Critical infrastructure: Off the web, out of danger?

The debate over the chances of a catastrophic cyber attack taking down a major part of the nation’s critical infrastructure (CI) has been ongoing for a generation.

But it hasn’t been settled – in some ways it is more intense now than ever.

On one side are those, including high government officials, who warn of a “cyber Pearl Harbor” that could leave swaths of the country in darkness and cold – without electric power – for months.

Retired Adm. James Stavridis, dean at Tufts Fletcher School and a former NATO supreme allied commander, used that term just three months ago, saying such an attack would be aimed either at the electrical grid or the financial sector.

"It is the greatest mismatch between the level of threat, very high, and the level of preparation, quite low," he told CNBC in December.

On the other side are experts who say such warnings are vast exaggerations peddling FUD (fear, uncertainty and doubt) – that natural disasters and rodents are more of a threat than cyber attacks to  industrial control systems (ICS) that power the grid, water distribution, transportation and other critical services.

The evidence – so far – seems to favor the latter view. No cyber attack in the US has crippled the grid, water, communication or other CI systems even for weeks. Indeed, major storms have left tens of thousands of people without power for longer than any cyber attack has.

But the growth of the Internet of Things (IoT) may be changing that calculus. The billions – and growing billions more – of connected devices are bringing both unimaginable benefits to society and unprecedented dangers.

As numerous experts have been pointing out, anything connected to the internet – home appliances, vehicles, public utilities, health care and financial institutions and more – are part of an “attack surface” for hostile actors ranging from so-called “script kiddies” to political activists, criminal gangs and nation states.

Last fall’s Distributed Denial of Service (DDoS) attack on internet backbone provider Dyn is one recent high-profile example. Attackers used a botnet of tens of thousands of insecure cameras and DVDs (all part of the IoT) to take down a number of popular websites, including Twitter, Netflix, Reddit and PayPal.

Incidents like that have intensified the debate over the risks to CI, which means an increasing focus on the debate is over whether ICSs are part of the IoT or not.

According to some experts, they aren’t. They say the North American power grid is much more resilient and almost invulnerable to IoT attacks for a simple reason: Its crucial generation and transmission components – the operational hardware – are not part of the IoT - not connected to the internet.

Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said many people believe that all three major components of the grid – generation, transmission and distribution – are internet facing.

But he said the generation and transmission components are not. He told an audience at the recent RSA conference in San Francisco that while the risk of a damaging cyberattack is “greater than zero … the real threat is Mother Nature and humans doing stupid stuff.”

Sachs agreed that cyber attacks have caused damage to energy infrastructure in other parts of the world – the 2015 hack of the energy grid in Ukraine took out power for several hours to 225,000 people. But he told the audience the North American grid is exponentially less vulnerable because of its, “diversity and separation of infrastructure.”

He told CSO it is also because, “the control systems don’t connect to the internet.” This, he said, is one of the mandatory Critical Infrastructure Protection (CIP) reliability standards.

“The threat is real and the risks are high, but our exposure is low,” he said, contending that it would take physical access to control systems to interfere with their operation. That, he said, is possible but highly unlikely.

Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC)

“We’ve bent over backwards to decrease our exposure – we’re anal about it,” he said.

This doesn’t mean there are no internet connections in the overall industry – there are many in the corporate networks and the distribution of power to customers. “But that’s at the edge, where you’re flipping the lights on or off,” he said. “We see power companies get spammed and phished all the time. We see ransomware. But even if the lights go out locally, the grid is still working.”

That was essentially the message from former Director of National Intelligence James Clapper, in a “statement for the record” about 18 months ago to the House Permanent Select Committee on Intelligence. Clapper said he believed the chances of a “Cyber Armageddon” are remote.

But that message clearly has not reached the mainstream media. The Wall Street Journal headlined a Dec. 30, 2016 story, “Cyberattacks Raise Alarm for U.S. Power Grid,” and NBC Nightly News just this past week reported that public utilities were essentially sitting ducks for cyberattacks.

Nor has it convinced every other expert in the ICS field either. Joe Weiss, managing partner at Applied Control Systems, vehemently disagreed, calling Sachs’s comments, “bizarre … beyond the realm of credibility.

“Cyber can bring down the grid for months,” he said, adding that the “diversity” of power companies is essentially a mirage, since there are only “eight to 10 vendors worldwide” that manufacture the kind of generators used in ICSs.

Weiss pointed to Project SHINE (SHodan INtelligence Extraction), an initiative that has scanned the internet looking for SCADA and ICS devices. “They found more than 2 million (control) system devices directly connected to the Internet,” he said, contending that the US government has been suppressing information on ICS attacks that have already occurred. “Our government won’t publicize and acknowledge them,” he said. “We have met the enemy and it is us.”

