Infrastructure and Viruses — Part I

March 2020

This is the first of two Infrastructure Ideas columns about the effect of viruses on infrastructure. Today we cover an “old” virus (which would still have been seen as a kind of “new” virus until a month ago when COVID-19 came along): the cyber kind. The headline for this “old” virus? Same as the headline for the “new” virus. Watch out! Risks are growing, and systems risk getting overloaded – especially in lower-income countries. Our next column will turn to COVID-19 and some of its potential impacts.

Not so long ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Shut down shipping firms, oil refineries, and factories? Paralyzed airports and hospitals? Today, these scenarios are no longer hypotheticals: Every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality.

The above excerpt comes from the 2019 “Wired Guide to Cyberwar,” written by Andy Greenberg, arguably the top authority among figures publicly writing on infrastructure cyber-risks. The story he tells begins with the attacks which first woke the infrastructure world to cyber-risks, the Fall 2015 disruptions of Ukraine’s national railway and Kiev airport which accompanied Russia’s annexation of Crimea, followed by the attacks on three Ukrainian regional energy utilities. This heralded a still-ongoing chain of cyberattacks. In 2016 the Ukrainian railway company lost its online booking system for days, and a power transmission station in Kiev was hit. This February, the US State Department issued a statement placing the blame for a series of October 2019 cyberattacks which disrupted television and internet services in Georgia on Russian military intelligence (Wired: the US Blames Russia’s GRU for Sweeping Cyberattacks in Georgia). The GRU center for Special Technology was also indicated as linked to the now-notorious “Sandworm” hacker group, responsible for the NotPetya worm which infected many infrastructure providers (most famously Maersk), as well as the malware which attacked the 2018 Winter Olympics.

For many infrastructure companies, these “Russian neighborhood” attacks have been discomforting while still seeming somehow fairly remote. But as several recent incidents have shown, cyber-risks for infrastructure companies across the world are becoming much less remote, and far more concerning. Three incidents in particular draw a worrisome picture:

1. In October 2019, reports indicated that malware had been found in a nuclear plant in India, the Tamil Nadu Kudankulam plant. This plant was not an old plant with outdated systems (as many nuclear plants around the world are today), but India’s newest and most sophisticated nuclear plant. This incident was worrisome not only because it indicated the potential vulnerability of a nuclear plant, but because the malware seems to have originated from a group of hackers who previously (a) had shown no interest in infrastructure, and (b) had shown little concern about the damage they might create. This group, known as the “Lazarus Group,” is widely assumed to be controlled by North Korea. Among other things, it attacked Sony Pictures several years ago, stole some $80 million from Bangladesh’s Central Bank, and mounted the 2017 WannaCry ransomware attack. That such a group was apparently able to infiltrate not just any infrastructure facility, but a nuclear plant, is a major concern along many lines. The potential for either (1) the group itself seeking to extract large-scale “protection money” from targeted infrastructure facilities around the world, or (2) North Korea selling this ability to state or non-state actors in conflict zones, should be of major concern to infrastructure companies, and to governments.


The Kundankulam Nuclear Plant

2. In October 2018, the Onslow Water and Sewer Authority became the second North Carolina utility hit by a cyberattack within a year. The utility chose not to pay the ransom, and had to rebuild its entire information technology system. These two attacks in one US state demonstrated that as water infrastructure around the world modernizes, and becomes more connected in several ways to the internet, it has become more of a potential target for hackers. The New York Times reported that Syrian-linked hackers managed in 2016 to alter the amount of chemicals that went into a US water supply system, although no one was harmed. As the Times noted, damaging societies by attacking water supplies has a long history, but only now can it be done simply with keystrokes.

3. Last month, reports surfaced about a newly discovered piece of computer code named “EKANS.” This code appears to be targeted specifically at industrial control systems – something rarely seen before (only in the Stuxnet attack on Iranian nuclear centrifuges, and in the attack on the Ukrainian electric sector). Industrial control systems, well, control industries. Such systems operate both hardware and software in pretty much everything, including energy and infrastructure. EKANS seems to operate like other ransomware, freezing systems and access and locking out administrators. Cybersecurity firms are particularly concerned that this malware seems not to originate from nation-state hackers, but from criminal networks. As one researcher commented, “it implies an increasing willingness and ability of non-state actors to significantly impact or impair critical infrastructure entities.” Earlier attacks sponsored by states had already caused new concerns for infrastructure companies operating in countries located in geographies with conflict – Georgia and Ukraine are already examples, and it doesn’t take much imagination to be concerned about any infrastructure in the Middle East. Now, if non-state actors can impact critical infrastructure systems, then infrastructure in any geography is at risk.

What to do? There are no sure-fire fixes. Hackers and cyber-security firms are in the classic arms race, with security firms striving to fix each newly demonstrated vulnerability, and ideally to minimize them before they are used, while hackers keep looking for new opportunities. Security, though, is a clear must. One of the surest ways for an infrastructure company to suffer the costs of a major cyberattack is to be completely unprepared. What the above should illustrate is the value of having a good security partner, to keep the risk as low as possible. Overdoing security can also have its costs – a number of infrastructure companies are reporting problems with the high volume of critical staff working from home during the current COVID-19 pandemic, as defenses aimed at keeping hackers out of critical systems can make it difficult for large numbers of legitimate staff to do their work remotely. Where it can be done, build redundancy and back-up in case main systems become inoperative. And as the case of Maersk showed, even having one back-up computer which is not linked to the internet can come in very handy.

Infrastructure Ideas comments frequently on the impact of technology on infrastructure. As many columns have described, technology has made many infrastructure services cheaper and more accessible than ever before, and enabled unprecedentedly rapid progress in many areas. Yet as cyber vulnerability indicates, technology itself is neither good nor bad. What is for sure is that the impact of technology change is enormous.

Next Up: The Coronavirus and Infrastructure – Five Predictions
