Software Integrity

 

‘Cyber Pearl Harbor’ unlikely, but critical infrastructure needs a major upgrade | NCSAM at Synopsys

Officials have warned for decades of a “cyber Pearl Harbor” or “cyber 9/11” kind of attack on the nation’s critical infrastructure. Yet no attack has come. It’s either because our attackers can’t do it or haven’t really wanted to so far—and “can’t” seems less likely every day. Are we prepared for what’s next?

‘Cyber Pearl Harbor’ unlikely, but critical infrastructure security needs an upgrade

The original version of this article was published in Forbes.

Top U.S. officials have warned for decades of a “cyber Pearl Harbor” or “cyber 9/11” kind of attack on the nation’s critical infrastructure by a hostile nation-state or terrorist group.

One of the latest came just this past July from Director of National Intelligence Dan Coats, who said, “The warning lights are blinking red again,” in much the same way they were prior to the 9/11 attacks.

The warning lights are blinking red again.
Dan Coats, director of national intelligence

Yet, while there have been multiple cyber attacks on infrastructure in the U.S. and other parts of the world, especially during the past decade, none has taken down even major portions of the grid for weeks or months—a nightmare scenario envisioned in former Nightline anchor Ted Koppel’s 2015 book Lights Out: A Cyberattack, a Nation Unprepared, Surviving the Aftermath.

Why not? Is it that U.S. enemies, as much as they might want to, simply can’t do it because the nation’s infrastructure is really as diverse and resilient as many experts say it is? Or is it that they don’t really want to, given that if the U.S. goes dark, a lot of other nations’ economies will suffer greatly as well?

Not to mention that if they did it to us, we’d probably be able to do it to them, or unleash a conventional military attack.

“Can’t do” seems less and less likely. Given recent reports and headlines, it seems more likely than not that a major attack is possible for well-organized, well-funded attackers.

Change of heart among experts

Indeed, some expert minds have apparently changed during the past several years.

Bruce Schneier, author, blogger, encryption expert, and chief technology officer at IBM Resilient, has scoffed multiple times in the past at the “Pearl Harbor” or “9/11” imagery. “Throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people,” he said in 2013.

Interesting, then, that five years later he is talking about dead people in his new book, Click Here to Kill Everybody.

He acknowledges early on that the title is “hyperbole,” but one of his main themes is that since everything is becoming not just a computer but also a computer connected to the internet, attacks with physical consequences are increasingly likely—not enough to kill everybody, but potentially enough to kill lots of people.

Secure the cyber-physical systems that affect your business.

He noted that the 2016 remote cyber attack on a power plant in Ukraine, allegedly by Russia, using CrashOverride, a malware designed to attack industrial control systems (ICS), was foiled by technicians who detected the attack, shut the plant down, and manually restored power.

But the implications were clear—if a similar attack damaged the equipment and shut down power in the middle of winter, “this would be fatal for many people.”

Bottom line: “Now that everything is a computer, the threats are about life and property. Hackers can crash your car, your pacemaker or the city’s power grid. That’s catastrophic,” he wrote.

ICS-CERT warns of immediate dangers

Indeed, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), within the Department of Homeland Security, has warned that ICS operators many times don’t even know if their systems are infected, don’t have effective security barriers in place, and don’t have backups for critical systems.

Which falls right in line with the findings in a recent report from FireEye iSIGHT Intelligence that at least 33% of the security vulnerabilities in ICSs are rated high or critical risk.

And those vulnerabilities are of the most basic variety: failure to patch, weak passwords, and flaws in architecture and network segmentation—in other words, failure to practice fundamental “security hygiene.”

The reason? The same one that has been cited for more than a decade: ICSs were never intended to be connected to the internet, and now they are.

Still, a majority of experts say what they have said all along: ICS vulnerabilities are real and serious. They need to be fixed. And yes, there is technically a risk that major portions of the grid, or other critical infrastructure, could be taken down. But they say doomsday rhetoric is, to borrow from Schneier, “hyperbole.” That the chance of an attack that takes down the grid is beyond remote.

“We’re absolutely not close to a Pearl Harbor kind of attack,” said Michael Fabian, principal consultant at Synopsys.

“Yes, it’s possible. But doing something like that would unleash the conventional military might of the U.S. against them.”

Fabian added that, at least when it comes to nation-states, it would also be against their economic interests. “Business is doing really well all over the world right now,” he said.

But, like other experts, he agrees that ICS operators do need to improve their security—a lot. “Of course they do. They’re 10 years behind,” he said, noting that multiple reports have concluded that 90% or more of breaches could have been blocked with basic security measures.

All talk, no walk in critical infrastructure security

So, given that the theme for the final week of National Cybersecurity Awareness Month is “Safeguarding the Nation’s Critical Infrastructure,” why aren’t things improving?

Certainly not for a lack of rhetoric. For more than 20 years, presidents have been issuing executive orders on improving security in critical infrastructure: Bill Clinton in 1996, George W. Bush in 2001, Barack Obama in 2013, and Donald Trump in 2017.

But rhetoric hasn’t led to much action.

We are less secure than we were 30 years ago.
—Joel Brenner and David Clark, Keeping America Safe: Toward More Secure Networks for Critical Sectors

Joel Brenner, who has held senior posts at NSA and DNI, and David Clark, senior research scientist at the Internet Policy Research Initiative at MIT, issued a report in March 2017 on ICS vulnerabilities that they summarized in a post on the Lawfare blog: “Over a quarter-century this nation spent billions of dollars on cybersecurity for key infrastructure, yet we are less secure than we were 30 years ago.”

They made a number of recommendations that remain relevant today. While they wouldn’t make ICSs bulletproof—nothing can—they would make them far more resilient:

  • Isolate critical infrastructure networks from public networks.
  • Build simpler, and more secure, hardware and software. “We know how to make simpler stuff, but no one will do it unless assured of a market. If the departments of defense, homeland security, and energy would support a market for more secure versions of commercial products, the demand would be there,” they wrote.
  • Reduce the number of regulatory and compliance standards. As they put it, “A publicly traded electric utility, for example, must comply with differing and sometimes inconsistent cybersecurity standards issued by the National Institute for Science and Technology (NIST), by credit card issuers, by state and federal energy regulators, and by the SEC. This is overkill.”

But, of course, that will take money. Fabian said when there was money available from President Obama’s massive 2009 American Recovery and Restoration Act, there was considerable progress in improving infrastructure security.

“But when the money ran out, the smart grid pretty much died,” he said.

 

More by this author