Throughout history, warfare has always included the targeting of critical infrastructure.
Of course, the definition of critical infrastructure has evolved since medieval times: in 1418, during the Siege of Rouen, Normandy, an attacking army catapulted diseased livestock over the walls to poison the water supply. Today, critical infrastructure is entwined in every aspect of our modern economy and our everyday lives.
The recent spate of cyber attacks on government organisations and businesses across the globe is essentially designed to do the very same thing – to sabotage and disrupt. However, instead of seeing (and sniffing) the very obvious tactic of dead cattle, nation-states – such as Ukraine – are now subject to an invisible onslaught with very visible outcomes.
We are living in a modern world where warfare crosses the physical and digital domains with ease, increasingly in a highly coordinated manner. Chief among its targets now, and in the coming years, is critical infrastructure. In protecting these assets, it is essential to understand past patterns of cyber attacks to both defend against and prevent them.
How testing, refining, and maturing cyber weapons have evolved
In 2007, members from several US government agencies gathered at an electrical grid test facility in a remote part of Idaho to watch a test on a massive diesel generator. The generator, weighing 27 tonnes and producing enough electricity to power an entire hospital, was fully operational and roaring away. In the test, 140 kilobytes of data – just thirty lines of malicious code – were injected not into the generator itself but into a small attached protective relay.
This relay was designed to detect anomalies in the power grid, and open circuit breakers to protect equipment and, in extreme cases, prevent electrical fires. The malicious code was designed to disable this tiny component.
It worked perfectly.
Twenty-three seconds after the code was injected, the generator started to shudder and vibrate, parts flying everywhere. A few more cycles and black smoke poured from its exhaust. The unit was completely destroyed by thirty lines of simple code in less than two minutes.
In 2015, Starlight Media, Ukraine’s largest media broadcaster, was preparing for its morning news broadcast when several servers were simultaneously taken offline. An investigation identified a specific type of customised malware, later called BlackEnergy. Luckily, the machines were quarantined before the malware could infect the rest of the network.
While the attack was mitigated and remediated quickly, the significance of this newly discovered malware took longer to appreciate. It was a primitive prototype – a test, if you will – of what was to come, as the sophistication of critical infrastructure attacks accelerated.
On Christmas Eve that same year, three separate Ukrainian power operators hundreds of miles apart in the west of the country had electrical substations taken offline simultaneously, impacting up to 200,000 households. This was a phishing attack that launched a very specific malware Ukraine had seen before – BlackEnergy.
It was the first reported time this malware had been used to attack, and successfully disable, a power grid.
On 17 December 2016, the winter weather meant energy consumption in Ukraine was at its peak. This time, the cyber attack moved up the circulatory system of the electrical grid, from remote substations to an entire transmission station of 200 kilowatts. The blackout lasted little more than an hour as engineers restored operations. But in the ensuing investigation, it was publicly confirmed this was a cyber attack. The weapon? BlackEnergy.
When BlackEnergy was quarantined and investigated, it was ultimately found to be a set of command tools that could speak directly to industrial control elements within the power grid and control them at a speed and scale never seen before. It was a highly adaptable, remotely controlled, yet very specific malware, with the power to physically destroy a power grid.
In a single decade, early cases of unsophisticated, easily traceable attacks progressed to more refined, specific malware tools tested in enterprise infrastructure. These were then refined further, deployed against critical infrastructure, and paired with highly sophisticated, purpose-built control system malware.
Sharing intelligence on threats is critical to cyber warfare
As geopolitical tensions rise and cyber attacks occur with increasing frequency, pockets of fragility in both the public and private sectors are becoming more apparent. In Australia, the Security of Critical Infrastructure Act 2018 was legislated to provide greater reach to the government over critical infrastructure operated by private entities.
However, organisations are still struggling to build resilience in a cyber landscape characterised by perpetual conflict and countless strike opportunities, with almost no proportionate restrictions on attackers.
The digitisation of modern warfare is driving a critical need for defenders to match the velocity of cyber criminals with equally strong tools and skills. In building this capability, it is essential to understand the psychology and motivations of cyber attackers, so that defenders can recognise patterns of disruption and use that knowledge for prevention.
Tools like the Vocabulary for Event Recording and Incident Sharing (VERIS) help mitigate one of the most critical and persistent challenges in the security industry – a lack of quality information in a common language.
If we can understand what cyber criminals intend to do, and how they intend to do it, we are in a better position to protect critical infrastructure proactively and act before it’s too late.
The storm isn’t coming – it’s here.
Robert Le Busque is the regional vice-president, Asia-Pacific region, at Verizon Business Group.