Cyber attacks on critical infrastructure: Too much to C.H.E.W?

From a cyber attack perspective, 2014 has been a watershed year for the critical infrastructure industry. After generally resisting the notion of vulnerabilities because of the stated traditional controls of "air gaps" between the Internet and power generation equipment and heavy use of "proprietary SCADA IP protocols," the industry has finally had to acknowledge the increased threats and risks to normal service delivery.

Successful attacks and new attack methods – known as vectors – have forced many industries to acknowledge the problem. For example, the prolific cyber-spying campaign known as 'Energetic Bear' reportedly infected more than 2,800 victims around the globe. The attacks targeted a number of critical infrastructure industries including industrial, machinery, manufacturing, pharmaceutical and construction.

Over in the US back in August 2013, former Assistant Defense Secretary for Homeland Defense & Americas' Security Affairs, Dr Paul Stockton, appeared on a panel that specifically discussed cyber security challenges facing the electric sector.

Dr Stockton stated that if a successful computer network hack brings down the grid for a significant period of time, critical lifeline infrastructure is going to fail. Failure of infrastructure such as hospitals, transportation, and food and pharmaceutical distribution could threaten public health and safety.

With cyber attacks rising across the board, we now know more than ever that this issue is a global one, and critical infrastructure companies will face some tough questions to understand how prepared they are for such attacks. For example, how prepared is our power generating industry to protect the populace from such a catastrophic failure? How real is this scenario and what is the trend? If real, what are the mitigation steps and sense of urgency?

So, what is going on? Is this a real concern and, whether it is or not, what are the takeaways?

To borrow an acronym developed by Richard Clarke, a former Special Advisor on cyber security during the Bush administration, the origins of cyber attack risk fall into four major categories, as follows:

  • Cybercrime: The notion that someone is going to attack you with the primary motive being financial gain from the endeavour.
  • Hacktivism: The motive of attacking someone based upon a difference in ideologies. The primary focus of these attacks is not financial but rather to persuade or dissuade certain actions or "voices."
  • Espionage: The straightforward motive of gaining information on another organisation in pursuit of leverage (political, financial, capitalistic, market share, etc.).
  • War (Cyber): This is the notion of a nation-state or transnational threat trying to tear down the centres-of-power of an adversary via a cyber-attack. This could be to target non-military targets like critical infrastructure or financial services, or more traditional targets such as the military industrial complex.

Given these motives, one can clearly see how an average small rural electric utility may find itself inundated with attacks from a range of sources: customers who are not in lock-step with service fee increases, hacktivists who don't condone the methods of power generation, or foreign intelligence operatives who are attempting to find a weak link in our power grid infrastructure.

The task is daunting but is very real. As well as Energetic Bear, attacks such as Stuxnet, Night Dragon, Shamoon and Dragonfly have targeted critical infrastructures around the globe over the past few years and represent harbingers for increased concerns.

You can assemble a list of threats for nearly any industry today, so it may seem unbalanced to call out the power generation industry. However, I believe that the power generation industry in particular needs to rise above the normal corporate culture of security controls and become obsessive about removing risks and compulsive about action.

After all, these organisations may literally be holding life and death decisions in their hands – and this makes their actions rather profound and unique.

In the end, I hope we can agree that the klaxon is sounding and actions need to be impactful to avoid catastrophes.


Adrian Crawley is UK regional director at Radware