In late December, the German government issued a report about a cyber attack on a steel mill that resulted in significant damage to that facility. The attack has received extensive publicity since then, from the BBC to YouTube, including a detailed analysis of the attack by SANS. Many of these reports, such as the one by Wired, call this the “second confirmed case in which a wholly digital attack caused physical destruction of equipment”, the first being Stuxnet.
(Image from report on German steel mill cyberattack posted on Youtube)
The visibility into the risk of cyber attacks that this incident provides is valuable, a warning that targeted attacks against Internet of Things (IoT) in general and critical infrastructure in particular need to be taken seriously. But the disproportionate attention to this attack, perhaps because of the dramatic value of a blast furnace explosion, also has the risk of distracting us from the implications of other actual and potential attacks that have occurred recently. I touched on a number of these attacks in my August 2014 blog on “(In)Security of the IoT”, my June 2014 blog on “The Dragonfly Attack”, and in my February 2014 blog on “Rogue Refrigerators”.
The BlackEnergy attacks, for example, reported on by ICS-CERT in October 2014 and again in December 2014, received less attention in the press but represented a much more fundamental attack on critical infrastructure. The attack focused on infecting Human Machine Interface (HMI) components from a number of vendors. Like the attack on US natural gas infrastructure reported by US-CERT in 2013, BlackEnergy represents a broad initiative against industrial capabilities, much more serious than the single attack on a steel mill. The ICS-CERT report on equipment failure at an Illinois water plant also showed the importance of equipment failures and insider error (and insider attacks) when considering the security of critical infrastructure.
Much of the response both to the steel mill attack and to BlackEnergy focused on the risks related to connecting critical infrastructure to the Internet. But as the range of attacks against critical infrastructure has indicated, attacks can leverage many other equally powerful approaches, such as infecting supplier components, direct attacks by insiders and, like Stuxnet, transfer of malware by operators and administrators. Our strategies for defending against cyber attacks have to take into account all of these risks, not just those related to connecting critical infrastructure to the Internet. That strategy has to start from an assumption that compromise-caused failures will occur, just like the series of faults that resulted in the explosion of the Miami electric power substation in 1993.
(Image from report on substation explosion posted on Youtube)
We certainly need to put in place defensive mechanisms that are as effective as possible. But we also need to embrace a strategy of visibility, analysis and action that will enable us to respond to all the compromises of critical infrastructure – whether inadvertent or intentional – that will inevitably occur. To this end, the SPARKS project is developing an innovative analytics system that makes use of big data to identify the abnormal operational behaviour of a smart grid. Such a system could provide early visibility of the potential impact of an attack when defensive mechanisms have proven inadequate. Furthermore, we are investigating approaches to ensure the resilience of the control systems that underpin critical infrastructures – the aim is that control systems can be resilient to cyber attacks and faults, reducing the likelihood of the explosive effects that were seen in Miami and Germany.
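To make the idea of "identifying abnormal operational behaviour" concrete, here is a small added illustration. It is not SPARKS project code and makes no claim about how that analytics system works; it simply shows the defender's basic pattern: learn a baseline from a window of healthy telemetry, score live readings against it with statistics that a few bad samples cannot distort, and only raise an alert when the deviation is sustained, so that a single sensor glitch does not look like a grid event. The frequency readings are constructed for the example and do not come from any real plant.

```python
"""Added illustration (not SPARKS project code): robust baseline-and-deviation
detection over constructed smart-grid telemetry."""
from statistics import median

# Constructed sample: grid frequency readings (Hz) taken once per second.
# A healthy 50 Hz grid normally stays within a few hundredths of a hertz of
# nominal; these values are made up for the example, not measured anywhere.
BASELINE_READINGS = [50.01, 49.99, 50.00, 50.02, 49.98, 50.00, 50.01, 49.99,
                     50.00, 50.01, 49.98, 50.02, 50.00, 49.99, 50.01, 50.00]

# Constructed live window: one isolated spike at index 1 (a plausible sensor
# glitch) and a sustained excursion at indices 5..7 (worth an analyst's time).
LIVE_READINGS = [50.00, 50.50, 50.01, 49.99, 50.02, 50.35, 50.41, 49.20, 50.00]


def robust_baseline(readings, min_scale=0.005):
    """Return (centre, scale) as median and median absolute deviation (MAD).

    Median/MAD are used instead of mean/stddev so that a handful of corrupted
    or adversarial samples in the training window cannot drag the baseline.
    min_scale keeps a perfectly flat window from producing a zero divisor.
    """
    centre = median(readings)
    mad = median(abs(x - centre) for x in readings)
    return centre, max(mad, min_scale)


def score(value, centre, scale):
    """Deviation of one reading in robust 'standard deviations'.

    1.4826 rescales MAD to a stddev-equivalent for normally distributed data,
    so the threshold can be read like a z-score.
    """
    return abs(value - centre) / (1.4826 * scale)


def detect_anomalies(live, baseline, threshold=6.0, min_run=2):
    """Return (start, end) index pairs of sustained anomalous runs in `live`.

    A run must last at least `min_run` consecutive samples to be reported;
    shorter runs are treated as probable measurement noise.
    """
    centre, scale = robust_baseline(baseline)
    flagged = [score(v, centre, scale) > threshold for v in live]
    events = []
    start = None
    # Append a sentinel False so a run touching the end of the window closes.
    for i, is_anomalous in enumerate(flagged + [False]):
        if is_anomalous and start is None:
            start = i
        elif not is_anomalous and start is not None:
            if i - start >= min_run:
                events.append((start, i - 1))
            start = None
    return events


if __name__ == "__main__":
    centre, scale = robust_baseline(BASELINE_READINGS)
    print(f"baseline centre={centre:.2f} Hz  scale(MAD)={scale:.3f} Hz")
    for i, v in enumerate(LIVE_READINGS):
        print(f"t={i}s  {v:.2f} Hz  score={score(v, centre, scale):5.1f}")
    print("sustained anomalies (start, end):",
          detect_anomalies(LIVE_READINGS, BASELINE_READINGS))
    print("with min_run=1 the glitch at t=1 is also reported:",
          detect_anomalies(LIVE_READINGS, BASELINE_READINGS, min_run=1))
```

In a real deployment the baseline window would be re-learned per feeder or per substation and per operating regime (load varies by time of day and season), and a frequency excursion alone says little about cause; the value of the detector is that it gives operators early visibility, so the flagged interval can be correlated with HMI logs, network telemetry and maintenance records to decide whether it is a fault, an operator error or a compromise.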