Remember Stuxnet? It sounded like a one-off, back in 2010 when it was revealed to have damaged centrifuges in Iran, a computer virus or “worm” apparently developed by the US and Israel. An oddity that only the most sophisticated intelligence agencies could have come up with.
Two straight days now, cyberattacks on infrastructure have been in the headlines. On March 15, the US Department of Homeland Security (DHS) reported that Russia had penetrated control systems at a number of power plants, along with water and electric systems. The objective, as DHS assumed, was to be able to shut off critical infrastructure systems remotely in a situation of conflict. Implicitly, also to be able to threaten, and possibly act, in situations short of overt conflict. “Scores” of infrastructure assets and companies were reported to have been accessed. Homeland Security issued an updated warning yesterday to utilities that access to critical controls had been breached widely across the country. The security technology director at Symantec said “We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or effect sabotage. From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation.” Leaving aside the politics, a detail in the report gives some pause: the group accused in these infrastructure attacks seems to be different from two other Russian groups previously accused of cyberattacks, and from the North Korean group accused of attacking the UK’s health infrastructure in 2017. The important implication is that multiple groups have now acquired the ability to conduct cyberattacks across borders. Put in business terms, the barriers to entry into the “business” of cyberattacks are eroding.
On March 14, a different but equally ominous headline appeared. This one was about yet-to-be-identified hackers attacking a facility of Sadara Petrochemical in Saudi Arabia. Apparently, as reports noted, it was the latest in what has been a string of cyberattacks against Saudi petrochemical plants. What made this latest attack different, and more alarming, was the apparent objective. Most reported attacks, like Stuxnet, disable. They shut down systems, so that computers cease working. Or, as in the case of Ukraine in 2015, so that a power grid ceases to work, and the lights go off. The attack on Sadara was of a completely different order: it was clearly intended to trigger an explosion at the petrochemical facility. The computer code maliciously inserted into Sadara’s systems had an error which prevented it from actually causing the explosion, though it seems the attackers did send the instructions to trigger it. Presumably, like most coding errors, this one could be easily fixed now that it is known. The New York Times called it “a dangerous escalation in international hacking,” and cited concern that “culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised.”
This is very bad news. Bad news for infrastructure, among others. It means that essentially any infrastructure system, in any country, can be attacked. All it takes is motivation, and a high level of technological sophistication. A high level which, unfortunately, is becoming accessible to more and more groups. Cyberdefenses, such as they are, are way behind. The threat of attack can come across borders, or potentially from disgruntled domestic groups. It unfortunately does not take a lot of imagination to see such attacks, say, spreading across the Middle East, or showing up in some future period of tension between India and Pakistan, or being adopted by narco-traffickers. It means catastrophic risks to critical infrastructure will rise, and will come from a new source, other than once-in-a-hundred-years storms.
Better check those insurance policies.