Several months after the WannaCry cyber-attack, much of the world still seems to be asleep to the potential catastrophic effects of cyber-attacks on critical infrastructure systems.
The first nation state-level cyber-attack on critical infrastructure, widely attributed to a joint collaboration between American and Israeli intelligence against Iran, was uncovered in 2010. Known as the Stuxnet virus, the attack aimed to take down Iran’s nuclear program.
The virus failed to achieve its mission. But by destroying nearly 1,000 uranium-enriching centrifuges, it was unprecedented for having caused physical damage by way of virtual attack. And it ushered in a new era of conflict: that of offensive cyber-warfare.
A brazen example of this new era occurred on 23 December 2015, when a stunned Ukrainian power plant worker watched the cursor on his computer screen come to life. As the cursor began to click through his system, he tried to regain control, but became locked out of his own computer. From far away, a sophisticated hacker was controlling his computer.
Jon Nichols, a former US military IT expert, and his colleague Beau Woods, a deputy director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center on International Security, met with BBC Future in Washington DC. They both believe that the 2015 Ukraine attack was significant – but less damaging than what else might happen if the world doesn’t begin to take cyber-security more seriously.
“Those types of attacks are exceedingly rare and they are harder to pull off than most attacks,” says Woods, a long-time veteran of the information security world. The attack in Ukraine is believed to have affected more than 100,000 people for some six hours. “That type of an attack can only be carried out by a very determined and dedicated adversary. It doesn’t have to be a nation state, but before the group had that capability, we would be able to spot them and know more about them and they’d be more predictable. Once they become predictable, they become somewhat deterrable.”
The risk of attacks means enormous resources are being poured into simulations that could help companies withstands attacks in the future. Corporate giants like IBM are setting up enormous cyber-security test labs where multinationals can come in and experience what it’s like to go through a cyber-attack – without any risk.
One of America’s largest construction and civil engineering companies, Bechtel, invited BBC Future to visit its lab just outside Washington DC. For years, Bechtel has focused heavily on building critical infrastructure projects around the globe.
Hackers have been given exponentially more access points from which to cause damage
Situated in a nondescript strip mall in suburban Virginia, the recently-opened lab is being used to demonstrate attacks on industrial control systems (ICS). The lab is the cyber-security centre for industrial control systems across the company’s US government business.
Many of the ICS’s that run critical infrastructure around North America were designed 30 years ago, long before cyber-security was factored into design and decision making, says Jon Nichols. That makes them highly vulnerable to attacks.
“If you take the hypothetical example of a coal power plant in West Virginia, we could scan it down using off-the-shelf hacker tools that I could show you how to use in 15 minutes,” says Nichols. “We could find several different industrial control systems connected to the internet which have probably been online for 30+ years, and I bet I could find the documentation for them with a couple Google searches. We’d poke and prod at it until I get it to break. That’s without any advanced hacking. I haven’t even looked at any code yet.”
Woods and Nichols say that many of the ICS’s that power infrastructure are so old that the usernames and passwords for the ICS are located in the documentation itself – which can be found in a simple Google search.
That was part of the reason for setting up the project, says Chad Hartman, programme manager for Bechtel’s cyber-lab. “If you look at some of the plants that do work for the Department Of Defense and Department Of Energy,” says Hartman, “they are legacy systems that have been around for decades. Some are working on operating systems like Windows XP which is no longer patched or updated by Microsoft. There are costs to updating Windows XP to Windows 10,” he says, adding that everything associated with that obsolete software also had to be upgraded. “So basically the cost outweighs the cyber-security. That means companies are basically trying to put some controls in the middle to stop attacks from happening.”
Now, with connectivity to the internet encompassing everything from watches to toasters, hackers have been given exponentially more access points from which to cause damage. Although when it comes to deliberate attacks on critical infrastructure, one theoretical hurdle remains: that doing so is essentially an act of war.
Some culprits, like non-state actors, might take comfort in knowing that pinpointing the actual attackers is a difficult task. But for states indulging in cyber-attacks, there is the threat of mutually assured destruction – meaning that the same weapon can be used against them. “We saw that in the Iranian attacks against Saudi Aramco,” says Beau Woods. “They grabbed some of that original Stuxnet code, tweaked it to do something a bit different, and I believe it bricked 30,000 computers.”
Nichols and Woods are most concerned about the potential catastrophic effects that a cyber-attack can have on critical systems like healthcare. They are part of a collective known as “I Am The Cavalry”, a grassroots organisation focused on issues where computer security intersect public safety and human life.
They believe that the healthcare industry deserves special attention for several reasons. Many devices within hospitals are now online. There are very high consequences to failure: if hospital systems fail, then people die. Hospitals are vulnerable. And finally, they are very exposed.
All of this, of course, was borne out by the WannaCry attack, which spread across more than 150 countries worldwide. In the UK, it affected more than a third of NHS trusts and cancelled at least 6,900 NHS appointments. It was the largest cyber-attack on the NHS to date.
Just weeks earlier, Nichols told BBC Future that he had worked to fix the effects of earlier cyber-attacks on hospitals. (He could not discuss exact details because of a non-disclosure agreement.) One event he worked on was an attack that hit a regional healthcare network in early 2016.
