Articles like this are very irritating. They are short of detail and long on hype. And when that hype focuses on the wrong threat, it becomes the threat itself.
This WSJ article is a typical case. These stories are not new and the pop up from time to time usually focused on Russian or Chinese hackers — and in this case some unholy alliance of both (I’m surprised that Al Qaeda wasn’t thrown in to this “Haxis of Evil” :)) Some have suggested that the article was planted for political purposes but, regardless, the hype seems to focus on the wrong threat.
Since there are no details in the article the author attempts to use an example to hype the threat: the infamous Australian sewage example. However, this just proves the overall uselessness of the entire article.
First, the “sewage hacker” case was an inside job. The attacker was “employed by the company that had installed the system” that he later “hacked”. Second, he had specialized knowledge of the system (related to his “insider” status):
After a brief police pursuit from the Sunshine Coast towards Brisbane, Boden was run off the road. In his car was the specialized proprietary SCADA equipment he had used to attack the system, and a laptop; however, it was a piece of $18 cable that ultimately led to his downfall.
Grounds for charges were slim, but the handmade cable showed he had the technical capability to hack the Scada system.
The laptop found in his car contained enough messages to prove he sent commands to disrupt various pump stations and that, combined with proprietary radio equipment and specialized cable, was enough to find him guilty of what has been dubbed the first case of critical infrastructure hacking in Australia.
Third, the attack did not occur over the Internet.
“We worked out he had to be within a 25-mile radius, but one night we had not seen any evidence of hacking until he came on about 6.30 a.m. We had private investigators put cars along all the bridges and overpasses from the Sunshine Coast to Brisbane, because we knew the description of his car and knew he would be driving past. The investigators waited until they saw him on the highway and contacted police to intercept the car.
“When police went to intercept him, he did a runner; the police then ran him off the road and found a car full of proprietary gear. No one had seen him hack our systems, but from his laptop we were able to find the last recorded event and messages sent which exactly matched our SCADA radio monitoring systems.”
So, following the logic in the WSJ article the Chinese and/or Russian hackers would have to drive (can you do that over the Internet?) to within 25 miles of their targets — after having previously been employed by them — in order to conduct their attacks.
Now, the point here is not to diminish the threat of attack against critical infrastructure but to point out that the hype-based approach ends up bringing focus on the wrong kinds of threats. By focusing on external Internet-based threats (that may or not really exist) the focus on the insider threat is lost.
In many cases the insider threat is of more importance than an external, Internet-based threat (especially when such systems are *not* connected to the Internet). A recent case concerning an oil platform is yet another example:
A Los Angeles federal grand jury indicted a disgruntled tech employee Tuesday on allegations of temporarily disabling a computer system detecting pipeline leaks for three oil derricks off the Southern California coast.
In an old Gartner exercise, a team was given $200 million, access to state-level intelligence, and five years to plan attacks. Even though this study is old, I like it because the scenario gives the attackers significant resources as opposed to many that simply rely on “hackers” from X or Y countries. They also divided the team into various groups focusing on different parts of critical infrastructure.
The telecommunications disruption team team suggested that requirements for a successful attack would include working knowledge of telecommunications systems, PHD level education, specific product knowledge of targets and insider assistance. They suggested that it would have large resource requirements and be fairly expensive. As can be seen in an overview by The Register, bribes and insiders play an important role:
With that said, it’s nevertheless clear that a fair amount of mischief can be brought about by a large, well-funded technical dream-team. Telecomms group member Fraley reported that it’s possible to cause SS-7 (Common Channel Signaling System #7) and PSTN (Public Switched Telephone Network) capacity to collapse for a brief period. However, it would take a very large investment in both personnel and money (bribes, presumably) to accomplish even that much. Perhaps 200 people would be needed, he reckoned. A satchel bomb thrown down a manhole in Manhattan would be far easier, far cheaper, and still fairly destructive, he remarked.
In fact there was a case just recently in which attackers “killed landlines, cell phones and Internet service for tens of thousands of people” and “froze operations in parts of the three counties at hospitals, stores, banks and police and fire departments that rely on 911 calls, computerized medical records, ATMs and credit and debit cards.” How? By cutting the fiber optic cables (which would be hard to do via the Internet in Russia or China).
Insiders are also required to exploit SCADA systems:
As for the power grid, it’s national, and controlled by large, complex SCADA (Supervisory Control and Data Acquisition) systems. Still, it’s only feasible to target a large metropolitan area, team member John Dubiel noted. Attacking the entire grid would be quite impractical. The best approach would be physical attacks on major transmission corridors, all of which are well-known, followed by the malicious use of owned control systems to to create a pattern of cascading failures throughout the target region. “At this point the system is attacking itself,” he observed. Finally, one would attack and damage the SCADA systems themselves to hamper recovery efforts.
It’s possible to launch remote attacks against some SCADA systems connected to public infrastructure, but insiders would have to be recruited to attack others, he added.
In many cases the focus on protecting critical infrastructure needs to be placed on the physical infrastructure, the “insider threat” and very often on *basic* Internet security practices. (Such as changing default passwords). When the emphasis shifts away from such threats to focus on hype and hazy allegations that may or may not be politically motivated the hype itself becomes the threat. Rather than deal with emerging security problems the emphasis is placed on building a “cyber-Maginot Line” without an accurate articulation of the nature of the threat.