Critical infrastructure protection: Are we prepared for a massive cyberattack on U.S. systems?

There is no debate in the security community that the nation needs to protect its critical infrastructure (CI) from cyber attacks. But not everybody agrees that all infrastructure sectors are equally critical.

According to the most recent Presidential Policy Directive on cyber security, the U.S. has 16 CI sectors, ranging from transportation to energy, food, water, financial services and others.

But Mark Sparkman, a former CIA officer and now a senior international affairs analyst with the RAND Corporation, argued in a recent post on CNN that "cyber Armageddon" scenarios focused on physical infrastructure are overblown. Major sections of the U.S., he noted, have gone without electricity and water for days or weeks following natural disasters, and life has returned to normal.

However, that, he said, would not be the case with finance.

"Want real chaos? Destroy confidence in the banking system (or even a part of it), and just stand back and watch," he wrote, adding that a major attack that manipulated or destroyed the assets of depositors would "establish a new field of warfare ... (I)f the attacks persist, target nations must be ready to escalate by returning fire at a rate and magnitude that will deter further attacks."


But that brought a retort from Joe Weiss, an industrial control systems (ICS) expert, who said Sparkman's post simply means that "even former CIA officers don't understand ICS cyber security."

Weiss, a managing partner at Applied Control Solutions, is not arguing that a major attack on the country's financial system would be trivial. But he insists that a similar attack on the power grid would be just as bad, or worse. After all, financial institutions need power to operate. As "marcBlackmer," a commenter on Weiss' blog post put it, "If I may point out the obvious -- no power, no banks."

It is not a given, Weiss said, that life would return to normal in a few days or weeks after a major cyber attack on the power grid.

"Cyber attacks can damage or destroy critical equipment such as transformers, boilers, turbines," he said.

"These are custom equipment ... many of these large components are not even made in the U.S. anymore. A targeted attack against this equipment can cause outages of up to nine to 18 months or more."

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), made the same point on the CBS show 60 Minutes in November 2009, when he told correspondent Steve Kroft, "The big generators that we depend on for electrical power are one, expensive, two, no longer made in the U.S., and three, require a lead time of three or four months to order them."


"So, it's not like if we break one, we can go down to the hardware store and get a replacement. If somebody really thought about this, they could knock a generator out, they could knock a power plant out for months. And that's the real consequence."

Weiss adds that the power grid equipment supports just about every critical service -- water, oil and gas systems, manufacturing, telecommunications, transportation and yes, banking.

Sparkman, in an interview, said he had no problem with what Weiss had written.

"I just thought that the potential for attacks on the financial system needed more attention," he said.

And most in the security community think both Sparkman and Weiss have legitimate points. Chris Petersen, CTO and cofounder of LogRhythm, said both are correct, in the sense that both the financial system and ICS need aggressive protection from what he called "very severe threats."

He said in many ways the financial system is much more secure than ICS since, "from the moment banks were created, their mission was to protect assets. So they've been working on securing themselves since the beginning. For physical infrastructure, the priority is not security, it's availability. They don't operate in a secure mindset because they were never designed that way."

But he agrees with Weiss that, as secure as banking systems may be, none of that will matter if the power goes out.

"It would be like a big, brick building on a foundation of sand," he said. "A prolonged power outage would be catastrophic to the banking system."

Francis Cianfrocca, founder and CEO of Bayshore Networks, said there are actually "a lot of points of contact between them (the banking/financial system and the power grid)."

And he suggested that banks have a direct interest in maintaining the security of the grid.

"Who owns a lot of the power systems?" he said. "Banks do. They are big-time owners of power generation, so they are very involved in their security."

But he, like Petersen, Sparkman and Weiss, agrees that the "potential for catastrophic impact, including loss of life and illness, is real and very significant."

How real that potential is was demonstrated in 2007 at the Idaho National Labs in what was called the Aurora Project, where a cyber attack destroyed a diesel generator.

"If you can hack into that control system, you can instruct the machine to tear itself apart. And that's what the Aurora test was," said James Lewis, speaking on 60 Minutes.

At the time, CNN quoted economist Scott Borg, who produces security data for the federal government, saying that if a third of the country lost power for three months, the economic price tag would be $700 billion, or, "the equivalent of 40 to 50 large hurricanes striking all at once."

It is not that difficult either, Weiss said, noting that much of the hardware in ICS has passwords that are hard-coded and can't be changed. "This is not to say your next-door neighbor could do it," he said. "But smart people could. There are 'metasploits' on the web that you can buy that are meant to go after control systems."

Why, then, hasn't something on the level of a "cyber 9/11" happened already?


In some nations it has, said Francis Cianfrocca, pointing to the brief war in August 2008 between Russia and Georgia, in which Russia used cyber attacks in advance of, and during, its more conventional kinetic operations. "A key aspect of that was massive destabilization of Georgia's financial structure," Cianfrocca said. "It included financial, telecom and critical infrastructure and was very successful."

Weiss said another complication is that it may be difficult to tell if damage to CI is caused by cyber, and even more difficult to tell who actually did it.

Given all that, some experts say there is still reason for some optimism.

"There has been a lot of progress in the last five years," said Chris Petersen. "There are a lot of good people in Washington who are focused on it."

Chris Larsen, malware research team leader at Blue Coat, points to attacks on banks in South Korea several months ago and notes, "it didn't cause the end of the world. I haven't read anything since then that says South Korea is back in the Stone Age."

Larsen said there is plenty of reason for concern about vulnerabilities, but he doubts that attackers could take down the nation's entire infrastructure in any sector for months at a time.

"I think there is some redundancy built into those systems," he said.

At present, however, Cianfrocca said the nation's preparedness "is not equal to the threat." While he said there is a lot of "very good work being done" in cyber defense, "an attacker only has to be right once, and defenders have a very broad perimeter to protect. I'd say there is a two- to three-year gap between the capabilities of the attackers and defenders."

Stories by Taylor Armerding