Imagine this scene:
You’re sitting at home one night, happily watching House of Cards on Netflix. Suddenly, the lights go out. You peek through your curtains and see…nothing.
Your whole neighborhood, plunged into blackness. But it’s not only your neighborhood, it’s your whole city. It’s your whole state.
Your power grid has been hacked.
Attacking Critical Infrastructures
Depending on the attack at hand, hackers may have infiltrated the network of your region’s power grid and are holding it ransom for hundreds of thousands of dollars. If this were to be the case, you can be sure that the attackers would have no intention of restoring power until the ransom fee is paid.
Or perhaps they have caused actual harm to the network in an effort to do a whole lot of damage to the economy, public morale and their targeted company all at once.
A Matter of National Concern
Industries such as energy, water treatment, gas and oil providers, telecom, financial, transportation, manufacturing and food production/agriculture, to name a few, are considered industries whose functionality is vital to national safety and/or security. Any attack or loss of service at one of the 16 Critical Infrastructure sectors can cause widespread damage, not only to the company at hand but to regular ol’ citizens in a matter of moments.
As scary as the idea of an attack to one of these sectors sounds, it’s not unprecedented. In December 2015 and again in December 2016, two separate power grids in the Ukraine were hacked. Though the lights went dark in both cases for just a few hours, some very real and dire questions were raised: Just how vulnerable are our nation’s critical infrastructures to attacks? Can attackers also target other critical infrastructures? Are these industries prepared for large scale attacks? How will the public be affected?
The Problem with ICS Networks
Turns out that attacks to critical infrastructures happen more often than most people would probably like to know.
The networks of critical infrastructures, called ICS networks, tend to be made up of a patchwork of technologies, some of which have been in place since the 60’s, and 70’s. Back then, companies didn’t have to worry about being connected to, and therefore exposed by, the Internet because it didn’t exist. As newer technology was introduced to make machine interfaces simpler for plant operators, often this new technology was just slapped on top of the already existing network. At their core, these networks were designed with userability, not security, in mind.
The result is that the networks that lead straight to our nation’s most critical assets are made up of layer upon layer of technologies that don’t always have the greatest level of interoperability. Moreover, since the process of shutting ICS networks down for any periods of time to update/upgrade software has always been considered intolerable, they often run on operating systems that have not been updated in many, many years. In some especially disturbing situations, these operating systems are no longer even supported by their developers, which can force plant operators to use unapproved work-arounds that can lead to even greater vulnerability. Clearly, this creates a situation rife with potential dangers.
The good news is that dispite the lack of security, attacks like these don’t happen every day. Typically, attacks to ICS networks are carried out by nation-state actors with political agendas (though not always) and they have other, preferred attack methods up their sleeves. But they are beginning to occur with greater frequency and that in and of itself is cause for alarm. Some recent attacks “victims” include:
- San Francisco’ s transportation system
- A German steel mill, which was partially blown up by hacked pumps
- A network of Polish trains, which was taken over by a teenager with a homemade device, injuring 12 passengers
- Houston’s water system
- New York City’s dam system, hacked by the Iranians
- Most famous of all, Stuxnet, the worm that shut down Iranian nuclear reactors at Natanz in 2010
The New Cybersecurity Executive Order
With experts warning that we have only begun to see the true force of ICS attacks, the government and even President Trump have taken notice. Last month, Trump signed a new Executive Order that places ICS vulnerabilities in the national spotlight. Now critical infrastructure companies will have to submit reports to Homeland Security who will then pass those reports off to the President’s Office to be evaluated for proper adherence to new standards. Regardless of what you think of his politics, this is a bold move in the right direction towards ensuring that the nation’s most sensitive resources remain secured. What experts hope to see is a gradual upgrading of security and awareness across Critical Infrastructure, one that will ultimately make us all more safe and secure.
The take home for you, sitting there watching Netflix?
The kind of sad, kind of relief-inducing truth is that there isn’t much you can do, save for pooling your money and buying a power plant just so you can make sure it’s up to snuff. On the other hand, vulnerabilities in critical infrastructures have the ability to affect each and every one of us in a scary way, so it’s important to be aware of what’s at stake.