Posted by Taylor Armerding on October 31, 2018
Officials have warned for decades of a “cyber Pearl Harbor” or “cyber 9/11” kind of attack on the nation’s critical infrastructure. Yet no attack has come. It’s either because our attackers can’t do it or haven’t really wanted to so far—and “can’t” seems less likely every day. Are we prepared for what’s next?
The original version of this article was published in Forbes.
Top U.S. officials have warned for decades of a “cyber Pearl Harbor” or “cyber 9/11” kind of attack on the nation’s critical infrastructure by a hostile nation-state or terrorist group.
One of the latest came just this past July from Director of National Intelligence Dan Coats, who said, “The warning lights are blinking red again,” in much the same way they were prior to the 9/11 attacks.
The warning lights are blinking red again.
—Dan Coats, director of national intelligence
Yet, while there have been multiple cyber attacks on infrastructure in the U.S. and other parts of the world, especially during the past decade, none has taken down even major portions of the grid for weeks or months—a nightmare scenario envisioned in former Nightline anchor Ted Koppel’s 2015 book Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.
Why not? Is it that U.S. enemies, as much as they might want to, simply can’t do it because the nation’s infrastructure is really as diverse and resilient as many experts say it is? Or is it that they don’t really want to, given that if the U.S. goes dark, a lot of other nations’ economies will suffer greatly as well?
Not to mention that if they did it to us, we’d probably be able to do it to them, or unleash a conventional military attack.
“Can’t do” seems less and less likely. Given recent reports and headlines, it seems more likely than not that a major attack is possible for well-organized, well-funded attackers.
Indeed, some expert minds have apparently changed during the past several years.
Bruce Schneier, author, blogger, encryption expert, and chief technology officer at IBM Resilient, has scoffed multiple times in the past at the “Pearl Harbor” or “9/11” imagery. “Throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people,” he said in 2013.
Interesting, then, that five years later he is talking about dead people in his new book, Click Here to Kill Everybody.
He acknowledges early on that the title is “hyperbole,” but one of his main themes is that since everything is becoming not just a computer but also a computer connected to the internet, attacks with physical consequences are increasingly likely—not enough to kill everybody, but potentially enough to kill lots of people.
He noted that the 2016 remote cyber attack on a power plant in Ukraine, allegedly by Russia, using CrashOverride, a malware designed to attack industrial control systems (ICS), was foiled by technicians who detected the attack, shut the plant down, and manually restored power.
But the implications were clear—if a similar attack damaged the equipment and shut down power in the middle of winter, “this would be fatal for many people.”
Bottom line: “Now that everything is a computer, the threats are about life and property. Hackers can crash your car, your pacemaker or the city’s power grid. That’s catastrophic,” he wrote.
Indeed, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), within the Department of Homeland Security, has warned that ICS operators many times don’t even know if their systems are infected, don’t have effective security barriers in place, and don’t have backups for critical systems.
Which falls right in line with the findings in a recent report from FireEye iSIGHT Intelligence that at least 33% of the security vulnerabilities in ICSs are rated high or critical risk.
And those vulnerabilities are of the most basic variety: failure to patch, weak passwords, and flaws in architecture and network segmentation—in other words, failure to practice fundamental “security hygiene.”
The reason? The same one that has been cited for more than a decade: ICSs were never intended to be connected to the internet, and now they are.
Still, a majority of experts say what they have said all along: ICS vulnerabilities are real and serious. They need to be fixed. And yes, there is technically a risk that major portions of the grid, or other critical infrastructure, could be taken down. But they say doomsday rhetoric is, to borrow from Schneier, “hyperbole.” That the chance of an attack that takes down the grid is beyond remote.
“We’re absolutely not close to a Pearl Harbor kind of attack,” said Michael Fabian, principal consultant at Synopsys.
“Yes, it’s possible. But doing something like that would unleash the conventional military might of the U.S. against them.”
Fabian added that, at least when it comes to nation-states, it would also be against their economic interests. “Business is doing really well all over the world right now,” he said.
But, like other experts, he agrees that ICS operators do need to improve their security—a lot. “Of course they do. They’re 10 years behind,” he said, noting that multiple reports have concluded that 90% or more of breaches could have been blocked with basic security measures.
So, given that the theme for the final week of National Cybersecurity Awareness Month is “Safeguarding the Nation’s Critical Infrastructure,” why aren’t things improving?
Certainly not for a lack of rhetoric. For more than 20 years, presidents have been issuing executive orders on improving security in critical infrastructure: Bill Clinton in 1996, George W. Bush in 2001, Barack Obama in 2013, and Donald Trump in 2017.
But rhetoric hasn’t led to much action.
We are less secure than we were 30 years ago.
—Joel Brenner and David Clark, Keeping America Safe: Toward More Secure Networks for Critical Sectors
Joel Brenner, who has held senior posts at NSA and DNI, and David Clark, senior research scientist at the Internet Policy Research Initiative at MIT, issued a report in March 2017 on ICS vulnerabilities that they summarized in a post on the Lawfare blog: “Over a quarter-century this nation spent billions of dollars on cybersecurity for key infrastructure, yet we are less secure than we were 30 years ago.”
They made a number of recommendations that remain relevant today. While they wouldn’t make ICSs bulletproof—nothing can—they would make them far more resilient:
But, of course, that will take money. Fabian said when there was money available from President Obama’s massive 2009 American Recovery and Restoration Act, there was considerable progress in improving infrastructure security.
“But when the money ran out, the smart grid pretty much died,” he said.
Get the latest AppSec news and trends sent directly to you.