We know that cyber attacks can have physical consequences. How does U.S. critical infrastructure fare in terms of cyber security and resilience to attack?
Amid the recent drone and ballistic missile strikes between the U.S. and Iran in the Middle East, the U.S. Department of Homeland Security (DHS) issued a warning about software.
Not that it was phrased exactly that way. The DHS advisory didn’t even use the word “software,” and it covered both physical and cyber risks that could be exploited by a nation-state attacker. But a number of its recommendations—risk analysis, cyber security best practices, vulnerability scanning and patching, and application whitelisting—all involve software.
For good reason.
Software, those endless millions of strings of code, is now very much capable of doing physical things. Some of them we love. They help us keep an eye on our kids, let us turn up the heat in the house from a hundred miles away, help to keep us from rear-ending the driver in front of us, and much more.
But some of them we fear and hate. When attackers exploit vulnerabilities in software, it can help them steal our identities, drain our bank accounts, spy on us and our kids, turn off the heat in our homes from 6,000 miles away, cause power plants to malfunction, create natural gas explosions, and much more.
And as both national security and cyber experts have noted for many years, software can level the “playing field” between nation-state adversaries. A country like Iran, which could never challenge the U.S. militarily, could wreak catastrophic damage with computer keystrokes from thousands of miles away. And that country has issued multiple threats to do so since the recent U.S. drone strike that killed two of its top military commanders.
Cyber attacks on infrastructure also tend to harm civilians more than a missile aimed at an airbase. They can turn out the lights, shut down utilities, and paralyze health care systems.
Ofer Maor, until recently a project management director at Synopsys, told The Independent in 2018, after the DHS acknowledged that hackers working for Russia had infiltrated the control rooms of U.S. utilities, that “it is hard to set a limit on the potential damage hacking industrial control systems can lead to.”
“Imagining an attack that causes a blackout is simple, but imagine a case where a vulnerability in a power plant’s control system can be used to bypass load limitations, driving the power plant to work overtime, leading to an explosion, or reversing a sewer pump to overflow sewers across an entire city,” he said.
Beyond all that, it can be difficult to establish “attribution,” as in “whodunit?” Skilled attackers, like China or Russia, could launch an infrastructure cyber attack and make it look like it came from Iran.
That is what the DHS advisory was about. Noting that “Iran and its proxies and sympathizers have a history of leveraging cyber and physical tactics to pursue national interests,” it said that nation is highly motivated to conduct “disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and [increasingly] … industrial control systems and operational technology.”
The Finland-based cyber security company F-Secure agrees. In an article on cyberthreats, it said, “The Iranian regime has demonstrated greater appetite towards destructive or disruptive cyber-attacks in peacetime than any other nation.”
Which raises several obvious questions. Is U.S. infrastructure really vulnerable to that kind of disruptive destruction? Is a hostile nation-state like Iran capable of launching such attacks? How likely is it to do so?
The answers are anything but simple—most of them filled with nuance and caveats.
There is general agreement that the nation’s infrastructure is vulnerable. The Russia-based cyber security firm Kaspersky issued a report in 2018 that “identified 61 vulnerabilities in industrial and IIoT/IoT systems,” but said the owners of those systems fixed only 29 of them during the year. And 20% of vulnerable ICS (industrial control systems) devices had vulnerabilities ranked as “critical.”
We have also seen that cyber attacks can have physical consequences. Among the most famous is the 2010 Stuxnet attack—attributed to but never officially acknowledged by Israel and the U.S.—which destroyed an estimated 984 uranium enrichment centrifuges in the Iranian nuclear program. Another is the 2015 Russian attack on Ukraine that brought down a portion of that country’s energy grid in the cold of December.
Much less famous but still significant was an intrusion in 2015, for which the Iranians took credit, into the computer controls of the Bowman Avenue Dam in Rye Brook, New York. There was no manipulation of the 20-foot span, since it was under repair and offline, but the message was clear—hackers can get into vulnerable computer-operated infrastructure.
There is much less agreement among experts, however, both about the overall resilience of U.S. critical infrastructure and the likelihood of a catastrophic attack.
Many say “doomsday” scenarios are vastly overblown.
Jacquelyn Schneider, a fellow at the Hoover Institution at Stanford University, wrote recently that while Iran has attacked “American dams, financial systems and government networks, their impact has been short-term, reversible and relatively limited in scope.”
“Tehran is a capable and prolific actor in the realm of cyberwarfare, but it has no proven ability to create large-scale physical damage through cyberoperations,” she wrote.
Michael Fabian, principal consultant at Synopsys, has said that he doesn’t foresee an effort to take down a major part of U.S. infrastructure, because even hostile nation-states are wary of U.S. power. “We’re not going to just sit there and take it,” he said, “and I think our [cyber] capabilities are probably more significant than those of others.”
But Joe Weiss, managing partner at Applied Control Solutions and an expert in ICS, is less optimistic, although he said the current flurry of warnings about Iran misses the main point. “The threat from Iran is real but it’s a red herring,” he said, noting that both Russia and China are greater threats than Iran. But he said the overall security of the control systems running U.S. infrastructure is “worse than it was 20 years ago.”
Weiss, in a recent blog post, said too much of the focus is on protecting the network—which he acknowledges is “indispensable”—and not enough on process control systems.
“We have no way to secure the grid,” he said, “so anybody is a threat.”
Whatever the immediate threat level, however, it is clear that U.S. infrastructure, which has become increasingly “connected” over the past two decades, would benefit from much better security.
Why isn’t that happening? Partially because it is complicated—much more so than downloading a free patch for an app on your phone or laptop.
“Getting updates to ICS systems means getting the vendor to install and retest the system to make sure it works OK,” Fabian has said. “Some vendors are better at this than others and will typically charge for it.”
Beyond that, experts note that fixing vulnerabilities takes significant coordination. ICS software is designed to work in a specific environment that includes a specific OS. And if “approved” patches do become available, it takes planning—sometimes months of planning—to take a system down long enough to install the patch.
Still, as the latest international tension demonstrates, it is long past time to get started on better ICS security, especially because it is such a long, complicated process.
Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, said ICS and IIoT operators should “perform a risk assessment of their deployed software assets,” to include “the current state of software development for the asset, whether it contains any latent software vulnerabilities, and how it is configured.”
As has been demonstrated multiple times, “latent risks like vulnerabilities can provide opportunities for attack should the software asset be deployed in an insecure manner—including one allowing for unaudited remote access,” he said.
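To make that recommendation concrete, here is an added example (not code from the article or from Synopsys): a short Python pass over a constructed ICS/IIoT asset inventory that scores each asset on the points Mackey lists (vendor support state, latent vulnerabilities, configuration) and flags the unaudited remote access case he singles out. Every asset name and value is hypothetical.

```python
# Added example: risk-assessment pass over a constructed inventory of ICS/IIoT
# software assets; the scoring weights are illustrative, not a standard.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    vendor_supported: bool          # does the vendor still maintain and patch it?
    known_vulns: int                # count of unpatched published vulnerabilities
    max_cvss: float                 # worst CVSS base score among them (0.0 if none)
    remote_access: bool             # reachable remotely (VPN, vendor modem, cloud)?
    remote_access_audited: bool     # is that remote access logged and reviewed?

def assess(asset):
    """Return (score, findings). Higher score = higher priority to remediate."""
    score = 0
    findings = []
    if not asset.vendor_supported:
        score += 3
        findings.append("unsupported software: no vendor patches will be produced")
    if asset.known_vulns:
        weight = 4 if asset.max_cvss >= 9.0 else 2   # critical vulns weigh more
        score += weight
        findings.append(f"{asset.known_vulns} latent vulnerability(s), worst CVSS {asset.max_cvss}")
    if asset.remote_access and not asset.remote_access_audited:
        score += 4                                    # the insecure deployment case
        findings.append("unaudited remote access path")
    elif asset.remote_access:
        score += 1
        findings.append("remote access present (audited)")
    return score, findings

def prioritize(assets):
    """Return (name, score, findings) rows sorted by descending risk score."""
    scored = [(asset.name, *assess(asset)) for asset in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)

# Constructed sample inventory (hypothetical names and values)
INVENTORY = [
    Asset("pump-station-hmi", vendor_supported=True, known_vulns=0, max_cvss=0.0,
          remote_access=True, remote_access_audited=True),
    Asset("substation-rtu", vendor_supported=False, known_vulns=3, max_cvss=9.8,
          remote_access=True, remote_access_audited=False),
    Asset("plant-historian", vendor_supported=True, known_vulns=1, max_cvss=6.5,
          remote_access=False, remote_access_audited=False),
]

if __name__ == "__main__":
    for name, score, findings in prioritize(INVENTORY):
        print(f"{score:2d} {name}: {'; '.join(findings) or 'no findings'}")
```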
In short, while software can help you, insecure software can hurt you—badly. And addressing that risk ought to be a priority, no matter the geopolitical situation.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.