Safeguarding utilities from cyberattack


The risks associated with cyberattacks on key infrastructure are increasingly appreciated, and the scale of the challenge was emphasized by the recent attack in California, a deliberate and long-lasting attack on the region’s utility network that cut off power to around 1.5 million people. It was an attack that was estimated to have cost almost $2.5 billion.

Devastating as this attack was, the implications are surely much larger if an attack targets an even more populated part of the country. The Californian example highlighted how people were able to struggle through for a short time, but outages approaching a week become a very different story. In California, evacuation was one of the remedies implemented, but on a larger scale this is likely to be impossible, if only for logistical reasons.

Utility networks have long had contingency plans for natural disasters, but even then it can take several days before normality is restored. Obviously, such examples often involve structural damage, but there is no guarantee that recovery from a cyberattack will be swift either, especially if it involves a ransomware attack.

Lack of preparation

Indeed, it’s quite possible that a full recovery from a cyberattack could take months. While traditional cyberattacks can manipulate the underlying software or delete the data on which it operates, the computers and other hardware are typically intact, so recovery is somewhat more straightforward. In cyber-physical systems, however, key equipment can be destroyed by attacks that prompt it to malfunction. Adequately repairing this hardware can take weeks or months, especially if the attack is broad enough to damage a large number of items at the same time. This is compounded by the unique nature of the hardware: many devices are developed specifically for their purpose, so replacements have to be custom made.

To understand the risk of such devastating attacks on our cyber-physical infrastructure, we need to first examine the opportunity for such attacks to occur. It’s tempting to think that if a device isn’t connected to the internet then it’s safe, but we’ve seen from attacks such as the Stuxnet virus that this is no guarantee.

Nor do these attacks require a huge budget. Indeed, many of the tools needed can be acquired via the dark web, having previously been stolen from agencies such as the NSA, as was the case with the recent attack on Ukraine’s power grid.

Perhaps the biggest factor in the relative lack of cyber-physical attacks to date has been the lack of motivation for carrying them out. Most of the attacks to date have had distinctly political factors behind them, but with data showing the growing ‘market’ for ransomware, this is surely not a consolation we can continue to take.

The latest report on the state of ransomware in the US by cybersecurity firm Emsisoft put the cost per year at over $7.5 billion, with victims ranging from government agencies and hospitals all the way to schools and utilities. A big part of this is the disregard for cybersecurity in large swathes of local government, as reported recently by the State Auditor of Mississippi.

How to fend off cyberattacks

There are a number of challenges authorities must face to ensure systems remain secure, but the first is taking the problem seriously to begin with. As research from the University of Maryland highlights, “most American local governments do a poor job practicing cybersecurity.”

We also tend to use past incidents to guide future actions, or, as the military saying goes, we’re often stuck fighting the last war. This is fine if attacks are relatively static in their meter and rhyme, but the reality is that this is a rapidly changing landscape that requires a flexible and adaptive approach to cybersecurity. It requires a shift from thinking about what has happened to thinking about what could happen.

It might also pay to focus less on stopping cyberattacks from happening in the first place and more on mitigating their impact. The ultimate aim is to limit damage, not simply to limit attacks. Often relatively inexpensive hardware adaptations can significantly limit the damage caused by any cyberattack, but these modifications get overlooked because we don’t look in the right places for solutions.

It’s also vital that we look at the system as a whole, as there are often numerous interdependencies that can cause a hugely damaging chain reaction. This systemic assessment can also highlight any potential weak spots in the network that provide an easy way in for attackers.

The implications of losing utilities for any length of time often extend far beyond the financial, so it’s high time that organizations, and indeed authorities, get better at ensuring they are safe from attack. Network damage from natural disasters is a very visceral event that encourages a prompt response. Now is the time for us to take cybersecurity just as seriously.