Major attack on city infrastructure ‘a matter of when, not if’

15 Jun 2017

Shanghai city. Image: ssguy/Shutterstock

The emergence of a damaging cyberattack on Kiev’s energy network was inevitable, according to some cybersecurity experts.

Last December, a piece of worryingly effective malware known as both Industroyer and Crash Override was credited with bringing down Ukrenergo, an energy provider in Ukraine.

Given each name by the cybersecurity companies that investigated the issue (ESET and Dragos), the malware enabled hackers to shut down industrial computers.

Stuxnet 2.0

This, essentially, allowed for remote disabling of parts of Kiev’s energy grid, whereby large parts of the Ukraine capital city went black. If Iran’s attempts at building a nuclear programme, US counterintelligence and Stuxnet all ring a bell, they should.

Industroyer, or Crash Override, was the first example of a similar industry-targeting malware to succeed to such a degree in the wild ever since the 2009 Stuxnet ‘success’.

And it was an inevitability, according to some experts.

“It would be naïve to believe that industrial control systems – whether in electric utilities or petroleum or water systems or even traffic control systems –  didn’t have vulnerabilities,” said Alan Brill, senior MD with cybersecurity company Kroll.

“It has always been a matter of when it would happen, not if it would happen.”

For any state-sponsored hacking, utilities such as energy or water are obvious targets. Terrorists could focus on this, too.

Hot dam

For example, last year US authorities alleged that several computer specialists working for Iranian forces carried out cyberattacks on dozens of American banks and tried to take over the controls of a small dam in a suburb of New York.

Much like Kiev’s energy grid going down for a few hours, this is a fairly obvious area to focus on.

This means that states need effective incident response plans, says Brill, something many already have in place in case of natural disasters hitting crucial utility networks.

“For example, if elements of a distribution infrastructure were damaged by a lightning strike, an incident response would be needed. This all requires top-level commitment to do these things and to make reasonable resources available to do so,” he said.

According to Brill, businesses need to recognise the very real threat that attacks such as this pose. If they operate in an industrial control area of any form, they are a potential target. It’s then up to decision-makers to ensure suitable resources are available in times of trouble.

Trouble should be expected as, even with the tightest of firewalls and digital prevention tools, hackers are going to hack.

Help is out there

Companies such as Kroll, so, or ESET or Dragos in this case, play a key role in how companies and states can mitigate against these threats.

“Make no mistake, attacks on the digital systems that control physical critical infrastructure systems are dangerous,” agrees Michael Shalyt, CEO of industrial cybersecurity start-up Aperio Systems.

“But existing fail-safe mechanisms can mitigate damage from these hacks. What worries me is, what happens when hackers directly attack physical systems themselves?

“What happens when attackers figure out that manipulating data crucial to decision-making can result in catastrophic damage – not just turning off the lights for a few hours?”

Around three decades of malware attacks have led to this point, with a certain inevitability in how technology would one day make it relatively straightforward to bring a working city “grinding to a halt”, noted Shalyt.

“This is where we are today with malware that targets critical infrastructure. The seeds of the threat are sown and the price of failure is clear.

“The question is: what will we see first? A massive outage that endangers millions, or a massive effort by government and industry to counter these threats?”

Gordon Hunt was a journalist with Silicon Republic