Cyber attacks on the nation's critical infrastructure (CI) are up — way up, particularly in the energy sector. The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported earlier this year that there were a third more cyber incidents (111) reported by the energy sector in the six-month reporting period ending in May than in the previous 12 months (81).
But so far, the power grid, transportation, water and other control systems dont seem to be going down in any catastrophic way. And an executive order this past February from President Obama calls for frameworks for the protection of CI to be implemented by February 2014.
Does that mean the multiple warnings about catastrophic damage to U.S. industrial control systems (ICS) from cyber attacks are overblown?
There is still debate about that among experts. As some regularly point out, regions of the nation have survived major blackouts in the past, including the blackout and other associated damage to the northeast from Superstorm Sandy just months ago, in October 2012. Given that, surely the U.S. can survive a major CI cyber attack.
Bruce Schneier, author, security guru and chief security technology officer at BT has said more than once, here and here, that while the risks of damage to CI are real and could be significant, they are not at the catastrophic act-of-war level. "Throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people," he has said.
Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, noted that, "government leaders have warned of a 'digital Pearl Harbor' for 20 of the 70 years since the actual Pearl Harbor, so clearly these things are more difficult than we normally think. It is easy to attack something and knock it down, but really difficult to keep it down over time."
But then there is Joe Weiss, managing partner at Applied Control Solutions, who has been pointing out for years that power grid equipment supports just about every critical service: water, oil and gas systems, manufacturing, telecommunications, transportation and banking.
More significant, Weiss said, is that many of the large components of that grid are not made in the U.S. and cannot be replaced in days or weeks. "A targeted attack against this equipment can cause outages of up to nine to 18 months or more," he said.
That echoes James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), who told CBS's "60 Minutes" in November 2009, that major electrical generators require a lead time of three or four months just to order them.
"It's not like if we break one, we can go down to the hardware store and get a replacement," he said.
And even if there is no physical damage, the vulnerability of CI systems could cause political problems. Chris Petersen, CTO and cofounder of LogRhythm, notes that the goal may not always be to take a system down. For some, he said, gaining a foothold into U.S. CI systems, "might prove to be a valuable deterrent against U.S. policies or actions."
There is unanimous agreement, however, that bad actors — likely isolated nation states like Iran and North Korea — are testing the vulnerabilities of U.S. infrastructure at unprecedented levels, and that the reported numbers likely aren't even close to the real total. There is also agreement that CI in the U.S. is highly vulnerable to cyber intrusion.
"Regulated utilities are beholden to compliance requirements," said Jeff Hudson, CEO of Venafi, "so that is their focus, not keeping ahead of cybercriminals. There's little incentive to get out from under regulation and spend precious money on cyber defenses."
"Vulnerability researchers have confirmed that there is a serious problem with control systems security, added Tom Cross, director of security research at Lancope.
ICS-CERT reported, "a wide variety of threats ranging from Advanced Persistent Threats (APT), to sophisticated and common malware found in the ICS environment. Other incidents in the water and commercial sectors involved Internet-facing systems with weak or default credentials."
Kyle Wilhoit, a threat researcher at Trend Micro, reported earlier this year at BlackHat Europe and then in a guest commentary in the ICS-CERT Monitor, on the number and sophistication of attacks on honeypots set up to look like a rural water plant.
"What's scary about the findings isn't that these devices were attacked, but the way in which (they) were attacked. Anything that is Internet facing will likely get attacked at some point," he wrote.
Wilhoit said the attackers demonstrated knowledge of Modbus communications protocol, and that 17 of the intrusions would have been considered catastrophic to water pressure pumping system.
He said he did not know if attacks like this are happening in the real world, but wondered, "if a controller were to malfunction in a rural area of the country, would the SCADA engineer even search for the cause of the malfunction, or focus primarily on getting the controller back up and running?"
That, Weiss said, is a big piece of the problem — engineers might not even know if a problem was caused by a cyber attack. "We really dont have very good control system cyber forensics," he said.
The sophistication of attacks is accelerating as well. Hudson noted that just three years ago, "the nation states behind Stuxnet stole digital certificates and used them against Iranian ICS targets. Theft and use of digital certificates was thought mostly to be theoretical and not a real attack," he said.
"Fast forward to 2013 and McAfee found the number of malware that used stolen digital certificates the past year grew 10 times! Very scary."
Finally, while most experts applaud President Obama's executive order focusing attention on protecting CI, most are dubious that government frameworks will keep up with rapidly evolving threats. There is also some concern that not all operators will sign on, since the frameworks will, at least at the start, be voluntary.
"I'm hopeful, but we'll see," said Jason Healey. "If it becomes a compliance-style checklist like FISMA or PCI, it will start out as marginally useful but rapidly be out of date."
Chris Petersen said since the design of the frameworks is not intended to be "overly prescriptive," he thinks it will, "provide best practices and guidelines that have and will continue to have longevity."
But Weiss said while the president's executive order is well intended, it is needless duplication. "The ISA99 (International Society of Automation) security standards for the ICS community have been sitting there for how long?" he said.
"It is still a work in progress, but the government could have said this is what needs to be done and be done with it."
No matter where the standards come from, however, they need the participation of CI operators. And Larry Zevlin, director of the National Cybersecurity and Communications Integration Center (NCCIC) told Federal News Radio recently that some CI operators are loathe to share information with one another or the government.
"When you have a natural disaster or a terrorist event, it's a rush to the incident or to the crime scene," he said. "In cyber, it's neither. This is a competitive business, and in some cases the information we're talking about is how people are making their living.
"There seems to be a misperception out there that everybody's going to share. No, they're not. They're just not, because in some cases this is their business, in other cases this is about their reputation, and in some cases they're worried about government regulation. These are valid fears, and we have to understand that."