Eyes wide shut: The growing threat of cyber attacks on industrial control systems
When industrial control systems are connected to the Internet, they can be vulnerable to cyber attacks. At risk are energy sources and electric grids, water and sewer systems, manufacturing, banks, transportation and communication networks, and other systems that may be targeted by hackers, terrorists, or enemy states seeking to wreak economic havoc. Despite a series of well-publicized cyber attacks in recent years, few companies have taken the steps necessary to isolate industrial control systems and sensitive information, and to limit the damage an attack can inflict. Security is not just a matter of dealing with technical issues, which are fairly straightforward and tactical. The strategic issue is governance: coordinating the efforts of various departments to ensure that information technology works together with physical security, legal counsel, human resources, and operations management.
Keywords: cyber attack, cyber security, denial of service, industrial control systems, Maroochy Shire, RasGas, Saudi Aramco, Stuxnet
Thirteen years ago, a disgruntled sewer system operator in Maroochy Shire, Australia, filled his car with a laptop and radio equipment apparently stolen from his employer and drove around giving radio commands to the pumps and valves that controlled the local sewers. Pumping stations went haywire. Raw sewage poured into local waterways. Creek water turned black, fish died, and the stench was appalling (Brenner, 2011). This was an early warning of the danger inherent in connecting industrial control systems to the Internet, but Maroochy Shire was far away, and very few people were paying attention.
Nasty things that start on the other side of the world have a way of ending up on one's own doorstep, however, and the vulnerability to electronic mayhem of control systems that run railway switches, air traffic control systems, manufacturing, financial systems, and electric grids is now an endemic condition. In Brazil, a cyber attack in 2007 plunged more than three million people into total darkness and knocked the world's largest iron ore producer offline, costing that one company alone about $7 million (CBS News, 2009).1
Bulletin of the Atomic Scientists 69(5) 15–20. © The Author(s) 2013. Reprints and permissions: sagepub.co.uk/journalsPermissions.nav. DOI: 10.1177/0096340213501372. http://thebulletin.sagepub.com
The world's superpower is not invincible either. Today the North American electric grid is being attacked ferociously and often, sometimes by intruders so skillful that government help is needed to fend them off. Municipal water and sewer systems are also vulnerable. Even the US military recently warned that it can't guarantee its own operations under a sophisticated cyber attack, and that US allies are in the same position.2
And as Edward Snowden has demonstrated, a lone subcontractor can gain access to highly classified intelligence, which in turn could confirm that the United States has penetrated networks in other countries.
Although military and intelligence vulnerabilities are of obvious concern, frequent and intense cyber attacks are aimed at businesses. Attacks can originate with foreign rivals seeking proprietary information, hackers exacting revenge or looking for lucrative loopholes, or even terrorists hoping to wreak economic havoc. Few companies are willing to isolate industrial control systems from the Internet. Securing information is not just a matter of technical knowhow, but also of coordinating the efforts of various departments to ensure that information technology works hand in hand with physical security, legal counsel, and human resources.
Connecting everything
The roots of the Internet go back to the 1960s. It was created to enable collaboration among a small, trusted group of scientists in government and at a few geographically dispersed universities. But as its inventors ruefully admit, they built it with no security layer. They saw no need for it. In fact, until 1992, it was against the law in the United States to use the Internet for commercial purposes, and almost no one outside the United States was using it at all. When the US Congress removed that prohibition, it unleashed a productivity surge and a behavioral revolution that brought wealth and pleasure to hundreds of millions of people. Unnoticed by almost everyone, however, it also created extraordinary vulnerabilities.
The United States, and the rest of the world after it, took this porous communications network and turned it into the backbone of national and international financial institutions, personal finance, controls on critical infrastructure, virtually all communications including military command and control, and much else besides. Everything companies do runs on the Internet or is exposed to it. Governments run on it. Air traffic control and rail switches run on it. The heating and ventilation in workplaces run on it. Yet because the Internet was engineered with no security layer, it's basically a masquerade ball. It is impossible to be certain of the identity of individuals communicating via the Internet, and it is beyond the capability of most people to discern whether a message that looks like mere content is in fact an executable instruction to perform malicious operations. The distinction between content and action has dissolved: Electrons do things, they don't merely represent information.
Most industrial control systems still in use today have a life span of 10 to 20 years, sometimes longer, and were designed at least a generation ago, before ubiquitous connectivity became a fact of life. They were not networked and they were meant to be physically isolated, so these systems had no built-in electronic security features. The efficiencies gained by connecting devices to the Internet became quickly apparent, however. Once networked, they could be managed from afar, and dispersed systems could be managed together. They could also be penetrated.
Since about the year 2000, the public has become painfully aware that personal information, company secrets, and even government secrets can be stolen electronically with ease. An intruder who can penetrate an electronic system to steal information from it can also corrupt the information on that system, make it go haywire, or shut it down entirely. That's what happened in Maroochy Shire. It also happened in Venezuela during the winter of 2002 to 2003, when strikers targeted systems that controlled the loading of tankers, disrupting harbor operations (Siemens Totally Integrated Automation, 2010). As this attack demonstrated, information security and operational security have converged, and both have become radically more fragile as a result.
Wake-up calls
Cyber network attackers know how to physically destroy equipment with nothing more than a keyboard and mouse. In 2007, in an experiment run by the Idaho National Laboratory, researchers blew up a diesel-electric generator by taking over its controls remotely, opening and closing breakers, and inducing rapid changes in the electricity cycles that powered the machine. Such attacks would be difficult to carry out, but they can be done. With an insider's help, they may not be difficult at all.
The Idaho experiment was a wake-up call for owners and operators on the electric grid, but many of them hit the snooze button and went back to sleep. Large parts of the grid remain vulnerable to this kind of attack today because some managers just don't want to hear the message (Brenner, 2011).
The alarm bells got much louder in 2010 in an operation known as Stuxnet, named after malware that was surreptitiously inserted into the Siemens control systems running the centrifuges in Iran's uranium enrichment program. About 1,000 centrifuges spun out of control and were physically destroyed. Stuxnet was an extraordinarily sophisticated, multi-step attack that employed at least four separate, previously unknown vulnerabilities in Microsoft operating systems. It is widely believed to be the work of the US and Israeli intelligence services. But while inventing Stuxnet required exceptional skill and resources, copying it does not. Its methods have now been laid out cookbook-style for the edification of aspiring but less gifted operators the world over.
Another alarm bell rang in August 2012, when attackers invaded 30,000 computers at the Saudi Arabian oil company Saudi Aramco. Most US officials and well-placed but anonymous private sources in the Middle East attribute these attacks to front organizations operating under the control or direction of the Iranian government. The information on the computers was wiped clean, and the machines themselves turned into junk. The attack failed to disrupt oil production but was highly destructive.
Attackers launched a similar but less well publicized attack against RasGas, a company in Qatar that produces liquefied natural gas, during the same month (Reed, 2013; Reuters, 2012; Walker, 2012). The message is no longer deniable: Owners and operators of industrial control systems anywhere in the world must now realize they are vulnerable and face real threats. Attacks against such systems are not science fiction. They will continue to occur, probably with increasing frequency, and they can be undertaken by politically motivated vandals as well as terrorist groups and national states.
Since September 2012, US banks have been under intense distributed denial-of-service attacks that have disrupted services and have cost tens of millions of dollars to fend off. Anonymous forensic experts in the US government and private sector attribute these attacks to Iran. Denial-of-service attacks are nothing new, but they are now occurring with ferocious intensity, and the banks have not been oblivious to the destruction wreaked on Saudi Aramco and RasGas. If one or more major banks could be taken down, the consequences for the world financial system could be disastrous. Bank security officers have so far stayed ahead of the game, but they are nervous. So are the smarter security officers at major electricity-generating operations, who realize they are no match for attackers sponsored by a nation-state with first-rate capabilities.
Fortunately neither Russia nor China has any interest in launching such an attack, because the aftershocks from economic disaster in the United States could bring them to their knees. Nor do sophisticated state-sponsored criminals want to destroy an economic system they exploit. It is cold comfort, however, when a nation abandons its defense to the goodwill of adversary states and international criminals. And as the attacks on Saudi Aramco, RasGas, and US banks have shown (not to mention Al Qaeda's attacks on New York and London), some of America's adversaries would be happy to see its economy in a shambles. Iran, with its economy crippled by United Nations and Western sanctions, would probably return the favor if it could. Cyber attack capabilities are a matter of expertise rather than capital, and expertise, like water, finds its own level over time. When an attacker gets help from an insider, the time can be quite short.
Getting it right
The goals for any business today are to make itself harder to attack and to limit the damage an attack can inflict. Wherever possible, control systems should be isolated from the Internet. That accomplishes both goals at one stroke. If business executives can't or won't isolate control systems, they must think deeply about strategic defense and resilience. Undoubtedly, some of the challenges involve money and technology. To control risk, managers must know who is on their system, what hardware and software are running on the system, and what traffic is going through the system. It's startling to see how many companies can't do any of these things, and how few can do them all.
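The three questions in the paragraph above (who is on the system, what is running on it, what traffic passes through it) and the rule that control systems be isolated from the Internet can be checked mechanically against an asset inventory and exported flow records. The script below is an added example and is not part of the article or of any product it mentions; the control-system subnet (10.20.0.0/24), the inventory, the allowed jump-host subnet (10.10.5.0/24) and the flow records are all constructed for illustration, and the "Internet" is defined as any address outside the RFC 1918 ranges.

```python
"""Audit flow records against a control-system segment's inventory and isolation rule.

Added example, not from the article. Every address, host and flow below is constructed.
Flows are (src, dst, dst_port, protocol), the shape of a typical firewall or NetFlow export.
"""
import ipaddress

# Assumed control-system segment and the organisation's internal (RFC 1918) address space.
ICS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Non-ICS internal networks permitted to talk to the segment (assumed: one jump-host subnet).
ALLOWED_PEERS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed asset inventory: "what hardware and software are running on the system".
INVENTORY = {
    "10.20.0.10": "PLC (vendor firmware, constructed entry)",
    "10.20.0.11": "HMI workstation",
    "10.20.0.20": "process historian",
}

# Constructed flow records; the comments state what each one should be judged as.
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.10", 502, "tcp"),      # HMI -> PLC inside the segment: expected
    ("10.20.0.20", "10.10.5.4", 443, "tcp"),       # historian -> allowed jump host: expected
    ("10.20.0.10", "203.0.113.7", 443, "tcp"),     # PLC -> Internet: isolation is broken
    ("10.20.0.99", "10.20.0.10", 502, "tcp"),      # un-inventoried host on the segment
    ("198.51.100.23", "10.20.0.11", 3389, "tcp"),  # Internet -> HMI: isolation is broken
    ("10.30.0.5", "10.20.0.20", 445, "tcp"),       # corporate desktop not on the allow list
]


def is_internet(addr):
    """True when the address lies outside every internal range (our definition of 'Internet')."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def is_allowed_peer(addr, segment=ICS_SEGMENT, peers=ALLOWED_PEERS):
    """True for hosts inside the segment or inside an explicitly allowed peer network."""
    ip = ipaddress.ip_address(addr)
    return ip in segment or any(ip in net for net in peers)


def audit_flows(flows, inventory=INVENTORY, segment=ICS_SEGMENT):
    """Return (finding, flow) pairs for every flow touching the segment that breaks a rule:
    an un-inventoried host on the segment, traffic to or from the Internet, or a peer
    that is neither on the segment nor on the allow list."""
    findings = []
    for flow in flows:
        src, dst, _port, _proto = flow
        ends_in_segment = [a for a in (src, dst) if ipaddress.ip_address(a) in segment]
        if not ends_in_segment:
            continue  # does not touch the control segment; out of scope for this audit
        for host in ends_in_segment:
            if host not in inventory:
                findings.append(("unknown host on ICS segment", flow))
        if is_internet(src) or is_internet(dst):
            findings.append(("ICS segment exchanging traffic with the Internet", flow))
        elif not (is_allowed_peer(src) and is_allowed_peer(dst)):
            findings.append(("ICS segment reached by a peer not on the allow list", flow))
    return findings


def summarize(findings):
    """Count findings by kind, the figure a manager would actually be shown."""
    counts = {}
    for kind, _flow in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for kind, flow in results:
        print(f"{kind}: {flow}")
    print(summarize(results))
```

Run against the constructed flows the audit reports four findings: two Internet-bound or Internet-sourced exchanges, one host on the control segment that nobody inventoried, and one internal peer outside the allow list. Replacing SAMPLE_FLOWS with a real export and INVENTORY with the real asset list turns the same logic into a recurring check on the isolation claim.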
The prevailing view is that information security is a purely technical problem that the business people should not have to think about. This is a profound error, as if systems can operate securely without reference to how, when, and where they will be used, and by whom; as if information can be secure without regard to rules of access or operations. Breaches are nearly always enabled by multiple factors, and organizational failure and human carelessness are two of the most common.
With many companies, the technical issues are fairly straightforward, and they are utterly tactical.3 The strategic issue is almost invariably governance. Cyber security involves legal issues, human resources practices and policies, operational configurations, and technical expertise. But none of the people overseeing these areas (the general counsel, the human resources director, the chief operating officer, or the information technology director) owns the problem. This makes cyber security a risk management and governance challenge that must be dealt with at the c-suite level, because unless these people attack the problem together, it cannot be managed effectively. Unfortunately, this rarely happens. Network governance is especially difficult for multinational corporations, which must operate under different legal regimes and must often cope with serious intramural rivalries.
In many cases, integration is a challenge even within the corporate security apparatus. Operational and physical security (guns, gates, and guards) are traditionally run by the corporate cops. Information security is traditionally run by the geeks in the wire closet. These two groups do not speak the same language, have different social and educational backgrounds, and do not usually get along. But bifurcating security is no longer intelligent. Doors, alarms, and other physical security measures are largely run out of that wire closet now. And when the CEO visits a dangerous place, his or her calendar is probably on Outlook, where it is exposed to potential kidnappers. Unless security is integrated throughout an organization, it's hard to get it right.
In 99 cases out of 100, when the CEO reads an article like this and asks his chief information officer about it, the CIO says, "Don't worry, boss. We've got this covered." Verizon's most recent annual data breach investigations report, however, says that 69 percent of breaches in 2012 were discovered by third parties (Verizon, 2013). My advice to the boss: You may want to figure this out yourself.
Funding
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.
Notes
1. The Brazilian government and the utility blamed the blackout on maintenance that failed to remove sooty deposits from insulators. In May 2009, however, President Barack Obama said in a speech: "In other countries cyberattacks have plunged entire cities into darkness" (White House, 2009). Presidents don't make that kind of statement without validated intelligence. Richard Clarke, former special adviser to President George W. Bush on cybersecurity, referred to Brazil by name in an interview with Wired magazine later that year.
2. "The United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities . . . [T]his is also true for others (e.g. Allies, rivals, and public/private networks)" (US Department of Defense, 2013: 9).
3. This is based on the author's experience and the companies that he works with directly.
References
Brenner J (2011) America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. New York: Penguin.
CBS News (2009) Cyber war: Sabotaging the system. 60 Minutes, November 8. Available at: www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml.
Reed J (2013) Were last year's cyberattacks on Saudi Aramco worse than reported? January 16. Available at: http://killerapps.foreignpolicy.com/posts/2013/01/16/were_last_years_cyber_attacks_on_saudi_aramco_worse_than_reported.
Reuters (2012) Aramco says cyberattack was aimed at production. December 9. Available at: www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html.
Siemens Totally Integrated Automation (2010) Building a cyber secure plant. September 30. Available at: www.totallyintegratedautomation.com/building-a-cyber-secure-plant/.
US Department of Defense (2013) Resilient Military Systems and the Advanced Cyber Threat. Task Force Report for the Defense Science Board, January. Available at: www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf.
Verizon (2013) 2013 Data Breach Investigations Report. Study conducted by the Verizon RISK Team. Available at: www.verizonenterprise.com/DBIR/2013/.
Walker D (2012) Natural gas giant RasGas targeted in cyber attack. SC Magazine, August 31. Available at: www.scmagazine.com/natural-gas-giant-rasgas-targeted-in-cyber-attack/article/257050/.
White House (2009) Remarks by the President on securing our nation's cyber infrastructure. May 29. Available at: www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure.
Author biography
Joel F. Brenner was the inspector general and senior counsel of the National Security Agency from 2002 to 2006 and 2009 to 2010, respectively, and the head of US counterintelligence strategy and policy from 2006 to 2009. He is the author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (Penguin, 2011). He practices law and consults on security issues through Joel Brenner LLC.
Copyright of Bulletin of the Atomic Scientists is the property of Bulletin of the Atomic Scientists and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.