


Critical Infrastructure and the Cyber Weapon of Mass Destruction
By Dr. A.J. Briding, Ph.D., CEM, CORE, PMP, CHS-V

Last November was Critical Infrastructure Security and Resilience Month, but I put off discussing critical infrastructure (CI) due to the more compelling topics of terrorism and specifically, the Islamic State. This is a good time to take a look at some of the evolving aspects and issues that affect CI security.

As always, I prefer to start by offering applicable definitions and standards to help frame the discussion.

A Quick Primer: What Is Critical Infrastructure?

Critical infrastructure is a term commonly used today. The Department of Homeland Security (DHS) describes CI as those functions that provide “the essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health” (Dept of Homeland Security, 2016). That definition casts a broad net, and accordingly, there are 16 CI sectors that DHS uses to categorize the various functions that provide those essential services.

Certainly, some sectors provide services that would be hard to do without for any length of time and which, if lost, could reduce sections of the country to survival mode. Examples are power generation, water treatment and distribution, health care, and emergency services. Take any of these away and Americans would be significantly impacted.

The remaining sectors are those we generally take for granted, but if lost in any capacity, they could have very significant secondary and tertiary consequences for “our nation’s economy, security, and health.” An important observation is that these sectors do not generally operate in isolation but are interconnected, so any significant loss in one sector can reverberate through the others. Some are essential for physical necessities, or pose a physical risk to the public should they be interrupted. Others are essential to maintaining our way of life, and their loss would disrupt everyday life profoundly.

Critical Infrastructure Sectors

The following are the CI sectors defined by DHS, listed in alphabetical order. Each has been assigned a sector-specific agency (listed in parentheses) to take the lead in representing these sectors (DHS, 2015).

  • Chemical (DHS)
  • Commercial Facilities (DHS)
  • Communications (DHS)
  • Critical Manufacturing (DHS)
  • Dams (DHS)
  • Defense Industrial Base (DOD)
  • Emergency Services (DHS)
  • Energy (DOE)
  • Financial Services (Dept of the Treasury)
  • Food and Agriculture (DoA, DHHS)
  • Government Facilities (DHS)
  • Healthcare and Public Health (DHHS)
  • Information Technology (DHS)
  • Nuclear Reactors, Materials, and Waste (DHS)
  • Transportation Systems (DHS, DOT)
  • Water and Wastewater Systems (EPA)

It’s certainly worth thinking about how each of these plays a prime role in one of those dimensions in the definition: the nation’s economy, security, and health. Personally I put security at the front of this list.

Some of these provide obvious lifeline support, while others, should they be damaged or attacked, might pose physical threats ranging from local disruption to catastrophe. For some sectors, an impact would produce a delayed reaction that primarily affects essential elements of our lifestyle. When you think about homeland security, each of these has a prominent role.

National Infrastructure Protection Plan

If you conduct a basic risk assessment, you’ll quickly find that in a worst-case scenario, the risk these sectors pose to our homeland security could be catastrophic. This makes CI risk management a top national priority. Accordingly, DHS has developed the National Infrastructure Protection Plan (NIPP), the latest version of which was released in 2013. One of the responsibilities of each sector-specific agency is to build a Sector-Specific Plan (SSP) to manage the risk in its sector, following the guidance in the NIPP. The NIPP Risk Management Framework is a useful model for any risk management program. (See Figure 1)

Figure 1: The National Infrastructure Risk Management Framework (DHS, 2013)

Two elements common throughout the NIPP and each SSP are security and resilience. Security serves primarily to prevent and mitigate an intentional attack, while resilience is meant to ensure that a minimum level of services is provided in the case of a natural or man-made disaster, as well as intentional acts.

To put that in perspective, it’s worth reviewing the definition of resilience:

“The ability of systems, infrastructures, government, business, communities, and individuals to resist, tolerate, absorb, recover from, prepare for, or adapt to an adverse occurrence that causes harm, destruction, or loss” (DHS, 2010).

Due to the complexity, distributed components, interconnectedness, and other factors involved with our national critical infrastructure systems, tackling a comprehensive risk management plan can be a challenge. Fortunately, the dispersed and redundant nature of many of the sectors naturally provides some of that resilience.

Take note of the layering in the definition of “resilience” as it will take all of the players mentioned, from the national government on down to the individual, to provide adequate resilience to a catastrophic event. We understand the threat that natural disasters, such as a major earthquake, can pose to our infrastructure. It has become clear, however, that we face additional threats, such as from cyber attacks.

The Omnipresent Villain: Cyber Attack

The Internet makes cyber attacks possible anytime, from anywhere there is connectivity, and generally with anonymity. This is the perfect environment for covert and clandestine operations. Even without the connectivity that allows for remote access and control, cyber attack and espionage can reach offline systems through social engineering and covert operator tactics. And when a system is designed to operate only within a discrete, secured network, the Internet of Things can open an unintended path in from the Internet (e.g., via printers and other peripheral equipment with Internet connectivity built in).

When you look at that list of CI sectors, their dependence on information technology is obvious. Even manufacturing, chemical processes, transportation, and other sectors are generally managed electronically and across networks. You'll also notice that the Risk Management Framework identifies three elements of critical infrastructure, and that cyber is specifically named as one of them.

Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), and programmable logic controllers (PLCs) have become the backbone of large-scale operations. These had previously been relatively safe from attack, as they were generally managed within closed networks. As those networks become more accessible, they become more vulnerable to attack.

There have been recent events that portend this risk to critical infrastructure. Two that have been in the national media recently were the 2013 hacks, purportedly by Iranian hackers, on a small dam in New York and on the Calpine Corporation, and the attacks that brought down the Ukrainian power grid. The Ukrainian attack caused a regional blackout in December that affected 100,000 people.

After extensive analysis, it appeared that the Iranian hacks were superficial, and neither the dam’s control system nor the Calpine Corporation’s network controlling its energy assets were breached (Vijayan, 2015). Yet even though this was only recently reported, the hackers have had over 2 years since the hacks to improve their capabilities. More sophisticated adversaries such as Russia and China, both of which have been in the news regarding cyber attacks, would likely have much better success at those types of penetrations.

The question would then be, to what purpose? Less sophisticated hackers might simply have local disruption in mind, which would not generally lead to exceptional consequences. Terrorists such as the Islamic State (IS) however, would be much more ambitious and attempt to cause widespread disruption. Please note that I keep using the term disruption because “cyber attacks” have been labeled as a weapon of mass disruption.

IS, even with its attempts to recruit cyber experts, is unlikely to develop a formidable level of cyber warfare capability anytime soon. When you consider large nation-states such as China and Russia, their primary goal would more likely be cyber espionage. This doesn't mean they would stop there, but might also seek to penetrate a network clandestinely and set up the capability to bring it down. This option could then be used should relations with the U.S. deteriorate into direct conflict.

That brings us to the Ukrainian power grid hack. The expert consensus is that it was a coordinated cyber attack, likely by Russian-sponsored groups, against the Ukrainians due to the ongoing conflict in the region. Not only was the power grid penetrated, but distributed denial of service attacks brought down the phone support centers to add to the confusion and complicate response (Roberts, 2016).

This attack is noteworthy as it is “one of the first significant, publicly reported cyberattacks on civil infrastructure” (Tuptuk & Hailes, 2016, ¶2). That potential has been demonstrated before, however, during the 2010 Stuxnet virus attack. This was a classic example of the power of cyber attack on an infrastructure. This involved a virus which attacked the PLCs of Iran’s nuclear centrifuges and its computer systems, causing a continuing series of malfunctions and destructive commands.

Wired Magazine called Stuxnet “the world’s first digital weapon,” due to the physical destruction it caused by sending commands to the centrifuge PLCs that caused their malfunction and failure (Zetter, 2014). Perhaps two of the more interesting aspects of this episode are, first, that even with the extensive secrecy and security around Iran’s nuclear program, it was breached, most likely by an agent inserting a thumb drive carrying Stuxnet directly into the network; and second, that the clandestine nature of the virus and its activities prevented its discovery until almost 2 years after it was introduced into the system.

These incidents demonstrate that cyber attacks are constantly evolving and progressing in capability and that they have the ability to generate physical destruction, either directly, as with the centrifuges, or indirectly, such as overriding dam flood gate controls. Imagine a saboteur getting into major control networks within any of those CI sectors and the potential for catastrophic results is evident.

Devastation would not have to be physical. Consider the primary, secondary, and tertiary effects that would be caused if the financial sector were to be crippled. In these worst-case scenarios, a cyber attack would be elevated to join the ranks of weapons of mass destruction.

Final Thoughts

These are worst-case scenarios, and some in the CI risk management business might argue, accurately, that “squirrels are a bigger threat than hackers to US power grid” (Space Rogue, 2016). That of course assumes that your risk mitigation strategy is to address the most likely threats, not the most consequential. While this isn't a bad strategy for smaller operations, it doesn't fit the needs of all stakeholders. Regional, state, and national level CI managers and users spanning these jurisdictions should start to look at the more consequential threats, and at a minimum have backup plans for significant critical infrastructure failure. The bottom line is that if you need to be able to conduct the minimum level of essential operations without power, communication, and transportation networks, you might need to get back to basics. This might mean grease boards, clipboards with paper checklists, and runners, as all of these have been used successfully in the past. Even with our leaps in technology, such old-fashioned measures may still play an interim role in future operations.
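To make the likely-versus-consequential distinction concrete, and to show why the interconnection of sectors matters to it, here is an added worked example. It is not from the article, DHS, or the NIPP; the sector dependency map, the four threat scenarios, their likelihoods, and the scoring rule (fraction of the sector lost, multiplied by the number of sectors the outage cascades into) are all constructed assumptions for illustration. Ranking the same scenarios by likelihood, by consequence, and by expected loss produces three different priority lists, which is the author's point about who should be planning for which threat.

```python
"""Toy cascade-aware risk ranking over constructed CI sector dependencies (illustrative only)."""
from collections import deque

# Constructed dependency map (an assumption, not DHS data):
# sector -> sectors that cannot operate if that sector is lost.
DEPENDENTS = {
    "Energy": ["Water", "Communications", "Healthcare", "Financial Services", "Transportation"],
    "Water": ["Healthcare", "Food and Agriculture"],
    "Communications": ["Financial Services", "Emergency Services"],
    "Transportation": ["Food and Agriculture", "Healthcare"],
}


def cascade(sector, dependents=DEPENDENTS):
    """Return every sector lost, directly or transitively, when `sector` fails.

    Breadth-first walk over the dependency graph; the failed sector itself is included.
    """
    lost, queue = set(), deque([sector])
    while queue:
        current = queue.popleft()
        if current in lost:
            continue
        lost.add(current)
        queue.extend(dependents.get(current, []))
    return lost


# Constructed threat scenarios: (name, sector first hit, likelihood per year, fraction of sector lost).
# Values are invented for illustration and carry no real-world estimate.
THREATS = [
    ("squirrel on a distribution line", "Energy", 0.95, 0.01),
    ("seasonal flooding at a treatment plant", "Water", 0.30, 0.05),
    ("ransomware in a hospital network", "Healthcare", 0.20, 0.05),
    ("state-sponsored grid intrusion", "Energy", 0.01, 0.30),
]


def consequence(threat):
    """Scope of the initial loss scaled by how many sectors the outage cascades into."""
    _, sector, _, fraction = threat
    return fraction * len(cascade(sector))


def expected_loss(threat):
    """Classic risk score: likelihood multiplied by consequence."""
    return threat[2] * consequence(threat)


def rank(threats, key):
    """Threat names ordered from highest to lowest under the given scoring key."""
    return [name for name, *_ in sorted(threats, key=key, reverse=True)]


def most_likely(threats=THREATS):
    """The 'address the most likely threats' strategy: sort by likelihood alone."""
    return rank(threats, key=lambda t: t[2])


def most_consequential(threats=THREATS):
    """The 'plan for the most consequential threats' strategy: sort by cascade-weighted consequence."""
    return rank(threats, key=consequence)


def highest_expected_loss(threats=THREATS):
    """A middle ground that weights both factors."""
    return rank(threats, key=expected_loss)


if __name__ == "__main__":
    for label, order in (
        ("most likely", most_likely()),
        ("most consequential", most_consequential()),
        ("highest expected loss", highest_expected_loss()),
    ):
        print(f"{label:>22}: {order}")
```

With these constructed numbers the squirrel tops both the likelihood and the expected-loss lists, while the grid intrusion tops the consequence list only; the Energy scenarios dominate on consequence because, in this toy graph, an Energy outage cascades into every other sector. Swapping in an operator's own dependency map and estimates changes the numbers but not the lesson: a single ranking rule cannot serve both a small operator and a national-level planner.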

References

Department of Homeland Security (January 8, 2016). What is critical infrastructure? Official website of the Department of Homeland Security. Retrieved January 14, 2016 from www.dhs.gov.

Department of Homeland Security (October 27, 2015). Critical infrastructure sectors. Official website of the Department of Homeland Security. Retrieved January 14, 2016 from www.dhs.gov.

Department of Homeland Security (2010). DHS Risk Lexicon. Washington D.C.: Department of Homeland Security.

Department of Homeland Security (2013). NIPP 2013: Partnering for Critical Infrastructure Security and Resilience. Washington D.C.: Department of Homeland Security, p15.

Roberts, P. (2016). “Experts: Ukrainian cyberattack on power supply a ‘wake-up call’ for US.” Christian Science Monitor, January 13, 2016. Retrieved from www.csmonitor.com/world.

Space Rogue (2016). “Opinion: Squirrels are a bigger threat than hackers to US power grid.” Christian Science Monitor, January 6, 2016. Retrieved from www.csmonitor.com.

Tuptuk, N. & Hailes, S. (2016). “The cyberattack on Ukraine’s power grid is a warning of what’s to come.” Phys.Org, January 13, 2016. Retrieved from www.phys.org.

Vijayan, J. (2015). “Experts separate fact from hype in reports of Iranian hacking.” Christian Science Monitor, December 24, 2015. Retrieved from www.csmonitor.com/world.

Zetter, K. (2014). “An unprecedented look at Stuxnet, the world’s first digital weapon.” Wired. Retrieved from www.wired.com.


Dr. A.J. Briding, Ph.D., CEM, CORE, PMP, CHS-V, has been involved in emergency management and military operations for over 40 years. He holds the CHS-V, Certified Emergency Manager (CEM), and Certified Organizational Resilience Executive (CORE) certifications, and is a Project Management Professional (PMP). His PhD is in Public Policy and Administration, with concentration on homeland security policy and coordination; he also holds an MS in Laser Engineering. He teaches courses on intercultural competence for the Air Force and The Impact of National Cultures on Resilience Programs for the International Consortium for Organizational Resilience (ICOR) online.




Copyright © 2017 American Board for Certification in Homeland Security, CHS®. All Rights Reserved.