Hacking Threat Posed to Critical Infrastructure Is Limited, for Now


A Monday morning power outage in Atlanta caused Delta Air Lines Inc.’s computer systems to crash and disrupted operations worldwide. It also led the company to cancel 1,000 flights on Monday and another 530 flights as of 8:30 a.m. EDT Tuesday.

It’s the latest reminder that in the modern economy there can be a lot of chaos when computer systems fail. While Delta’s problems resulted from a power failure, critical computer infrastructure remains a significant target for hackers. These industrial control systems power the electric grid, oil pipeline flow and urban rail transit.

“Last year alone, there were more attacks on industrial control systems and critical infrastructure than ever before in history,” said Brad Medairy, a senior vice president at Booz Allen Hamilton Inc. who has been tracking cyberattacks on critical infrastructure.

In a June threat intelligence briefing, Booz Allen found that 34 percent of 314 organizations surveyed worldwide had their operating industrial control systems breached more than twice in the previous 12 months. Forty-four percent of respondents weren’t able to identify the source of the attack.

The report predicted that cyber activity from nation states and cybercriminals is likely to continue to “drive increased risk” for operators of industrial control systems in 2016 and 2017. In addition, there is likely to be an expanded emphasis on new targets like light rail operators.

“We’re seeing adversaries using an ever increasing sophisticated set of attack techniques on infrastructure,” Medairy told Morning Consult in an interview. These methods include phishing attacks and finding and exploiting vulnerabilities in a system’s cyber defenses.

Cybercriminals can also breach control systems by selling computer components tainted with malware, which infects a system once the component is plugged into it.

“Small outages occur sometimes, even at important facilities such as the U.S. Capitol building,” Sean McBride, critical infrastructure lead analyst at the cybersecurity firm FireEye, wrote in an email to Morning Consult. “The right commands from the right computer can turn the power off almost anywhere in the U.S. (single building accuracy not implied). What we are worried about is whether adversaries have the requisite knowledge to cause a premeditated and prolonged physical effect.”

At the moment, experts say they don’t think the hackers who have the ability to knock out critical infrastructure are willing to actually do it.

“You see nation state actors with sophisticated capabilities to attack critical infrastructure, but in general they don’t have the intent,” Medairy said. “We’re likely not going to see China or Russia actively trying to bring down the power grid in the United States because there would be severe repercussions, they don’t have the intent to do so.”

“We generally agree that threat actors with the capability to cause specific premeditated effects via cyberattack do not yet have the intent,” McBride agreed.

But Medairy said there’s still concern for a second group of people — those with the intent to take down major infrastructure who haven’t yet harnessed the capability.

“You will see terrorist organizations starting to grow new capabilities that do have the intent,” Medairy said. “I think that we’re in a transition period where we’re going to see attackers moving beyond traditional enterprise attacks into non-traditional operational technologies like industrial control systems, the power grid, and other things.”

Booz Allen’s report warned that the “barrier to entry” for hackers is getting lower. “Publicly available attack resources emerged that may lower technical barriers for limited-skill threat actors,” the report said.

A white paper from Symantec said industrial control systems are a “prime target” for hackers because they are increasingly internet enabled.

Part of the problem, according to Medairy, is that some companies do only the bare minimum of what’s required of them, which leaves them susceptible. “I still think that our clients in many cases are taking a very compliant and regulatory approach, and we all know that just because you’re compliant doesn’t mean you’re secure,” he said. “I think that’s going to have to evolve.”

Most cybersecurity experts agree that former Defense Secretary Leon Panetta’s 2012 warning of a “cyber Pearl Harbor” that would down the U.S. power grid, transportation systems and government entities is unlikely.

Cyber vulnerability isn’t a major topic of debate in this year’s presidential campaign, but it is on some officials’ minds because the issue found its way into the national policy platforms of both political parties. The Republicans, in particular, pointed to the dangers of cyber vulnerability.

The GOP’s 2016 platform calls to shore up America’s electric grid, saying it is “aging, vulnerable to cyber and terrorist threats, and unprepared to serve our energy needs of tomorrow.”

“We should seek to weaken control over the internet by regimes that engage in cyber crimes,” the platform says. “We must stop playing defense and go on offense to avoid the cyber-equivalent of Pearl Harbor,” it adds, in reference to Panetta’s caution.

The Democratic Party’s platform doesn’t go as far in addressing the threats to the electric grid, instead promising to “modernize” the grid. “Democrats will protect our industry, infrastructure, and government from cyberattacks,” the platform says.

Morning Consult