It’s likely only a matter of time before a major cyber attack hits U.S. civilian infrastructure, but the nature of that digital violation and the means to respond remain uncertain, as many of the most sensitive systems operate under private sector control.
There is a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack” against U.S. critical infrastructure, warned a new report issued last week by the Department of Homeland Security’s National Infrastructure Advisory Council (NIAC).
“We call on the Administration to use this moment of foresight to take bold, decisive actions,” wrote the report’s authors.
The council released the report just before a number of members resigned, citing concerns that President Donald Trump was not taking cybersecurity risks seriously, despite his May executive order emphasizing the threat.
But while such an attack might significantly disrupt daily life and the economy, the actual tangible effects would be far less than a physical attack such as Pearl Harbor or 9/11; thousands of deaths are unlikely. And the true cyber threat to critical infrastructure would likely come from multiple campaigns – “death by a thousand cuts” – not just one singular event.
As James Clapper, the former Director of National Intelligence and Cipher Brief expert, noted in the U.S. Intelligence Community’s 2015 Worldwide Threat Assessment, the “likelihood of a catastrophic attack from any particular actor is remote at this time.” Instead, according to Clapper, a greater threat flows from “an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
At the same time, nations continue to incorporate cyber capabilities as a component of conflict. This includes the targeting of U.S. critical infrastructure, which involves a broad range – perhaps too broad – of some 17 sectors crucial to the functions of the American economy and society. These include energy production, transportation centers, financial institutions, critical manufacturing, health systems, the defense industrial base, water and waste management, food and agriculture, and – added in December after Russian probing of voter systems – the nation’s election infrastructure.
What many of these sectors have in common is the intersection of digital and analog systems – the bridge between the virtual and physical realms. If coupled with the correct understanding of the engineering process involved in, for example, the movement of oil through the 2.6 million miles of U.S. pipeline, hackers could tell an industrial control system (ICS) that the flow of oil has halted, causing automated operational systems to begin pumping until there is a pressure blast.
The threat goes beyond the hypothetical. The Stuxnet attack, a reportedly U.S.-Israeli joint operation discovered in 2010, targeted the Iranian nuclear enrichment facility at Natanz. That operation destroyed some 1,000 uranium enrichment centrifuges by drastically altering the speed at which they were rotating.
The physical effects of the Stuxnet worm likely set back Iran’s nuclear ambitions significantly and may have contributed to Tehran’s willingness to engage in negotiations. More than that, the psychological impact must have been considerable given that throughout the campaign, Iranian screens continued to show normal readings, undermining the confidence of operators monitoring their systems.
“Manipulating data, also known as spoofing, is a major threat to confidence in what we see on our screens,” said Todd Rosenblum, the former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs at the Pentagon and current Senior Executive for National Security Programs and Strategy at IBM.
“Losing confidence in what our screens tell us can be crippling to our psychological and actual dependency on digital information. It is, in many ways, more significant than the impact of one-off physical events triggered by digital means,” he said.
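The pipeline scenario above and the Stuxnet case both turn on the same weakness: operators trusting a single reported value while the physical process does something else. One defensive response is to cross-check the value shown on the screen against independently metered quantities that a spoofed reading cannot easily keep consistent. The following Python script is an added illustration of that plausibility check; it is not code from the article or from any vendor, and the sensor names, thresholds and telemetry values are all constructed assumptions chosen to mirror the oil-flow example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed telemetry record. flow_reported is what the HMI displays and is the
# value an attacker would try to spoof; pump_power_kw and pressure_psi are assumed
# to come from independent meters that are harder to falsify consistently.
@dataclass
class Reading:
    t: int               # sample index (seconds, hypothetical)
    flow_reported: float  # barrels/min as shown on the operator screen
    pump_power_kw: float  # electrical load on the pump motor (independent meter)
    pressure_psi: float   # downstream line pressure (independent sensor)

# Assumed engineering limits for the illustration; real values are site specific.
MAX_PRESSURE_PSI = 900.0   # above this the line is at risk
PUMP_IDLE_KW = 5.0         # a stopped pump should draw no more than this
FLOW_ZERO = 0.5            # reported flow below this counts as "halted"
PRESSURE_RISE_TOL = 10.0   # tolerated rise between samples when flow is halted


def check_consistency(readings: List[Reading]) -> List[Tuple[int, str]]:
    """Return (sample index, rule name) pairs for every physically implausible sample.

    Each rule compares the displayed flow against an independent quantity, so a
    spoofed "flow halted" reading is caught unless the attacker also falsifies
    the pump load and the pressure trend in a mutually consistent way.
    """
    alerts: List[Tuple[int, str]] = []
    for prev, cur in zip(readings, readings[1:]):
        halted = cur.flow_reported < FLOW_ZERO
        # Rule 1: screen says flow has stopped, but the pump is still under load.
        if halted and cur.pump_power_kw > PUMP_IDLE_KW:
            alerts.append((cur.t, "flow-zero-but-pump-under-load"))
        # Rule 2: screen says flow has stopped, yet downstream pressure keeps climbing.
        if halted and cur.pressure_psi > prev.pressure_psi + PRESSURE_RISE_TOL:
            alerts.append((cur.t, "flow-zero-but-pressure-rising"))
        # Rule 3: absolute safety limit, independent of what the screen shows.
        if cur.pressure_psi > MAX_PRESSURE_PSI:
            alerts.append((cur.t, "pressure-over-limit"))
    return alerts


def first_alert_time(readings: List[Reading]):
    """Earliest sample index that triggered any rule, or None if all consistent."""
    alerts = check_consistency(readings)
    return alerts[0][0] if alerts else None


# Constructed sample: three normal samples, then the displayed flow drops to zero
# while the independent pump and pressure meters show the line is still being fed.
SAMPLE_TELEMETRY = [
    Reading(0, 120.0, 40.0, 600.0),
    Reading(1, 121.0, 41.0, 602.0),
    Reading(2, 119.0, 40.0, 601.0),
    Reading(3, 0.0, 42.0, 640.0),   # spoofed flow begins here
    Reading(4, 0.0, 43.0, 700.0),
    Reading(5, 0.0, 44.0, 780.0),
    Reading(6, 0.0, 45.0, 870.0),
    Reading(7, 0.0, 46.0, 960.0),   # now also over the absolute limit
]

if __name__ == "__main__":
    for t, rule in check_consistency(SAMPLE_TELEMETRY):
        print(f"t={t}: {rule}")
```

On the constructed data the first inconsistency is flagged at sample 3, four samples before the pressure limit alone would have tripped. The design point is that the alert logic never relies solely on the value an operator sees; it needs a second, independently measured quantity, which is the same reasoning behind keeping analog gauges and out-of-band sensors on a process that a compromised control network could misreport.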
A more likely vision of the future of cyber attacks came in 2015 and 2016, with the disruption of the Ukrainian power grid. The 2015 campaign was attributed to the Sandworm team, which leveraged a variant of the BlackEnergy malware – both linked to Russian intelligence – that left over 200,000 without power for some six hours by entering a network and hijacking legitimate commands to disconnect power distribution at substations.
The operation required a detailed understanding of how the Ukrainian power grid was assembled and the engineering processes involved. Those details were then codified and automated into malware dubbed CrashOverride in a follow-on attack that took place in December 2016.
Given how escalatory an attack on critical infrastructure would be, such attacks will probably feature only in ongoing conflicts, such as the one between Russia and Ukraine, or should open warfare break out between North and South Korea, or between China and Taiwan.
Robert M. Lee, a former Cyber Warfare Operations Officer in the U.S. Air Force who founded Dragos, an industrial cybersecurity company that investigated the cyber attacks on the Ukrainian power grid, said that the new CrashOverride malware is “basically a framework to be able to scale what was done [in Ukraine] and it is immediately usable all throughout Europe,” and with a little tailoring, within the U.S. power grid.
“We see a capability that is not designed just for the localized conflict in Ukraine, but something that can impact others around the world,” Lee told The Cipher Brief. “And whether or not adversaries ever use it, that tradecraft is now public for anybody to adopt.”
While the vast majority of cyber campaigns against U.S. industrial systems are a mix of cybercrime and espionage – with Homeland Security responding to some 1,200 instances involving industrial control systems between 2009 and 2015 – the mapping of industrial computer networks and theft of engineering blueprints could signal a move by adversaries to more destructive cyber attacks.
“Some of this probing is for industrial espionage and traditional intelligence gathering,” said Rosenblum. “Some of it is for what the U.S. military calls operational preparation of the battlefield environment. Regardless of the intent, the reconnaissance is robust and making national critical infrastructure more vulnerable to digital and insider threat vectors.”
The reconnaissance process, however, is labor intensive, and the pivot to attack requires a keen understanding of how each industrial system is assembled. No two industrial infrastructures are the same, even if they rely on the same vendors or equipment. This means that even a cyber-savvy foreign power, such as Russia or China, must focus its efforts on specific targets if it wishes to create substantial physical effects.
“When I see 14-plus sites in the U.S. getting targeted, maybe it’s just a new operations team that got activated in some foreign country and are trying to build their target portfolios. Maybe there is also an agenda as well around scaring politicians,” Lee said.
“But if I see only one breach of infrastructure, or just a handful coming from a foreign power, and they start stealing things like engineering documents, that’s when I get concerned because now they have an actual ability to attack,” he added.
The front line of defense for many of these systems is what is known as an air gap, where the industrial control systems operate in isolation from broader networks such as the public internet. But air gaps are not infallible, and persistent, well-resourced hackers can and will gain entry into critical networks.
Complicating the matter further, the vast majority of U.S. critical infrastructure is owned and operated by the private sector, inhibiting the flow of sensitive intelligence from government to companies on threats to critical infrastructure.
The NIAC report urges industry to set up an automated machine-to-machine cyber threat information sharing mechanism, while calling on government to expedite the process of granting security clearance to executives and further declassify cyber threat information.
Given that critical industries – for instance, energy production and the power grid – often depend on one another, there is also a need to prioritize certain sectors and create analog disconnects that enable resilience against cascade failure.
While national critical infrastructure is of course the priority, policymakers now must also consider how to approach industrial infrastructure in allied countries that could have ripple effects against the United States. The 2012 Shamoon attack against Saudi oil giant Aramco demonstrated the vulnerability created by the U.S.’ interdependence with other nations – such as those that provide large quantities of the West’s petroleum.
“This is an important gap,” Rosenblum said. “We have, for example, co-dependencies with Mexico and Canada for energy, transportation, emergency response, and communications.”
While the threat of catastrophic cyber attack against U.S. infrastructure remains plausible, such attacks are still reserved for those that not only have the skills and resources to do so, but also the intent. Even then, deterrence through threat of kinetic retaliation or even mutual cyber vulnerability could sway adversaries from choosing to cross the line from digital espionage to cyber-enabled physical disruption.
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.