Targeted control system cyber attacks - not when, but how much damage

There have been many stories about cyber vulnerabilities of critical infrastructure with the tagline – not if, but when. However, there already have been many targeted cyber attacks against critical infrastructures from attackers ranging from disgruntled individuals to nation-states. Targeted control system cyber attacks (this does not include general viruses and worms that were not targeting control systems) are loss of view and/or loss of control and have affected electric power transmission and distribution systems, fossil power plants, nuclear power plants, hydro facilities, wind and water turbines, water/wastewater systems, vehicles, trains, transportation systems, fuel facilities, manufacturing, medical facilities, chemical plants, oil facilities including off-shore oil platforms, food/beverage, paper/pulp, and others.

Targeted control system cyber attacks have been identified in Australia, Brazil, Canada, China, France, Germany, Iran, Israel, Lithuania, Netherlands, Poland, Qatar, Russia, Saudi Arabia, South Korea, UK, Ukraine, and Venezuela. Examples of targeted ICS cyber attacks internationally include destruction of centrifuges, damage to blast furnace, loss of fuel loading, tilting of an off-shore oil rig, and significant environmental discharges. However, there have been almost no US government or NERC public identification of control system cyber attacks in the US despite the fact that targeted control system cyber attacks have occurred in US critical infrastructures with attendant damage. Examples of targeted ICS cyber attacks in the US include loss of electric and water SCADA, damage to manufacturing lines, shutdown of HVAC systems, and damage to facility equipment including critical motors.

 As identified in the Defense Science Board Task Force on Cyber Deterrence issued February 2017, critical infrastructures are vulnerable to cyber attacks. Consequently, there is a need to actively pursue a series of mitigations that include removing critical control systems from the Internet (see DHS ICS Monitor May/June 2015 recommendations), ensuring that updates are performed in a secure and documented manner, and minimizing insider threats by making the systems unavailable to all but trusted users. Additionally, there is a need to focus on resilience and recovery as malware is already in many control system networks.

Joe Weiss