James Clapper

I’m often asked by reporters: if ICS are so insecure, why have there been no dramatic and devastating ICS cyber attacks? The only answer I have is that, up until now, the consequences to the attacker if caught have exceeded the motive to attack.

Almost all researchers and hackers don’t want to cause huge economic damage, severe harm to a large number of people’s lives, or loss of life. The few who don’t have moral qualms still have to fear the ramifications if they are caught. Similarly, even though the international rules of cyber attack are in flux, a nation state or NGO can imagine the response if it were caught. Also, a large number of the countries capable of a cyber attack would likely be harmed by a critical infrastructure attack themselves, as it affects their customers, their suppliers or the world economy.

With this background, consider some of the statements from yesterday’s Senate Committee hearing, as reported in Kim Zetter’s Wired article:

DNI James Clapper was a singular voice of reason when he told the Senate Select Committee on Intelligence that lack of skills on the part of most attackers and the ability to override attacks on critical infrastructure with manual controls would make such attacks unfeasible in the near future. He also said that nation states that might have the skills to pull off such an attack lack the motive at this point.

“We judge that there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage,” Clapper said in his statement to the committee. “The level of technical expertise and operational sophistication required for such an attack — including the ability to create physical damage or overcome mitigation factors like manual overrides — will be out of reach for most actors during this time frame. Advanced cyber actors — such as Russia and China — are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.”

The Director of National Intelligence is getting bad intelligence. The technical expertise is definitely not out of reach of any team with moderate skills or resources. Take one cyber security professional, add one automation engineer, and add a sector expert, e.g. a chemical, nuclear or electrical engineer, and you have the technical expertise. If you only want to take the ICS down, it takes fewer resources; if you want to perform a very sophisticated process modification, it could take a larger team. The key point is that the technical resources required are neither rare nor expensive.

Operational sophistication is an area I’m less qualified to comment on. However, all that is needed is logical network access to the system you want to attack. The adversary needs to hack their way in, or simply gain one-time physical access and deploy their own remote connection, such as a network implant hidden in a power strip. Is it really so operationally difficult to recruit a small team and arrange this access for one or two of the multitude of critical infrastructure systems in a country?

Given the insecure and fragile state of the SCADA and DCS that monitor and control the critical infrastructure, it’s worrisome that we are pinning our hopes on the attackers’ fear of reprisal if caught exceeding their motivation to launch an attack.

——

A second interesting statement, this one from Gen. Alexander’s testimony to the House Armed Services Committee, was reported in a NY Times article:

The chief of the military’s newly created Cyber Command told Congress on Tuesday that he is establishing 13 teams of programmers and computer experts who could carry out offensive cyberattacks on foreign nations if the United States were hit with a major attack on its own networks, the first time the Obama administration has publicly admitted to developing such weapons for use in wartime.

“I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone.”

Is this the beginning of mutual assured destruction (MAD) defense in the cyber world?

Image by Chairman of the Joint Chiefs of Staff