Natural disasters serve as excellent examples of the unforeseen consequences that a cyber-attack against infrastructure will have. Take, for example, a strong windstorm in Wyoming in February 2017. The storm knocked down power lines, forcing water and sewage treatment plants to operate on backup generators, which weren’t available to some of the pumps that moved sewage from low-lying areas to higher ground. As a result, the sewers backed up as the weather continued to prolong the outage. While government officials tasked with disaster planning have long focused on the cascading effects of power outages from natural disasters, only recently have they realized the effects of cyber warfare could be quite similar.
Earlier this year, the U.S. Naval War College held a war game to examine the effects of cyberattacks on critical infrastructure. The result was that “cross-sector dependencies on electricity, transportation, and wastewater systems made significant attacks on these sectors exponentially more deleterious.”
A review of disaster planning research can give examples of the way prolonged power outages could drive consequences few would consider.
Imagine that a hypothetical DDoS attack shuts down a major urban water system. Many of the controls used to cool various systems rely on water. If water cannot be pumped, these systems might turn to backups, which might be limited. That could lead to both a power outage and a telecommunications outage. That, in turn, would lead to diminished cell phone and internet traffic.
Nearly 70 percent of the food Americans eat passes through a vast network of refrigerated warehouses. With no power and no communications, the logistics teams would have no way to keep their products cool and no way to coordinate delivery to other warehouses.
Attacks on infrastructure aren’t merely hypothetical. Just last year, dozens of U.S. utility companies were compromised to such an extent that the hackers could have shut them down. In Ukraine, hackers disrupted the power grid two years in a row, causing hundreds of thousands to lose power.
Who Would Do Such a Thing?
Infrastructure operators can be victims of hackers with any number of motivations, including money, politics or vandalism. The biggest motive for cyberattacks over the past few years has been financial gain – with profit in mind, companies that most likely have the cash to pay ransoms are typically the target. However, there are strong indications that bigger and more organized actors have probed U.S. nuclear power plants, a dam in New York and a network that sits at the center of the global banking system.
Fear of retaliation is likely the best explanation for why a major attack hasn’t occurred. Attackers might want to shut down a major power grid in a target country, but the possibility that the same attack or worse could be perpetrated against them acts as a deterrent. Even more concerning is the threat that cyber-sniping could lead to conventional warfare.
A Stronger Defense
Modern society is built around connected infrastructure services. At the end of the day, the complexity and security of our infrastructure, and its interdependence with other systems, require close attention, more than they have gotten until now.
The demands of business have translated to infrastructure networks that are no longer closed loops, as they were a decade ago. Companies can now gain access to data analytics to constantly measure and optimize machinery performance, saving time and money. And while these advances have certainly resulted in clear gains, they have opened up new attack vectors for attackers.
Just as we’ve seen with countless examples of consumer IoT devices being hacked, when connected technology is introduced to devices and security is left out of the equation, the consequences can be harsh. We must ask ourselves whether we are truly able to protect transportation systems, our financial sector and other critical infrastructure from cyber threats.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.