May 17, 2012

TSG IntelBrief: The Expanding Cyber Threat to Critical Infrastructure


As of mid-May 2012, the U.S. Department of Homeland Security (DHS) divulged details of an unidentified hacker group's coordinated cyber attacks on gas pipeline delivery systems in the United States. Employing a technique known as spear-phishing, the hackers sent targeted e-mail messages to gas company employees with the aim of illicitly gathering passwords and other personal information that would facilitate unauthorized — and unrestricted — access to the networks. Whether the hackers intended to degrade the pipeline's operations or merely map them in support of possible future attacks remains unknown.

Potential vulnerabilities in the computers that control many utilities and distribution systems were highlighted in 2000 in Australia when an insider tampered with the computers running a sewage plant, causing the spill of millions of gallons of sewage into nearby waterways and canals. In 2007, a U.S. Department of Energy test at Idaho Labs successfully demonstrated the ability of a cyber attack to shut down parts of the electrical grid. Known as the Aurora Experiment, the test unleashed a cyber attack on a replica of a power plant's generator that caused changes in its operating cycle, ultimately creating the circumstances that led it to self-destruct.

In 2011, reports surfaced of foreign hackers, operating from a Russian IP address, who leveraged network data pilfered from the vendor responsible for creating the Illinois water utility system to gain remote control over a water plant. Reportedly in surreptitious control of the system for several months, the hackers finally caused a water pump — and subsequently the entire system — to fail, forcing a major shutdown. (Note: An Internet Protocol, or IP, address is a numerical tag applied to computer system devices that provides both identification and location information.)


The Emergence of the Stuxnet Worm

The same year saw one of the first known instances of malicious software that appeared to be specifically designed to attack critical control systems: the Stuxnet worm was discovered to have caused malfunctions in the computer systems that controlled nuclear centrifuges in Iran. Unlike other types of cyber attacks, which often use phishing techniques to break into a network or implant a backdoor onto a computer, this malware was implanted on computers that were not connected to the Internet. Still, variants of the virus were discovered to have spread far beyond its intended target, to countries ranging from India to the United States. RSA, a security company that manufactures secure ID tokens and user authentication tools for the government and defense industrial base, allegedly suffered a state-sponsored attack that may have been linked to a data breach on the defense contractor Lockheed Martin.


U.S. Financial and Energy Systems at Risk

Attacks on the nation's financial infrastructure have been plaguing the U.S. for years. Internet-based commerce systems routinely fall victim to identity theft and exploitation, leading to fraudulent transactions that rob individuals and companies of millions of dollars. Credit card companies and banks, automated clearing houses, and market trading systems have all been listed by the Federal Bureau of Investigation as having been subject to dramatic increases in online attack.

Unconfirmed press reports allege that hackers outside the U.S. have been attempting to probe the networks that control energy and other critical infrastructure sectors. As infrastructure becomes increasingly reliant on information technology, such as with the more efficient "Smart Grid," many worry that security concerns have been left by the wayside. Although the U.S. has not seen a cyber attack on critical infrastructure that has risen to the level of a national crisis, many security experts warn of such a possibility as nation-states and extraterritorial hacker networks appear to have an interest in developing a large-scale attack capability.

Recognizing these vulnerabilities, the U.S. Government is beginning to take steps to address the problem before a catastrophic event takes place. While most of the current cybersecurity legislation focuses on information sharing between the government and the private sector, the cybersecurity act proposed in the Senate and favored by the White House would allow DHS, in coordination with the National Institute for Standards and Technology, to develop cybersecurity regulations and standards for each of the 17 critical infrastructure sectors identified by Homeland Security Presidential Directive 7, a foundational document for critical infrastructure protection. The National Infrastructure Protection Plan, called for in HSPD-7, focuses on cooperative information sharing between government and the private sector, but does little in the way of prescriptive cybersecurity. The National Response Framework provides an outline for roles and responsibilities in responding to a major cyber attack, but this plan is still in development and critics argue that it amounts to crisis management or triage rather than a preventive framework.


Competing Interests and Confusing Authorities

An ongoing part of the debate is the proper role of the military in protecting critical infrastructure from cyber threats. As much of the nation's critical infrastructure is owned and operated by the private sector, some point to existing laws that prohibit the military from domestic policing and allow it only to offer support to civil authorities in a time of crisis. Others maintain that DHS, the domestic agency tasked with working with the private sector on critical infrastructure protection, lacks the resources, authorities, and manpower to develop effective best practices, let alone compel industry to do anything. Other criticisms of the regulatory approach are that it could create undue burdens on industry, creating box-checking compliance regimes without added security gains, and may stifle innovation in the process. At the same time, civil libertarians charge that information sharing between government and the private sector in the name of national security could lead to serious privacy violations for consumers.

What is certain is that the cyber threat is increasing exponentially, that the public and private sectors are being equally targeted, and that bureaucratic friction continues to hamper efforts to create definitive protection measures to shore up current infrastructure vulnerabilities.

Also available: TSG Specialized Reports: The Soufan Group's world-class network of intelligence analysts produces specialized geopolitical and risk assessment products tailored to the unique needs of our clients in the public and private sectors. We welcome the opportunity to discuss your requirements and explore how our intelligence services can assist you in achieving your strategic objectives. For more information, please contact us at:
