Cybersecurity has long been a concern in military settings. This is hardly surprising: the destructive power of provoking failures in an enemy's infrastructure has already been demonstrated by cyber attacks, the best-known examples being Stuxnet in Iran and the attack on the electricity distribution network in Ukraine in January 2016, so military forces consider strategic targets all those susceptible to cyberattack.
Anyone who has watched “American Blackout” can appreciate the destructive capacity of an event that deprives a large geographic area, such as a country, of its electricity grid. The problems are not limited to those caused by a power outage of a few minutes, which is what we are used to. An outage of several days can give rise in the short term to small incidents that worsen as time passes, until they end in shortages of vital goods such as water and food, looting, and disturbances arising from limited access to fundamental services.
The disorder caused by a great blackout has been portrayed in this documentary by National Geographic. Many of the situations shown are short and lacking in complexity; the reality would probably be much harder than the scenario drawn. Not surprisingly, the video begins with a quote from Dr. Richard Andres of the US National War College, who states: “A massive and well-coordinated cyberattack in the power grid could devastate the economy and cause great loss of human lives.”
As we can see, both the possibility and the consequences of a failure in the electrical networks are on the minds of the military and of film producers. Are we witnessing a renaissance of catastrophe movies? Will this end in a zombie apocalypse? It is advisable to remain calm, because on the side of the technology applied in the electrical networks there is also concern, and the main promoters of technological initiatives have taken up the matter, not because of the possibility of a cyber attack, but because of the succession of failures in some of the networks during the first decade of the century. Thus, the publication of documents (examples one, two and three) on the protection of electrical networks and the application of technologies that isolate failures are the answer to this alarm.
But despite the efforts that technology vendors and manufacturers can make, there are always those who seek to carry out cyber attacks. Richard A. Clarke, in his book “Cyber War”, gives a very precise and realistic description of the military objectives of cyber war, as well as of the capabilities of the various international groups related to states and nations and subsidized by them. The military objectives of cyber war are infrastructures, and the electricity grid is an obvious target.
Risk in cybersecurity is calculated through the product threat x vulnerability, and it seems clear that the threat to the electricity networks exists. What can we say about vulnerabilities? Do they exist? Are they serious? Unfortunately, the answer is yes in both cases. The control systems of electrical grids are based on industrial control systems whose security is understood as “availability”, at the cost of losing robustness in the means to control indiscriminate access. Many of them are very old, and changing or replacing them can mean opening service windows that cause disturbances as significant as those an intentional attack would cause. So we are not protected from the “bad guys” in this way, and protection is not an easy task.
But who are the bad guys? Who would want to attack the electricity distribution network of a country? At present there are geopolitical movements that struggle to gain power, relevance and social adhesion, and even to provoke or defeat a possible contender before any conventional contest begins. A successful cyberattack can be decisive for a victory, even before a war starts. The same can be said of social and religious movements, among others. Therefore, the list of possible enemies is long and the motivations various.
The good news is that the mitigating factors of risk rest on the ability to defend against the threat: the ability to identify vulnerable elements, protect them, detect possible attacks, respond to contain or repel attacks, and finally recover the level of service that existed prior to the attack. These are the capabilities captured in NIST’s cybersecurity framework for critical infrastructures, and they are the levers for achieving a low level of risk. Capability is placed in the denominator of the operation, so as we increase these capabilities we reduce the risk.
Even so, there are risks that are very difficult to mitigate. Tactics for introducing malware into a critical infrastructure have two fundamental components: the human factor, exploitable through social engineering techniques, and the weak access control in industrial control systems. To strengthen the human barrier, there are tools to raise awareness among the people involved in the life cycle of critical infrastructures and to train them through simulation games. To strengthen the access control barrier, there are compensatory measures capable of mitigating the risk, such as perimeter security elements for industrial control systems.
From my point of view, infrastructures such as electricity distribution networks are particularly vulnerable and are a clear target for cyberattacks. Risk mitigation capabilities are being developed thanks to the knowledge provided by vulnerability and threat intelligence, although there is still a long way to go before we can proclaim that “American Blackout” is just a fictional story.
Juan Carlos Pascual is a senior security consultant at Capgemini.