Yes! Electric Grid & Critical Infrastructure ICS Are At Risk From Cyber Attack
It’s Not Easy, But Don’t Dismiss The Possibility
Cyber 911, Digital Pearl Harbor and other vivid descriptors of an ICS cyber attack that does significant damage to a region, economy, environment or human life have been common in recent years. And there has been a lot of hype and misinformation on how easy and likely this type of attack is. A hacker who is able to pwn (take control of) one or more key computers in an ICS would be very unlikely to have the engineering and automation skills to do costly physical damage that is difficult to recover from.
However it seems the ICS security community has overcompensated for this hype by now stating this will not and cannot happen. The most recent and vivid example is from the very smart Robert Lee in a CSM Passcode podcast. Two Robert Lee quotes from the article accompanying the podcast:
“The idea that we’re going to randomly see a crippling attack on the power grid for no reason whatsoever is absurd,” …
Terror groups such as the Islamic State do not “have the capability to develop long-term operations to get into the power grid and develop specific engineering knowledge capable of causing physical destruction to infrastructure or causing long disruptions [in service]. It’s just not possible,” Lee says.
The first quote goes to motivation. Of course doing damage to the power grid or other critical infrastructure would be unlikely to be done casually or for fun given the likely impact and the consequences to an attacker if caught. That said, it is naive to believe at this time there are not numerous groups that would have a “reason” to cause that impact to whatever country you live in.
The second quote, and theme in the podcast, is more troubling and gaining traction in the ICS security community. Causing a physical impact can be hard and requires engineering and automation skills, but believing these cannot be obtained for a relatively small amount of money is also naive. It may not even require money. I would not bet against one very smart engineer teamed with a moderately skilled automation professional and hacker, and the willingness to do extreme things and live with the consequences, from causing physical destruction to infrastructure or causing long disruptions.
Rob does hedge more in the context of the podcast, but he stands by those pull quotes. In the electric sector there are at least three public examples and many more examples not discussed outside of closed doors:
- Key Substation Attacks: FERC said 9 substations on the right day could cause a large scale blackout. Isight Partners confirmed this with an independent analysis that took less than a week.
- GE Atlanta Data Highway for Onsite Monitoring: take out more than 1800 turbines in 60 countries if you can get into that control room. Vendors increasingly are getting centralized remote access to large numbers of critical assets. These become high value targets.
- Protocol Stack Vulnerabilities: Crain and Sistrunk showed how access to a substation could be used to attack the transmission or distribution control room due to DNP3 stack vulnerabilities. The ICCP stack is also highly interesting given it is used for communication between utilities.
One thing I have consistently seen and been impressed by in 15 years working on ICS is the control engineer’s ability to identify the weak spot. It typically comes up after you have built rapport and trust with the engineer beginning a conversation with, “you know if I really want to cause a big problem I would …” Believing none of your adversaries have this capability seems unwise.
Not all attacks attempting physical damage require genius engineering. Reid Wightman of Digital Bond Labs showed at S4x16 how simple it is to damage electric motors by running them at the skip frequency, which by the way is documented in the drive manuals. About 15% of the deployed motors have vibration monitoring and setpoints to trip the motor to prevent this damage, but altering the setpoint on vibration monitoring is also an easy, low engineering knowledge hack that also applies to turbines.
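The flip side of the skip frequency and vibration setpoint attacks is that both are visible as setpoint writes, which a utility can watch for. The script below is an added example, not Digital Bond's or Reid's code, that reviews a constructed list of Modbus register writes to a drive and vibration monitor and flags the writes that push the speed reference into a documented skip band, raise the vibration trip setpoint above its commissioned value, disable the trip, or come from a host that is not supposed to be writing at all. The register numbers, skip bands, trip limit and host addresses are hypothetical values chosen for the example.

```python
"""Added example (not Digital Bond's code): flag VFD and vibration-monitor
setpoint writes that steer a motor into a documented skip-frequency band or
weaken vibration protection. Register map, skip bands, trip limit and host
addresses are hypothetical."""
from dataclasses import dataclass

# Hypothetical drive parameters: skip (resonance) bands in Hz, as documented
# in the drive manual, and the commissioned vibration trip setpoint in mm/s.
SKIP_BANDS_HZ = [(28.0, 32.0), (44.5, 46.5)]
BASELINE_VIB_TRIP_MM_S = 7.1

# Hypothetical Modbus holding registers on the drive / vibration monitor.
REG_SPEED_REF = 40001        # frequency reference, value in 0.1 Hz
REG_VIB_TRIP = 40010         # vibration trip setpoint, value in 0.1 mm/s
REG_VIB_TRIP_ENABLE = 40011  # 1 = trip enabled, 0 = alarm only


@dataclass
class Write:
    ts: str
    src_ip: str
    register: int
    value: int


def parse_writes(lines):
    """Parse constructed 'ts,src_ip,register,value' records of Modbus
    FC6/FC16 holding-register writes (e.g. exported from a capture)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, reg, val = (f.strip() for f in line.split(","))
        out.append(Write(ts, src, int(reg), int(val)))
    return out


def in_skip_band(freq_hz, bands=SKIP_BANDS_HZ):
    """True if a commanded frequency lies inside any documented skip band."""
    return any(lo <= freq_hz <= hi for lo, hi in bands)


def review_writes(writes, authorized_hosts):
    """Return (write, reason) findings for writes that deserve a look."""
    findings = []
    for w in writes:
        if w.src_ip not in authorized_hosts:
            findings.append((w, "write from unauthorized host"))
        if w.register == REG_SPEED_REF:
            freq = w.value / 10.0
            if in_skip_band(freq):
                findings.append((w, f"speed reference {freq} Hz inside skip band"))
        elif w.register == REG_VIB_TRIP:
            trip = w.value / 10.0
            if trip > BASELINE_VIB_TRIP_MM_S:
                findings.append((w, f"vibration trip raised to {trip} mm/s "
                                    f"(baseline {BASELINE_VIB_TRIP_MM_S})"))
        elif w.register == REG_VIB_TRIP_ENABLE and w.value == 0:
            findings.append((w, "vibration trip disabled"))
    return findings


# Constructed sample: two normal writes from the HMI, then three writes from
# an unexpected host that raise the trip, disable it and command 30.0 Hz.
SAMPLE_WRITES = """
# ts,src_ip,register,value
2016-01-14T09:00:01,10.1.2.5,40001,500
2016-01-14T09:00:05,10.1.2.5,40001,550
2016-01-14T09:12:30,10.1.9.77,40010,250
2016-01-14T09:12:31,10.1.9.77,40011,0
2016-01-14T09:12:33,10.1.9.77,40001,300
""".splitlines()

if __name__ == "__main__":
    for w, reason in review_writes(parse_writes(SAMPLE_WRITES), {"10.1.2.5"}):
        print(w.ts, w.src_ip, w.register, w.value, reason)
```

The ordering in the sample is the point: the trip setpoint is raised and then disabled before the speed reference is moved into the band, so a monitor that only watches the speed register would see a legitimate-looking command with the protection already gone. Checking the protection registers and the writing host, not just the process value, is what makes the sequence stand out.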
While Rob and the CSM podcast focused on the electric sector, other critical infrastructure ICS could have similar massive impacts. The move to and reliance on just in time delivery of resources means we run out of some key items in a matter of days. There are also some regions reliant on one or two ICS to deliver necessary resources. I don’t want to go into too much detail on this, but the answers we receive when we ask what if this or that part of a single ICS is unavailable can be alarming.
These incidents are actually High Impact Low Frequency (HILF) events. The Low Frequency, in my opinion, is based more on the consequences to the potential attack team and the limited number of people who want to cause that level of damage than on the difficulty of the attack itself.
For a long time there was a belief that causing a “Digital Pearl Harbor” was easy. It is not. However the pendulum seems to have swung too far the other direction with the belief that an adversary with a small but skilled team could not cause an event like this. They can.