From the outside, infrastructure assets look like sturdy pieces of kit. Sure, an oil pipeline can always be blown up; attacks against airports can cause heavy casualties and severe disruption. But due to their size and protection, disabling them for good requires the application of tremendous force. Unless it is done from the inside.
That, in essence, is why cyber-attacks on critical infrastructure are so dangerous. Get the digital keys to a power plant, and you can shut off the grid at the flick of switch. An example of this kind of attack occurred last December in Ukraine, where the entire Ivano-Frankivsk region stayed in the dark for six hours. Highly sophisticated and deftly synchronised, the assault was rapidly linked to Russian hackers. To carry out their misdeed, which they had apparently been preparing for months, the perpetrators targeted the power plant’s supervisory control and data acquisition system (SCADA). Attacks of this type had already occurred in the UK, Italy and Malta. A report by Dell estimates that these types of cyber-assaults doubled in 2014 to more than 160,000.
That even a fraction of these can be successful raises scary prospects. Unfortunately, the stats are not encouraging. Despite cyber-attacks being chronically under-reported (an expert told us the average time between breach and discovery is nine months), a recent survey by the Organisation of American States found that 200 out of 500 critical infrastructure suppliers in North and South America have recently experienced attempts to shut down their network. More than half also reported attempts to control their equipment from afar.
Evidence also suggests nations are not very well prepared, including when it comes to protecting their most sensitive facilities. The Nuclear Threat Initiative (NTI), a non-profit, warns that many countries still do not have the necessary laws and regulations to secure plants against cyber-assaults. Out of the world’s 47 states it says have nuclear capabilities, NTI’s 2016 Index gives 20 nations a score of zero. UK think tank Chatham House also finds that the nuclear industry falls behind other sectors in terms of cybersecurity.
Attackers have various motives. Some are criminals hoping to hold governments and utilities to ransom. Others are state-backed agents allowing nations to pursue geopolitical aims with plausible deniability. Indeed, while attacks are being traced back more easily than before, that is often not enough to deter those who give the orders. International treaties covering these issues have a limited impact: holding signatories accountable and determining attackers’ exact identity is difficult.
Yet a global response could still prove useful. Arms control treaties have made a difference in the past, as the relative success of nuclear non-proliferation treaties has shown. One option states could look into is a pact of non-aggression in cyberspace, following on what was agreed between the US and China last year – and limiting its initial scope to critical infrastructure, to speed up agreement and implementation.
But getting to a critical mass of signatories will take time. In the meantime, infrastructure operators face the urgent imperative to make their assets cyber-proof. Hackers often manage to get in through ‘back doors’ – vulnerabilities in control systems that make them porous to external networks. Operators should spend more on closing them. Attackers also like to exploit the weakest link in the defence chain: people. Adequate resources should be devoted to training staff so that they do not open malicious files.
Such efforts will be all the more efficient if information is shared between governments, utilities and suppliers, helping spread best practices and making industry players more nimble. Countering cyber threats is often described as an endless game of cat and mouse, with businesses forever rushing to develop new patches as fresh vulnerabilities emerge. Against hackers, knowledge is power – it should be shared.