Our critical infrastructure isn’t ready for cyber warfare

Most experts would argue that the United States has not yet experienced a significant cyber event against its critical infrastructure (CI), but one or many of these events are a real possibility and maybe on the horizon.

According to the director of Intelligence in a 2015 report to Congress, major nations have bolstered their cyber operations against private industry for a number of reasons. Some of these nations are specifically developing or improving remote access to the CI in the United States.

Expanding on my colleague’s earlier op-ed, even with great strides in cybersecurity bolstering efforts by the whole of government, industry and the private sector, the entire United States CI is unprepared for a major cyber-event and remains at a high risk from the exploitation and mission failures that could result, and it is time to create solutions.

Yes, the electrical grid is at risk to cyber-attack, and that is a major problem, however it is not the only problem.

{mosads}DHS defined 16 unique CI sectors, including water/dams, transportation, finance, telecommunications and energy/electrical.

Most of the CI enterprise came into operation well before the modern-day PC. Born from the proliferation of the interconnected computers and bolted on multiple access points of virtually every CI, Supervisory Control and Data Acquisition (SCADA) systems provide remote monitoring, and management control now critical to everyday operations.

When these SCADA systems were fielded, “cyber,” let alone “cybersecurity” were not even in the lexicon. Therefore, there are design flaws and security vulnerabilities exposed to malware, insider threats, hackers and terrorists, as well as nation-state actors.

There are numerous cyber intrusion examples against various CI that have played out worldwide. In 2007, Estonia was hit with a barrage of botnets, script-kiddies and sophisticated hackers all focused on connected opportunities including media outlets, communication companies and banks.

For the first time, a country was completely internet-blocked and isolated from the connected world without an adversary stepping foot on their land.

In early 2010, the second example also focused efforts toward a country, but targeted a specific capability that the country was developing. The weapon wielded was called STUXNET, a sophisticated assembly of computer code leveraging multiple zero-day exploits — vulnerabilities referring to a hole in software that is unknown to the vendor — and other vulnerabilities embedded in the target system.

Unlike the weapons thwarted against Estonia that focused on blocking various services and overwhelming computers, STUXNET was designed to inflict physical damage toward certain systems and equipment, the centrifuges of an Iranian uranium enrichment plant managed by SCADA networks.

Hitting closer to home in 2011, a small dam in the middle of New York along with some major financial institutions were subject to cyber attacks linked to the Iranian government.

The banks hit with a barrage of botnet Distributed Denial of Service (DDoS) attacks were significant enough, but the remote access gained by the intruders on an operating technology system that controlled mechanical aspects of the dam (via SCADA networks) was yet another testament that America’s CI is at risk.

The dilemma is as wide as it is deep. The majority of the nation’s CI is privately owned and operated. This leaves assessment, oversight and compliance enforcement a challenge for the federal government. Some CI sectors may be more inclined to share with DHS (and the public) their cyber shortcomings than others.

This makes management difficult for DHS, as a “code-of-silence” engulfs the entire CI industry in fear of public abandonment wherein business survivability becomes jeopardized. This is a risk that the companies must weigh and currently what DHS must accept as level of effort the CI community is willing to participate at.  

That risk correlates to an issue of accountability for the CI community to be proactive in identifying and addressing known vulnerabilities before they are exploited.

The financial burden ultimately falls with the customer and taxpayer. If cyber insurance is the answer, then that’s it, problem solved. However, insurance would probably not cover for extended periods of no service or provide alternative service.

For instance, a cyber attack, similar to that of STUXNET, targeted toward a city’s power grid generators could inflict physical destruction and break the generators. Therefore, insurance can be one aspect of a CI industry’s plan to mitigate risk, but it is not the silver bullet.

A more comprehensive solution involves investment by the federal government. Certain parts of some of the CI components, i.e., large generators or transformers for electricity production, can be extremely expensive for most companies, and they might not even be readily available in the supply chains.

So if one of these systems were targeted with a STUXNET-like attack and it caused physical destruction of major components, it could be cost-prohibitive as well as a lengthy time to receive it out of the supply chain.

Therefore, if the government could procure, stage and store these key components, it would significantly reduce the impact to the public during a cyber catastrophe.

The United States has recognized the dangers associated with this cyber dependence and has made strides in the right direction. However the fight is far from over, and it will take more than a whole of government approach. It will take a whole of nation approach.

Michael Myers is a lieutenant colonel in the U.S. Air Force and the deputy director and instructor at the Joint Command Control & Info Ops School at the Joint Forces Staff College.