
Bulletin of the Atomic Scientists
http://bos.sagepub.com/

Eyes wide shut: The growing threat of cyber attacks on industrial control systems
Joel F. Brenner
Bulletin of the Atomic Scientists 2013 69: 15
DOI: 10.1177/0096340213501372
The online version of this article can be found at: http://bos.sagepub.com/content/69/5/15

Published by:
http://www.sagepublications.com

On behalf of:
Bulletin of the Atomic Scientists


Version of Record - Sep 2, 2013

Downloaded from bos.sagepub.com by David Vincenzetti on September 14, 2013



Feature

IT IS 5 MINUTES TO MIDNIGHT

Eyes wide shut: The growing threat of cyber attacks on industrial control systems
Joel F. Brenner

Bulletin of the Atomic Scientists 69(5) 15–20
© The Author(s) 2013
Reprints and permissions: sagepub.co.uk/journalsPermissions.nav
DOI: 10.1177/0096340213501372
http://thebulletin.sagepub.com

Abstract
When industrial control systems are connected to the Internet, they can be vulnerable to cyber attacks. At risk are energy sources and electric grids, water and sewer systems, manufacturing, banks, transportation and communication networks, and other systems that may be targeted by hackers, terrorists, or enemy states seeking to wreak economic havoc. Despite a series of well-publicized cyber attacks in recent years, few companies have taken the steps necessary to isolate industrial control systems and sensitive information, and to limit the damage an attack can inflict. Security is not just a matter of dealing with technical issues, which are fairly straightforward and tactical. The strategic issue is governance: coordinating the efforts of various departments to ensure that information technology works together with physical security, legal counsel, human resources, and operations management.

Keywords
cyber attack, cyber security, denial of service, industrial control systems, Maroochy Shire, RasGas, Saudi Aramco, Stuxnet

Thirteen years ago, a disgruntled sewer system operator in Maroochy Shire, Australia, filled his car with a laptop and radio equipment apparently stolen from his employer and drove around giving radio commands to the pumps and valves that controlled the local sewers. Pumping stations went haywire. Raw sewage poured into local waterways. Creek water turned black, fish died, and the stench was appalling (Brenner, 2011). This was an early warning of the danger inherent in connecting industrial control systems to the Internet, but Maroochy Shire was far away, and very few people were paying attention.

Nasty things that start on the other side of the world have a way of ending up on one's own doorstep, however, and the vulnerability to electronic mayhem of control systems that run railway switches, air traffic control systems, manufacturing, financial systems, and electric grids is now an endemic condition. In Brazil, a cyber attack in 2007 plunged more than three million people into total darkness and knocked the world's largest iron ore producer offline, costing that one company alone about $7 million (CBS News, 2009).1

The world's superpower is not invincible either. Today the North American electric grid is being attacked ferociously and often, sometimes by intruders so skillful that government help is needed to fend them off. Municipal water and sewer systems are also vulnerable. Even the US military recently warned that it can't guarantee its own operations under a sophisticated cyber attack, and that US allies are in the same position.2 And as Edward Snowden has demonstrated, a lone subcontractor can gain access to highly classified intelligence, which in turn could confirm that the United States has penetrated networks in other countries.

Although military and intelligence vulnerabilities are of obvious concern, frequent and intense cyber attacks are aimed at businesses. Attacks can originate with foreign rivals seeking proprietary information, hackers exacting revenge or looking for lucrative loopholes, or even terrorists hoping to wreak economic havoc. Few companies are willing to isolate industrial control systems from the Internet. Securing information is not just a matter of technical know-how, but also of coordinating the efforts of various departments to ensure that information technology works hand in hand with physical security, legal counsel, and human resources.

Connecting everything
The roots of the Internet go back to the 1960s. It was created to enable collaboration among a small, trusted group of scientists in government and at a few geographically dispersed universities. But as its inventors ruefully admit, they built it with no security layer. They saw no need for it. In fact, until 1992, it was against the law in the United States to use the Internet for commercial purposes, and almost no one outside the United States was using it at all. When the US Congress removed that prohibition, it unleashed a productivity surge and a behavioral revolution that brought wealth and pleasure to hundreds of millions of people. Unnoticed by almost everyone, however, it also created extraordinary vulnerabilities.

The United States, and the rest of the world after it, took this porous communications network and turned it into the backbone of national and international financial institutions, personal finance, controls on critical infrastructure, virtually all communications including military command and control, and much else besides. Everything companies do runs on the Internet or is exposed to it. Governments run on it. Air traffic control and rail switches run on it. The heating and ventilation in workplaces run on it. Yet because the Internet was engineered with no security layer, it's basically a masquerade ball. It is impossible to be certain of the identity of individuals communicating via the Internet, and it is beyond the capability of most people to discern whether a message that looks like mere content is in fact an executable instruction to perform malicious operations. The distinction between content and action has dissolved: Electrons do things, they don't merely represent information.

Most industrial control systems still in use today have a life span of 10 to 20 years, sometimes longer, and were designed at least a generation ago, before ubiquitous connectivity became a fact of life. They were not networked and they were meant to be physically isolated, so these systems had no built-in electronic security features. The efficiencies gained by connecting devices to the Internet became quickly apparent, however. Once networked, they could be managed from afar, and dispersed systems could be managed together. They could also be penetrated.

Since about the year 2000, the public has become painfully aware that personal information, company secrets, and even government secrets can be stolen electronically with ease. An intruder who can penetrate an electronic system to steal information from it can also corrupt the information on that system, make it go haywire, or shut it down entirely. That's what happened in Maroochy Shire. It also happened in Venezuela during the winter of 2002 to 2003, when strikers targeted systems that controlled the loading of tankers, disrupting harbor operations (Siemens Totally Integrated Automation, 2010). As this attack demonstrated, information security and operational security have converged, and both have become radically more fragile as a result.

Wake-up calls
Cyber network attackers know how to physically destroy equipment with nothing more than a keyboard and mouse. In 2007, in an experiment run by the Idaho National Laboratory, researchers blew up a diesel-electric generator by taking over its controls remotely, opening and closing breakers, and inducing rapid changes in the electricity cycles that powered the machine. Such attacks would be difficult to carry out, but they can be done. With an insider's help, they may not be difficult at all. The Idaho experiment was a wake-up call for owners and operators on the electric grid, but many of them hit the snooze button and went back to sleep. Large parts of the grid remain vulnerable to this kind of attack today because some managers just don't want to hear the message (Brenner, 2011).

The alarm bells got much louder in 2010 in an operation known as Stuxnet, named after malware that was surreptitiously inserted into the Siemens control systems running the centrifuges in Iran's uranium enrichment program. About 1,000 centrifuges spun out of control and were physically destroyed. Stuxnet was an extraordinarily sophisticated, multi-step attack that employed at least four separate, previously unknown vulnerabilities in Microsoft operating systems. It is widely believed to be the work of the US and Israeli intelligence services. But while inventing Stuxnet required exceptional skill and resources, copying it does not. Its methods have now been laid out cookbook-style for the edification of aspiring but less gifted operators the world over.

Another alarm bell rang in August 2012, when attackers invaded 30,000 computers at the Saudi Arabian oil company Saudi Aramco. Most US officials and well-placed but anonymous private sources in the Middle East attribute these attacks to front organizations operating under the control or direction of the Iranian government. The information on the computers was wiped clean, and the machines themselves turned into junk. The attack failed to disrupt oil production but was highly destructive. Attackers launched a similar but less well publicized attack against RasGas, a company in Qatar that produces liquefied natural gas, during the same month (Reed, 2013; Reuters, 2012; Walker, 2012).

The message is no longer deniable: Owners and operators of industrial control systems anywhere in the world must now realize they are vulnerable and face real threats. Attacks against such systems are not science fiction. They will continue to occur, probably with increasing frequency, and they can be undertaken by politically motivated vandals as well as terrorist groups and national states.

Since September 2012, US banks have been under intense distributed denial-of-service attacks that have disrupted services and have cost tens of millions of dollars to fend off. Anonymous forensic experts in the US government and private sector attribute these attacks to Iran. Denial-of-service attacks are nothing new, but they are now occurring with ferocious intensity, and the banks have not been oblivious to the destruction wreaked on Saudi Aramco and RasGas. If one or more major banks could be taken down, the consequences for the world financial system could be disastrous. Bank security officers have so far stayed ahead of the game, but they are nervous. So are the smarter security officers at major electricity-generating operations, who realize they are no match for attackers sponsored by a nation-state with first-rate capabilities.

Fortunately neither Russia nor China has any interest in launching such an attack, because the aftershocks from economic disaster in the United States could bring them to their knees. Nor do sophisticated state-sponsored criminals want to destroy an economic system they exploit. It is cold comfort, however, when a nation abandons its defense to the goodwill of adversary states and international criminals. And as the attacks on Saudi Aramco, RasGas, and US banks have shown (not to mention Al Qaeda's attacks on New York and London), some of America's adversaries would be happy to see its economy in a shambles. Iran, with its economy crippled by United Nations and Western sanctions, would probably return the favor if it could. Cyber attack capabilities are a matter of expertise rather than capital, and expertise, like water, finds its own level over time. When an attacker gets help from an insider, the time can be quite short.

Getting it right
The goals for any business today are to make itself harder to attack and to limit the damage an attack can inflict. Wherever possible, control systems should be isolated from the Internet. That accomplishes both goals at one stroke. If business executives can't or won't isolate control systems, they must think deeply about strategic defense and resilience.

Undoubtedly, some of the challenges involve money and technology. To control risk, managers must know who is on their system, what hardware and software are running on the system, and what traffic is going through the system. It's startling to see how many companies can't do any of these things, and how few can do them all.

The prevailing view is that information security is a purely technical problem that the business people should not have to think about. This is a profound error, as if systems can operate securely without reference to how, when, and where they will be used, and by whom; as if information can be secure without regard to rules of access or operations. Breaches are nearly always enabled by multiple factors, and organizational failure and human carelessness are two of the most common.

With many companies, the technical issues are fairly straightforward, and they are utterly tactical.3 The strategic issue is almost invariably governance. Cyber security involves legal issues, human resources practices and policies, operational configurations, and technical expertise. But none of the people overseeing these areas (the general counsel, the human resources director, the chief operating officer, or the information technology director) owns the problem. This makes cyber security a risk management and governance challenge that must be dealt with at the C-suite level, because unless these people attack the problem together, it cannot be managed effectively. Unfortunately, this rarely happens. Network governance is especially difficult for multinational corporations, which must operate under different legal regimes and must often cope with serious intramural rivalries.

In many cases, integration is a challenge even within the corporate security apparatus. Operational and physical security (guns, gates, and guards) are traditionally run by the corporate cops. Information security is traditionally run by the geeks in the wire closet. These two groups do not speak the same language, have different social and educational backgrounds, and do not usually get along. But bifurcating security is no longer intelligent. Doors, alarms, and other physical security measures are largely run out of that wire closet now. And when the CEO visits a dangerous place, his or her calendar is probably on Outlook, where it is exposed to potential kidnappers. Unless security is integrated throughout an organization, it's hard to get it right.

In 99 cases out of 100, when the CEO reads an article like this and asks his chief information officer about it, the CIO says, "Don't worry, boss. We've got this covered." Verizon's most recent annual data breach investigations report, however, says that 69 percent of breaches in 2012 were discovered by third parties (Verizon, 2013). My advice to the boss: You may want to figure this out yourself.

Funding
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

Notes
1. The Brazilian government and the utility blamed the blackout on maintenance that failed to remove sooty deposits from insulators. In May 2009, however, President Barack Obama said in a speech: "In other countries cyberattacks have plunged entire cities into darkness" (White House, 2009). Presidents don't make that kind of statement without validated intelligence. Richard Clarke, former special adviser to President George W. Bush on cybersecurity, referred to Brazil by name in an interview with Wired magazine later that year.
2. "The United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities . . . [T]his is also true for others (e.g. Allies, rivals, and public/private networks)" (US Department of Defense, 2013: 9).
3. This is based on the author's experience and the companies that he works with directly.

References
Brenner J (2011) America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. New York: Penguin.

CBS News (2009) Cyber war: Sabotaging the system. 60 Minutes, November 8. Available at: www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml.

Reed J (2013) Were last year's cyberattacks on Saudi Aramco worse than reported? January 16. Available at: http://killerapps.foreignpolicy.com/posts/2013/01/16/were_last_years_cyber_attacks_on_saudi_aramco_worse_than_reported.

Reuters (2012) Aramco says cyberattack was aimed at production. December 9. Available at: www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html.

Siemens Totally Integrated Automation (2010) Building a cyber secure plant. September 30. Available at: www.totallyintegratedautomation.com/building-a-cyber-secure-plant/.

US Department of Defense (2013) Resilient Military Systems and the Advanced Cyber Threat. Task Force Report for the Defense Science Board, January. Available at: www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf.

Verizon (2013) 2013 Data Breach Investigations Report. Study conducted by the Verizon RISK Team. Available at: www.verizonenterprise.com/DBIR/2013/.

Walker D (2012) Natural gas giant RasGas targeted in cyber attack. SC Magazine, August 31. Available at: www.scmagazine.com/natural-gas-giant-rasgas-targeted-in-cyber-attack/article/257050/.

White House (2009) Remarks by the President on securing our nation's cyber infrastructure. May 29. Available at: www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure.

Author biography
Joel F. Brenner was the inspector general and senior counsel of the National Security Agency from 2002 to 2006 and 2009 to 2010, respectively, and the head of US counterintelligence strategy and policy from 2006 to 2009. He is the author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (Penguin, 2011). He practices law and consults on security issues through Joel Brenner LLC.
