When most people hear the term “cybersecurity,” they usually expect to hear a story about loss of privacy or identity theft or, in the worst case, that some company or government agency has been hacked. As bad as those invasions may be, there’s a type of cyber-attack that is far more destructive, can have far more lasting effects, and yet rarely makes the news.
I’m talking about seizing control of industrial control systems. These ubiquitous hidden computers have gradually and quietly been put in charge of all manner of critical infrastructure—including nuclear power plants, the grid, water and gas pipelines, refineries, air traffic control, trains, factories, you name it.
Unlike the computers we use in our daily lives, these computers are largely invisible. They don’t have screens or keyboards. Most people aren’t aware that they exist. And yet they are embedded in low-level processes. They are everywhere because they create tremendous efficiencies and cost savings, and because they exist almost as an afterthought, they are often completely insecure. They often don’t run anti-virus software and by and large no one bothers to scan them to see if they might be infected with malicious software. And guess what? They often are connected to the Internet where a clever hacker half a world away can get access to them!
The threat is not hypothetical. There have been almost 750 control system cyber events (including both malicious and unintentional incidents). They’ve had a global impact. Affected industries have included power companies, pipelines, dams, planes, and trains. Why hasn’t the public heard about them? Most often because the victims didn’t realize what had happened, since they didn’t have the right forensics.
But here’s actual data: Of those control systems incidents, more than 50 resulted in casualties—as many as 1,000 deaths combined. They caused more than 10 electric outages. There were more than 50 cases involving significant releases of environmentally hazardous materials. Attacks damaged physical equipment in more than 100 cases. And most worrisome of all, there have been at least 50 incidents at nuclear power plants (as mentioned in the recently issued Chatham House report on nuclear plant cybersecurity).
The total cost is conservatively estimated to be $40 billion. And it will only increase.
In many ways, the so-called Stuxnet attack against Iranian enrichment centrifuges kicked off the era of offensive cyber-attacks. Stuxnet was successful because it attacked the plant controllers in an undetectable, unexpected manner. As an unintended consequence of this attack, many more actors in the world understand the potential for these sorts of attacks—more specifically, that an autonomous attack could fool equipment operators into thinking that their systems are all in the green while simultaneously disabling deeply rooted safety routines.
Stuxnet was a highly focused weapon designed for a single, unusual target. But not all cyber weapons need be so specialized. Closer to home, the U.S. Department of Homeland Security demonstrated an attack that could be easily used against power generators, pipelines, water stations, refineries, factories—any target that has mechanical equipment that has to operate in phase with the power grid. Code-named Aurora, the attack not only knocks equipment offline—it physically destroys it. And it’s made workable by the simple fact that there is a physical gap in protection of the electric grid.
In the wake of Aurora, analysts have posited that a coordinated attack on just nine specific power stations could knock power out across more than half of the U.S.—without the possibility of restoring service for weeks or months. As an anonymous utility executive recently told me, an outage of that caliber would disrupt society on a scale no one alive today has ever experienced.
In the face of these vulnerabilities our nation is woefully unprepared to defend itself. Nation-states such as Iran, China, Russia, and North Korea have the knowledge and capabilities to damage our critical infrastructures with cyber-attacks. Additionally, vulnerabilities are being identified on what seems like a weekly basis and cyber exploits for most industrial control systems are now freely available on the Web. That puts potential weapons of mass destruction into the reach of small-scale attackers. Such is the current state of the Cyberwar Threat.
Joseph Weiss is an industry expert on control system cybersecurity, with more than 40 years of experience in the energy industry. He serves as a member of numerous organizations related to control system security. He has provided oral and written testimony to five congressional committees and has published over 100 papers on instrumentation, controls, and diagnostics including the book Protecting Industrial Control Systems from Electronic Threats.
NOVA’s CyberWar Threat premieres Wednesday, October 14 at 9 p.m. ET on PBS.