What Scares Me about the Sony Hack

There has of course been much written about the cyber attack on Sony, but I have seen nothing about its implications for control systems, especially in critical infrastructure like electric power.  This may seem an odd complaint, since it’s not likely Sony had any control systems, and in any case they wouldn’t be part of what most of us call critical infrastructure.

Yet I do think this attack should be profoundly disturbing for all owners or operators of critical infrastructure.  To understand why this is the case, think of why it has been hard to get many people to believe there could really be a large-scale attack on CI.  In my opinion, a great many decision makers in critical industries simply fail to see a plausible scenario for such an attack.  We can all understand why Target was breached, and why banks and other financial institutions are under constant attack: there is much money to be made from stealing credit card and other financial account information, as well as personal information like Social Security numbers.

However, the motive for an attack on critical infrastructure would have to be primarily a desire to cause destruction and chaos.  Now, there are certainly groups like ISIS and al Qaeda that would presumably love to do that; but our power grid is already fairly well protected, and it isn’t likely any of these groups have the capability to launch the kind of large-scale, long-term effort required to make such an attack successful.

The entities that do have that capability are nation-states like Russia and China.  But they clearly don’t have the motivation.  Russia and China know that US retaliation for a large-scale infrastructure cyber attack would be devastating (and not necessarily limited to cyber weapons).  And China, being the largest holder of US government debt, can hardly be expected to initiate an attack that might seriously impair the value of their investment.

Yet the attacker in the Sony case was most likely a nation-state, North Korea; it seems they have a formidable cyber attack force in operation – on the order of thousands of cyber warriors.  And what was their motivation for attacking Sony?  Simply to cause as much damage as possible, in a fit of pique over an upcoming movie.  What’s to keep them from attacking the US power grid the next time they’re unhappy with us?  Or for that matter, what’s to keep Iran from launching an attack if the nuclear talks fail and we impose more sanctions – especially if they come to feel they have nothing more to lose?

So for the first time we’ve seen a successful cyber attack, by a nation-state with deep cyber warfare capabilities, for the sole purpose of creating havoc.  And since we know – from Stuxnet and the successful 2008 cyber attack on an oil pipeline in Turkey – that critical infrastructure can be destroyed through purely cyber means, we now have all the prerequisites in place for a devastating cyber attack on North American critical infrastructure.

And folks, that’s why getting NERC CIP right is so important.

P.S. In case you need to be reminded (as I did) of the potentially devastating consequences of an attack on the North American power grid, I refer you to this excellent commentary piece in the current issue of Power magazine.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.