A serious potential malware threat has been detected on the systems that control many aspects of critical infrastructure in the United States. These industrial control systems (ICS) manage the operation of valves, turbines, and other physical devices that are essential to manufacturing, electricity generation, and water services.
Because ICS form a bridge between the cyber domain and physical infrastructure, access to them carries the potential to cause substantial physical damage. One example of this is Stuxnet, arguably one of the most well-known cyber-weapons ever deployed. Stuxnet, believed by many to have been launched by the United States and Israel, targeted the systems that controlled the speed at which Iranian nuclear centrifuges spun, and caused them to spin too fast, which resulted in the destruction of the centrifuges. The precedent set by Stuxnet demonstrates that the potential for damage caused through a cyber-attack on ICS is a very real threat, and one that remains largely under-addressed.
Even minor disruptions in ICS for critical industries can have huge repercussions for the people who depend upon them. For example, in December 2015 over 80,000 people in western Ukraine lost access to power after Russia-affiliated hackers used malware to attack ICS that were essential to the Ukrainian power grid. The hackers used a program called BlackEnergy to disrupt the functions of the Prykarpattyaoblenergo power plant in western Ukraine, which resulted in the blackout. The same malware is also present on critical ICS in the United States. The Department of Homeland Security reported in 2014 that U.S. critical infrastructure has been systematically infected with BlackEnergy malware since 2011. Security experts from DHS believe it may be an attempt by Russia to deter the U.S. from acting against it militarily.
The true extent of the threat to ICS systems is difficult to gauge. According to Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, BlackEnergy is not a new threat. The issue, he says, is that BlackEnergy has become more effective as an attack tool because hackers are able to rapidly update it to meet their changing needs based on whatever system they are targeting. Security experts assess that state and non-state actors are increasingly viewing malware like BlackEnergy as an important part of contingency military and security planning. It forms the cyber equivalent of an intelligence or terrorist sleeper cell that can be activated to cause disorder if needed, but will lie dormant until that need arises.
So the question is, how much do we need to worry about our industrial control systems? These systems control the machines that run critical infrastructure, and many were not designed to interact with the Internet. As a result, they lack the protections that most computers use to defend against malware. In addition, it is difficult to update ICS systems, since updates usually require a system to go offline for a while and any disruptions in service from ICS tend to have severe economic consequences.
The issue is complicated by the fact that most critical infrastructure in the U.S. is privately owned. According to Rhea Siers, a scholar in residence at the Center for Cyber & Homeland Security at George Washington University, “Not all companies are equal in terms of their ICS and ability to afford and deploy cyber prevention and defense.” This means that, while progress is being made to address ICS vulnerabilities, it is far from being universal or comprehensive.
The U.S. has not experienced a cyber attack on the scale of what happened to the power grid in Ukraine, but it could happen here. The cybersecurity community has been working to better secure ICS, but the threat remains. The Obama administration requested $19 billion for cybersecurity in the 2017 budget, largely because the Intelligence Community has warned that cyber attacks are the most pressing threat to the United States. It remains to be seen what role protecting ICS will have in countering the cyber-threat, but hopefully it will not take a major attack to highlight their importance.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.