The fear of attacks on critical infrastructure such as nuclear power plants, dams and electricity substations is not new – there has been a decade of commentary about threats to public services emanating from cyberspace. But governments have only recently begun to look to legal measures to mitigate these risks.
In February Barack Obama released an executive order entitled Improving Critical Infrastructure Cybersecurity, calling it ‘one of the most serious security challenges we must face.’ Australia faces the same kinds of risks, and we could look to similar measures to help protect ourselves.
Assigning responsibility for critical infrastructure protection is complex. Whilst the government has a role in ensuring the supply of essential services, up to 85% of critical infrastructure in the United States and 90% in Australia is owned or operated by private industry. Some industries have strong regulatory frameworks and well-established cybersecurity practices, but some sectors struggle to maintain basic levels of cyber resilience.
The industrial control systems used to operate or automate industry are a point of vulnerability: they are the mechanisms and networks that control most industrial processes, including critical infrastructure. Supervisory control and data acquisition (SCADA) systems are also vitally important. SCADA systems communicate with industrial control systems to give operators the capacity to control the physical parts of the system, like fans, pumps and valves. One high-profile example of a SCADA attack, the Stuxnet worm, damaged Iranian centrifuges by rapidly increasing and decreasing their speed of operation.
In an ideal world SCADA systems are physically air-gapped from the internet to reduce the threat posed by hackers, malware and other hazards. But this often isn’t the case. Sometimes, in an attempt to cut costs or to facilitate easier remote access, companies integrate SCADA systems with corporate networks that are connected to the internet. This creates backdoors for malicious actors, who with the right skills can infiltrate these systems and gain control of the dams, power plants and water purification plants they run.
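The point about integration deserves a concrete illustration of how a defender can check for it. The following is an added example, not code from the article or from any of the organisations it mentions: it models a network design as a list of permitted zone-to-zone flows and asks whether any control zone can be reached from the internet. The zone names (internet, dmz, corporate, scada, plc) and the two sample topologies are constructed assumptions; in the air-gapped design the control zones are unreachable, and a single ‘convenience’ link from the corporate network to SCADA is enough to create the backdoor the paragraph describes.

```python
"""Zone-reachability check for an ICS network design.

Added illustration only; not code from the article. The zone names,
link lists and the set of control zones below are constructed assumptions.
"""
from collections import deque

# Constructed assumption: the zones a defender wants unreachable from the internet.
CONTROL_ZONES = ("scada", "plc")


def find_path(links, source, target):
    """Return the first path found from `source` to `target` as a list of zones, or None.

    `links` is a list of (from_zone, to_zone) pairs; each pair means traffic is
    permitted to flow in that direction (a firewall rule or a physical cable).
    Breadth-first search keeps parent pointers so the offending path can be shown.
    """
    adjacency = {}
    for src, dst in links:
        adjacency.setdefault(src, set()).add(dst)
    parent = {source: None}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in sorted(adjacency.get(zone, ())):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def exposed_control_zones(links):
    """Map each control zone reachable from the internet to the path that reaches it."""
    exposure = {}
    for zone in CONTROL_ZONES:
        path = find_path(links, "internet", zone)
        if path:
            exposure[zone] = path
    return exposure


# Constructed topology A: corporate network reachable via a DMZ, control network air-gapped.
AIR_GAPPED = [
    ("internet", "dmz"),
    ("dmz", "corporate"),
    ("scada", "plc"),  # control traffic stays inside the control network
]

# Constructed topology B: the same design plus a remote-access link from corporate to SCADA.
INTEGRATED = AIR_GAPPED + [("corporate", "scada")]

if __name__ == "__main__":
    print("air-gapped :", exposed_control_zones(AIR_GAPPED))
    print("integrated :", exposed_control_zones(INTEGRATED))
```

Run as a script it prints an empty result for the air-gapped design and, for the integrated one, the full path internet → dmz → corporate → scada → plc, which is exactly the chain an auditor would want to see when arguing that a cost-saving link has turned into an exposure.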
A German university showcased how vast the problem is when it created an interactive map plotting live SCADA, industrial control and building management systems connected to the web. The researchers used specialised open-source search engines to create the map. These sites crawl the web cataloguing internet-facing industrial control and SCADA systems, and can even be tailored to find specific types of systems in specific locations around the world.
Last year the Department of Homeland Security released a report outlining 198 cyber incidents against industrial control systems in the 2012 fiscal year. Within the first six months of the 2013 fiscal year, there had already been over 200 cyber incidents. One high-profile infiltration was carried out by the Chinese hacking group dubbed APT1, which security firm Mandiant has alleged is connected to the PLA. The group was caught in the act trying to interfere with a decoy SCADA water control system located in the United States. The ‘honeypot’ was established by security company Trend Micro, which used cloud software to replicate the log-in and configuration screens of a real-life municipal water plant connected to the internet. In just 28 days it logged 39 attempts to gain unauthorised access to the system, including two attacks involving malware that had never been seen before in cyberspace.
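The value of a honeypot like the one above lies in what the defender does with its logs. The following is an added example and has nothing to do with Trend Micro’s actual tooling or data: it parses a handful of constructed log lines in a made-up ‘timestamp src= event=’ format, counts access attempts per source, and flags any uploaded file whose hash is not already in the defender’s catalogue of known samples. The addresses, hashes and the known-sample set are all constructed assumptions.

```python
"""Triage of honeypot access logs.

Added illustration only; not the tooling or data described in the article.
The log format, source addresses, hashes and known-sample set are constructed.
"""
import re
from collections import Counter

# Constructed log lines in a hypothetical "timestamp src=IP event=... [sha256=...]" format.
SAMPLE_LOG = """\
2013-03-01T02:14:07Z src=203.0.113.10 event=login_failed user=admin
2013-03-01T02:14:09Z src=203.0.113.10 event=login_failed user=admin
2013-03-01T02:14:12Z src=203.0.113.10 event=login_success user=admin
2013-03-02T11:03:55Z src=198.51.100.7 event=login_failed user=operator
2013-03-03T19:40:01Z src=203.0.113.10 event=upload sha256=aaaa1111
2013-03-05T04:22:18Z src=192.0.2.44 event=login_success user=admin
2013-03-05T04:23:02Z src=192.0.2.44 event=upload sha256=bbbb2222
2013-03-06T08:00:00Z src=192.0.2.44 event=upload sha256=cccc3333
"""

# Constructed: hashes of samples the defender has already catalogued.
KNOWN_SAMPLES = {"aaaa1111"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\w+)"
    r"(?: user=(?P<user>\S+))?(?: sha256=(?P<sha>\w+))?$"
)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def triage(records, known_samples):
    """Summarise access attempts and flag uploads whose hash has not been seen before."""
    attempts = [r for r in records if r["event"] in ("login_failed", "login_success")]
    uploads = [r for r in records if r["event"] == "upload"]
    return {
        "attempts": len(attempts),
        "successes": sum(1 for r in attempts if r["event"] == "login_success"),
        "attempts_by_source": dict(Counter(r["src"] for r in attempts)),
        "unseen_samples": sorted({r["sha"] for r in uploads if r["sha"] not in known_samples}),
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG), KNOWN_SAMPLES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The ‘unseen_samples’ list is the part worth acting on: a hash that no existing catalogue recognises is the honeypot equivalent of the never-before-seen malware the article mentions, and is the natural trigger for pulling the sample into analysis and for checking whether the same source has touched any real control network.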
These vulnerabilities, their growing visibility and their increasing exploitation led President Obama to release one of the more attention-grabbing mandates of his executive order. He called for the establishment of a baseline cybersecurity framework to reduce the risk to critical infrastructure.
After a series of consultations with industry, the draft version of the framework was released last week. It remains a voluntary framework, but it is an important first step. It also has the effect of opening up companies to potential litigation if they fail to meet minimum cybersecurity benchmarks.
Other countries including Australia should follow Washington’s lead, and look to implement a federal-level framework that stipulates minimum cybersecurity standards for critical infrastructure. The Australian Government already has strong existing relationships with critical infrastructure operators through the Trusted Information Sharing Network. Building on that, Canberra should create a cybersecurity minimum standards framework to protect Australia’s critical infrastructure.
Jessica Woodall is an Analyst at ASPI’s International Cyber Policy Centre. Image courtesy of Flickr user peter castleton.