The most destructive hackers of critical U.S. infrastructure don’t come from Russia or China. They aren’t malicious kids with too much free time. They aren’t even human; they’re squirrels.
Wire-chewing rodents and other animals cause an estimated 200 U.S. power outages a year. The current tally for cyberattack-induced power disruptions is zero. And yet security experts agree that the computer systems controlling the electrical power grid, water treatment and control facilities, and gas and oil pipelines are extremely vulnerable to cyberattacks.
In “industrial control systems,” says Dan Scali, senior manager of industrial control systems at the Mandiant division of security company FireEye, there are often “bugs and flaws in the software the manufacturer wrote, [and] in how the software handles communication. There’s a lack of authentication, lack of encryption. These things we take for granted with our bank.”
An attack on the Ukrainian power grid earlier this year, the first known successful hacker takedown of a power grid, put a spotlight on infrastructure vulnerabilities. It also prompted many to ask why we haven’t seen a major cyberattack against critical U.S. infrastructure systems.
“We are essentially defending from high-impact, low-frequency incidents.” — Bryan Owen, cybersecurity manager, OSISoft
The answer, it turns out, is nearly as complicated as the systems themselves. Geopolitical tensions, limitations and redundancies in critical infrastructure hardware, and network vulnerabilities actually make it hard to take down the power grid.
Hacker motivations are another factor.
“Taking down major infrastructure on a national or regional level harms the bad guys as much as the good guys,” says Richard Forno, director of the Graduate Cybersecurity Program at the University of Maryland at Baltimore County. “The Russians [could] shut down the power grid. But if they shut it down, they won’t be able to track us.”
Power grid is more resilient than it looks
Hacking a power plant to prevent it from generating electricity and cause societal disruption, for example, is far more difficult than hacking a phone or laptop, says Sean McBride, lead analyst of critical infrastructure for iSight, a threat intelligence company recently acquired by FireEye.
“The electrical grid is made of so many independent systems that creating a widespread outage is not trivial,” McBride says. “A cyberattack that takes out a significant portion of the grid is not an easy cyberattack.”
Systems supporting the power grid include those that generate, transport, and distribute electricity to industrial, commercial, and residential buildings. Each has a different set of hardware and software, with potentially different security protocols and network configurations, not to mention hardware redundancies in case electricity generation is interrupted. Maneuvering through each security or redundancy layer—and knowing which protocols are in place on sometimes decades old, poorly documented hardware—is far from trivial.
“We are essentially defending from high-impact, low-frequency incidents,” says Bryan Owen, who for 20 years has worked as a cybersecurity manager at OSISoft, which makes software for industrial control systems and other infrastructure hardware. “Of four recent case studies I presented at the SANS ICS Summit, only one reached the industrial control system network. It was an espionage campaign on a soft target; [a] major takedown wasn’t a possible impact.”
Geopolitical tensions might provide motivation and resources to hackers, but they don’t guarantee that a successful attack would have a larger impact than a natural event like an earthquake or hurricane, Scali says. “That would mean maybe rolling blackouts, or two weeks to bring the power back on in New York City. It’s not more significant than a severe weather event.”
No easy fix for critical infrastructure
Despite the challenges attackers face in crippling or even just disrupting critical infrastructure, experts caution that those systems are dangerously exposed and should be made more secure as fast as possible.
McBride and Scali say many critical infrastructure operators aren’t aware of everything operating on their computer networks. They don’t know if the manufacturer of the hardware, such as a sensor or controller, has built a backdoor into it. They might not even have the ability to observe their own network traffic. And many operators, they say, allow engineers to use the same laptop on the corporate network and the hardware control network, potentially exposing the control system hardware to the open Internet.
Addressing these vulnerabilities is difficult. There’s a lack of consensus in the U.S. Congress about how to support infrastructure equipment upgrades and best security practices. There is a lack of oversight among operators about what is happening on on their networks. There’s also a lack of incentive for reporting failed attacks or “near-misses.”
The overarching concern is that a gaping hole of insight into how the systems that provide our power, water, gas, and oil are connected to public computer networks is exacerbating existing vulnerabilities.
“If you don’t want to be eaten by lions,” Forno says, “don’t walk into the lion’s den with steaks taped over your body.”