

So, given that the theme for the final week of National Security Awareness Month is “Safeguarding the Nation’s Critical Infrastructure,” why aren’t things improving?

Certainly not for a lack of rhetoric. For more than 20 years, presidents have been issuing executive orders on improving security in critical infrastructure: Bill Clinton in 1996, George W. Bush in 2001, Barack Obama in 2013 and Donald Trump in 2017.

But rhetoric hasn’t led to much action.

Joel Brenner, who has held senior posts at NSA and DNI, and David Clark, senior research scientist at the Internet Policy Research Initiative at MIT, issued a report in March 2017 on ICS vulnerabilities that they summarized in a post on the Lawfare blog: “Over a quarter-century this nation spent billions of dollars on cybersecurity for key infrastructure, yet we are less secure than we were 30 years ago.”

They made a number of recommendations that remain relevant today. While they wouldn’t make ICSs bulletproof – nothing can – they would make them far more resilient:

- Isolate critical infrastructure networks from public networks.

- Build simpler, and more secure, hardware and software. “We know how to make simpler stuff, but no one will do it unless assured of a market. If the departments of defense, homeland security, and energy would support a market for more secure versions of commercial products, the demand would be there,” they wrote.

- Reduce the number of regulatory and compliance standards. As they put it, “A publicly traded electric utility, for example, must comply with differing and sometimes inconsistent cybersecurity standards issued by the National Institute for Science and Technology (NIST), by credit card issuers, by state and federal energy regulators, and by the SEC. This is overkill.”
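The hygiene failures listed earlier (unpatched hosts, weak or default passwords, missing backups, poor segmentation) and the first recommendation above (isolate control networks from public networks) are all checkable from an asset inventory and a perimeter ruleset. The script below is an added example written for this page, not code from the article, Synopsys, FireEye or any ICS vendor. The inventory, the rule tuples and every address in it are constructed for illustration, and the field names (`last_patched`, `credential_state`, `backup_verified`) are assumptions about how an operator might record this data.

```python
"""Basic-hygiene audit for an ICS asset inventory and perimeter ruleset.

Added example, not from the article or any vendor tool. The inventory, the
rule tuples and all addresses are constructed for illustration; the field
names ("last_patched", "credential_state", "backup_verified") are assumptions.
"""
from datetime import date
from ipaddress import ip_network

# Constructed inventory of OT hosts (not real systems).
ASSETS = [
    {"host": "plc-01", "ip": "10.50.1.10", "last_patched": date(2017, 3, 1),
     "credential_state": "vendor-default", "backup_verified": False},
    {"host": "hmi-01", "ip": "10.50.1.20", "last_patched": date(2018, 10, 1),
     "credential_state": "unique", "backup_verified": True},
    {"host": "historian", "ip": "10.50.2.5", "last_patched": date(2018, 9, 15),
     "credential_state": "shared", "backup_verified": False},
]

# Constructed perimeter rules: (name, source CIDR, destination CIDR, port, action).
RULES = [
    ("corp-to-hmi", "10.10.0.0/16", "10.50.1.0/24", 443, "allow"),
    ("vendor-remote", "0.0.0.0/0", "10.50.1.10/32", 502, "allow"),
    ("partner-dnp3", "203.0.113.0/24", "10.50.2.0/24", 20000, "allow"),
    ("default-deny", "0.0.0.0/0", "10.50.0.0/16", None, "deny"),
]

OT_ZONE = ip_network("10.50.0.0/16")  # the control network that should be isolated
# Sources that count as "not public": the RFC 1918 private ranges.
TRUSTED_SOURCES = [ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PATCH_AGE_DAYS = 180


def find_unpatched(assets, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Hosts whose last patch is older than the allowed window."""
    return sorted(a["host"] for a in assets
                  if (today - a["last_patched"]).days > max_age_days)


def find_weak_credentials(assets):
    """Hosts still on vendor-default or shared credentials."""
    return sorted(a["host"] for a in assets if a["credential_state"] != "unique")


def find_missing_backups(assets):
    """Hosts with no verified restore point."""
    return sorted(a["host"] for a in assets if not a["backup_verified"])


def find_public_exposure(rules, ot_zone=OT_ZONE, trusted=TRUSTED_SOURCES):
    """Allow rules whose destination overlaps the OT zone but whose source is
    not contained in any trusted range: a path from public networks into the
    control network. Deny rules are skipped; destinations outside OT are ignored."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_net, dst_net = ip_network(src), ip_network(dst)
        if not dst_net.overlaps(ot_zone):
            continue
        if not any(src_net.subnet_of(t) for t in trusted):
            findings.append((name, src, port))
    return findings


def audit(assets=ASSETS, rules=RULES, today=date(2018, 11, 1)):
    """Run all four checks and return a findings dict keyed by check name."""
    return {
        "unpatched": find_unpatched(assets, today),
        "weak_credentials": find_weak_credentials(assets),
        "missing_backups": find_missing_backups(assets),
        "public_exposure": find_public_exposure(rules),
    }


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits if hits else 'OK'}")
```

The segmentation check deliberately uses `subnet_of` against an explicit list of trusted ranges rather than `ipaddress`'s `is_private`, whose result for a catch-all like `0.0.0.0/0` differs between Python versions; an "any source" rule must always be reported, since it is exactly the internet-facing path the recommendation warns against.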

But, of course, that will take money. Fabian said when there was money available from President Obama’s massive 2009 American Recovery and Restoration Act, there was considerable progress in improving infrastructure security.

“But when the money ran out, the smart grid pretty much died,” he said.