In a blog post this week, Weiss said targeted ICS attacks in the US have caused, “loss of electric and water SCADA, damage to manufacturing lines, shutdown of HVAC systems, and damage to facility equipment including critical motors.”

Other experts are much less vehement – they say the risks are likely greater than Sachs is saying, since even with an air gap a system can be compromised. But they agree that US ICSs are far from sitting ducks – that the chance of a catastrophic attack is, as Clapper said, “remote.”

Ben Miller, director of the Threat Operations Center at Dragos, said if a power company’s corporate network is connected to the internet, and the ICS is connected to that, then there is an online way to get to the ICS. There is also the risk of access to ICS that attackers might gain through compromised third-party vendors.

He also said he and Dragos CEO Robert M. Lee will be delivering a keynote at this week’s SANS ICS Summit in Orlando, Fla., on a project titled MIMICS (Malware in Modern ICS), that found, “thousands of cases of ICS software infected with viruses, just over the course of 90 days.”

Those, he said, were mainly non-targeted, “opportunistic viruses and removable media across many ICS vendor programs.”

Still, he said in the US, online access to ICS, “is extremely rare. Ultimately taking down the grid is a really complex subject. Having an industrial impact on any ICS is hard. Scaling an attack to a particular region is really really hard.”

Edgard Capdevielle, CEO of Nozomi Networks, also said connections to the corporate network are a risk. “While industrial traffic may not go through the internet to get from one site to another, all these networks often have a physical path to the outside and are therefore exposed,” he said. “Firewalls help provide segmentation in the network, but the exposure still exists.”

Eddie Habibi, CEO of PAS agreed with Sachs that a successful attack on ICSs is unlikely, “given the layers of cyber defense that most companies have in place.” 

But he said the risks are very real, even with air-gapped systems. He said they could include downloading an infected software upgrade from a third-party vendor’s website into a SCADA system.

Or, a disgruntled insider with network access credentials could remotely take control of systems.

“Are these cyberattacks? You bet they are,” he said. “And they actually happened to two companies in the US.”

And Michael Patterson, CEO of Plixer International, said while he agrees that ICSs should be disconnected from the internet, “that will never happen. Even if they are disconnected, technologies have come along that allow miscreants to bridge the air gaps thought to prevent systems from being attacked from the internet.”

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), said he agreed with Sachs that taking down the grid, “would be extremely difficult.”

But he also agreed with Patterson that, “a cyber kinetic approach using social engineering methods to bridge the air gap and introduce self-replicating malware to a network is actually very possible and not too complicated to do.”

That, he said, could lead to a regional blackout on the scale of the August 2003 cascading power failure that left about 50 million people in southeastern Canada and eight northeastern US states without power for up to two days.

That event was attributed to equipment failure and human error.

Stewart Kantor, CEO of Full Spectrum, has the same concern. “The US population is already highly concentrated in a few geographic regions nationwide creating rich targets,” he said, “where a single focused attack could leave millions in danger, and one small action could result in billions of dollars in damage and recovery costs.”

Sachs insisted again that, while the risks are real, they are minimal with control systems. “I would never say that there are zero connections,” he said, “but they’re (control systems) not designed to be connected to the internet. If somebody wants to challenge that, show me the connection.”

While the debate will continue, there is a measure of agreement that there is good news – an increased focus on ICS security.

“Technological advances in cybersecurity, such as the application of machine learning and artificial intelligence is creating some optimism,” Capdevielle said. “These advances offer better visibility into the operational risks regardless of the cause.”

Kantor said there are various ongoing “best-practices” initiatives. The Electric Power Research Institute (EPRI), the Utilities Technology Council (UTC) and a group of major utilities, are supporting a new IEEE standard for secure field area networks,

“The standard, known as 802.16s, addresses reliability and security in a wide area wireless network,” he said, adding that it is helping utilities shift their operations to, “entirely private networks, separated digitally and physically from the public network.”

Still, the nation’s critical infrastructure remains a potentially dangerous soft spot.

“Many utilities claim to have key systems blocked from the internet,” Patterson said, “when in actuality, a few internal hops will get you onto the targeted system.”

And Scott said he thinks the greatest risks are not from the hostile nation states like Russia, China or even Iran, but from, “a Hail Mary state like North Korea or an ideological collective like the Cyber Caliphate who uses domestic self radicalized cyber lone wolves and independent mercenaries for hire who possess the technological sophistication to pull something like this off.”