No one wants to publicise the vulnerability of their systems
“I know these attacks are more frequent than anyone admits because I was in the basement of a hospital trying to fix one of these attacks when it broke in the mainstream media,” he says.
Nichols says that, in the case of the attack on the hospital, the perpetrators weren’t nation states but cyber-criminals. They weren’t actually trying to target hospitals. They were attempting to go after anything that was vulnerable, and using readily accessible tools to scan for devices connected to the internet. Once they found them, they began injecting their exploitive code and delivering the ransomware. Woods says those actors are extremely hard to deter because they are motivated solely by financial gain.
“One of the difficulties in the industry right now is actually getting organisations to admit or report they’ve been attacked,” says Woods. “A hospital goes down for a day, they may lose millions and millions of dollars, so sometimes it makes good business sense to pay a $100,000 ransom even if it raises difficult moral and ethical questions.”
No one wants to publicise the vulnerability of their systems. That doesn’t just hold true for hospitals, says Dr Stuart Madnick, the head of Massachusetts Institute of Technology's Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC3).
Laws regarding the disclosure of cyber-attacks on critical infrastructure are less severe than those placed upon financial institutions, says Madnick. That’s because while hacking a bank might release credit card and personal information, therefore forcing the institution to notify the public of the breach, hacking critical infrastructure does not. “So if you have a German steel mill and you have a cyber-attack to cause it to melt down, in general there's no law that says you have to make that public,” says Madnick.
Madnick’s organisation is focused on trying to make companies and managers think differently about cyber-security. “We look at the strategic and managerial aspects of cyber-security, not just the actual hardware and software upgrades because 70-80% of cyber-attacks are aided or abetted by insiders, usually unintentionally,” he says.
His colleague and associate director at IC3, Dr Michael Siegel, says he has heard of a financial institution that did internal phishing attacks and sent an email to employees which said: "This is a phishing attack, if you click on this link, it will harm your computer". Despite the explicit warning, at least one person clicked. When they asked that employee why, he said he wanted to see what would happen.
“The problem is that we still don't have an underlying narrative that clicking the mouse could bring down a company or a power plant,” says Siegel. He believes there are two types of companies, those who know they've been attacked and those who just don't know it yet.
In certain sensitive rooms, it’s important to build in a cage that goes from floor to ceiling to make sure no-one can get through the ceiling tiles and cross into the sensitive areas – Chad Hartman, Bechtel cyber-lab
With the repercussions of phishing attacks becoming more publicised and ever more clear, the market for cyber-security firms like Bechtel is booming.
So what happens when a company enlists their help?
Hartman’s team engages their clients in blue team and red team assessments. Red team assessments are ones in which third-party hackers are hired to penetrate a system without specifying where, when and how. These are the closest simulations to real world attacks.
Blue team assessments are a sort of softer introduction into the menace of cyber-attacks. The experts at Bechtel sit alongside their clients and guide their clients through an attack, explaining each aspect so they can see the details play out in real time.
Some of their recommendations are for the real world, not just online.
“A lot of the stuff that red teams go over with clients is physical, like having the right types of locks to the cyber-labs, proper door knobs, cypher locks, badge access,” says Hartman. “In certain sensitive rooms, it’s important to build in a cage that goes from floor to ceiling to make sure no-one can get through the ceiling tiles and cross into the sensitive areas.”
Ironically, part of the reason the cyber-security problem will grow over the next few decades is not only because of the vulnerabilities of legacy systems and the enormous costs to upgrade them, but also because of innovation itself. For example, Hartman believes that remote accessibility is providing new avenues for attackers. As companies adopt remote access to cut costs, Hartman says all they are doing is giving attackers a much greater surface to attack and get into industrial control systems and plants.
It’s unlikely that jihadists are not exploring ways to hack critical infrastructure systems in order to either generate money or simply cause harm
These vulnerable systems will only grow with the next generation as the ‘Internet of Things’ gains popularity, says Tarek Saadawi, a professor and director of the Center for Information Networking and Telecommunications, at the City University of New York and author of Cyber Infrastructure Protection.
Saadawi says the next wave might be even more serious with billions and billions of devices connected, autonomous vehicles, autonomous robotics, smart cities. “All of that becomes vulnerable to attack.”
Of primary concern to security analysts around the world is the probability of terrorist attacks, For example, it’s unlikely that jihadists are not already exploring ways to hack critical infrastructure systems in order to either generate money or simply cause harm.
But sometimes, such attacks can simply be an angry lone wolf, as was the case in an attack on a water treatment plant in Australia 16 years ago. IC3’s Madnick points out that an attack like this is not only indicative of how widespread and unpredictable the threat is, but also how difficult it is tell when infrastructure actually is under attack.
“It took them two-and-a-half months to realise he was doing it,” says Madnick. “A lot of the time, it's hard to discern the difference between mechanical failure and a cyber-attack.”
WannaCry was just the latest in a line of highly publicised attacks on critical infrastructure. But it is highly unlikely to be the last.
Join 800,000+ Future fans by liking us on Facebook, or follow us on Twitter.