Last week, reports began to circulate suggesting Russian hackers have started to target the computer systems of nuclear power plants in the United States.
The attacks signal that Russia appears intent on meddling in more than just elections within the country, and they raise questions about how prepared U.S. critical infrastructure is to turn back a cyberattack.
Russia is no stranger to hacking, nor to penetrating parts of the power grid. Hackers backed by the country or operating as part of a military unit have wreaked havoc on Ukrainian infrastructure, including knocking out power for 700,000 people as part of a cyberattack. Israel’s electric grid has likewise been the target of Russian malware.
Last month, security experts identified malicious software, crafted and used by the Russian government, that can manipulate settings and actively harm critical infrastructure in a way that could cause physical damage in addition to cutting off power to citizens.
Taking down large chunks of the electric grid in the U.S. is a much more complicated task for hackers than it is in a nation like Ukraine or Israel, but that is not the result of better protection or security protocols. Instead, it is because the energy business in the U.S. is a mess of deregulation and lagging best practices.
According to Stewart Kantor, CEO and co-founder of Full Spectrum, a company that specializes in secure communications, there are more than 3,300 electric utilities across the U.S. Some are privately held companies, others are publicly traded, some operate under the ownership of government organizations while some are cooperatives. Most are regulated at the state level and standards—especially when it comes to cybersecurity—are often insufficient.
Many utility companies operate as their own entity, separate from the public grid. Kantor explained that utilities often have their own wireless communications infrastructure, designed to provide a means to communicate even when public towers go down.
Those communications often rely on legacy infrastructure like the copper lines once relied upon by phone carriers to handle landline communications. But as landlines have disappeared, so too have the copper lines and other equipment that were once standard for the public, leaving utility companies in a bind.
Technically speaking, it’s easy for a utility to call up its local carrier, get a cellular modem and connect to the telecommunications company’s network. The problem, according to Kantor, is doing so “introduces points of vulnerability.”
Emerging technologies designed to aid in the transfer of billions of bits of data per second provide a great service to the public but spell trouble for critical infrastructure that still relies on SCADA (supervisory control and data acquisition) data to interact with its systems.
Unlike data-heavy streams of video and media, SCADA data travels over a serial type of connection designed to transport low-speed data—often important bits of information gathered from mission-critical systems. Electric grids, oil and gas pipelines, railroads and nuclear plants all count on SCADA data.
"Historically, SCADA data was transported over dedicated lines from the phone companies with a fair amount of security," Kantor explained. "You'd have to physically get to the phone line or tap it to intercept it. The physical design of the network made it hard for other people to get in."
Now, as copper lines have been pulled up and more and more telecommunications companies handle data wirelessly—even off-loading it to Wi-Fi whenever possible—that SCADA data is at some points converted and carried over the same standard wireless protocols that move most of the data the average person sends and receives over a wireless network.
"In order for a person managing a nuclear power plant, for example, to more efficiently manage all these remote devices, they now use internet protocol and have many more devices they can talk to," Kantor said, noting that many electromechanical devices now include built-in servers and other means of connecting wirelessly.
The danger, though, is that every one of those interactions that takes place across the internet creates a new access point for an attacker to target. "Malicious code can spread very rapidly to all sorts of various locations within what [a utility] is trying to manage."
The issue is essentially the same one that the Internet of Things presents to consumers. There is a network within a person’s house that they can protect and connect to securely. Each time a new internet-connected device is added to that network, it creates a new potential point of vulnerability that a bad actor can target to gain access or do damage.
One needs to look no further than the 2016 software update that hit owners of Nest connected thermostats. A bad line of code—one produced by Nest’s own engineers, no less—managed to drain the battery of the devices and resulted in users losing complete control over their thermostats.
The fallout included plenty of unhappy customers, including some situations in which pipes burst and physical damage was caused as the result of bad code. It’s not too hard to imagine a similar, malicious attack being directed at the critical systems designed to monitor activity at utility companies or a nuclear reactor.
Kantor said there are two primary types of attacks on computer systems used by critical infrastructure. The first is a distributed denial-of-service (DDoS) attack, which could be carried out essentially at any time if a malicious actor wanted to direct huge waves of traffic at a public-facing IP address.
DDoS attacks aren't necessarily destructive in the way that malware can be, but they are disruptive. By directing the wrath of hundreds of thousands of machines at a single point, such an attack can make a device inaccessible or knock it offline completely.
The second and potentially more harmful type of attack spreads malware throughout a system, opening the compromised machines up for additional damage or manipulation. Such an attack could make changes to settings, wipe machines of important data and control interfaces or in some cases do irreparable damage.
One needs to look no further than Stuxnet, the powerful, malicious computer worm developed by the U.S. and Israel that was unleashed on Iranian nuclear facilities. The cyberattack reportedly destroyed one-fifth of the nation’s nuclear centrifuges.
To make sure a similar-style attack doesn’t cause devastation to a nuclear plant or other vital facilities within the U.S., Kantor advises embracing what was once standard for utility companies—get off the public communication grid to cut off the potential for attack.
"I think utilities are going to have to isolate more and more these critical applications for communications layers," he said. "We're also going to need more redundant systems and backup systems."
According to Kantor, while technological advancements have done wonders for many, the rapid adoption has left critical infrastructure in a difficult spot. "The danger I see is the pace at which we are adopting the ability to automate things," he said. "Everything is faster, easier. We need to slow it down a bit."
Kantor’s concern seems to be borne out in a recent study conducted by the SANS Institute, which found that 40 percent of security experts in charge of protecting critical infrastructure systems would not be able to detect a cyberattack and would be unable to react if one were to occur—a data point made all the more troubling by the fact that 69 percent of experts say threats to such systems are increasing.
It’s also worth noting that even if all of the issues standing in the way of securing critical infrastructure were solved—from regulatory framework to budget concerns to setting up completely private and nearly impenetrable communication networks—the systems would not be entirely safe from attack.
All it takes is a compromised flash drive that contains malicious code or clicking on the wrong link from a phishing attack to allow a malicious actor in, and there is no real defense against those types of human errors. However, when it comes to such vital systems, it’s better to take every possible step to secure the system and still experience the breach than to not bother and open up more possibilities for attackers.