There has of course been much written about the cyber attack on Sony, but I have seen nothing about its implications for control systems, especially in critical infrastructure like electric power. This may seem an odd complaint, since it’s not likely Sony had any control systems, and in any case they wouldn’t be part of what most of us call critical infrastructure.
Yet I do think this attack should be profoundly disturbing for all owners or operators of critical infrastructure. To understand why this is the case, think of why it has been hard to get many people to believe there could really be a large-scale attack on CI. In my opinion, a great many decision makers in critical industries simply fail to see a plausible scenario for such an attack. We can all understand why Target was breached, and why banks and other financial institutions are under constant attack: there is much money to be made from stealing credit card and other financial account information, as well as personal information like Social Security numbers.
However, the motive for an attack on critical infrastructure would have to be primarily a desire to cause destruction and chaos. Now, there are certainly groups like ISIS and al Qaeda that would presumably love to do that; but our power grid is already fairly well protected, and it isn’t likely any of these groups have the capability to launch the kind of large-scale, long-term effort required to make such an attack successful.
The entities that do have that capability are nation-states like Russia and China. But they clearly don’t have the motivation. Russia and China know that US retaliation for a large-scale infrastructure cyber attack would be devastating (and not necessarily limited to cyber weapons). And China, being the largest holder of US government debt, can hardly be expected to initiate an attack that might seriously impair the value of their investment.
Yet the attacker in the Sony case was most likely a nation-state, North Korea; it seems they have a formidable cyber attack force in operation – on the order of thousands of cyber warriors. And what was their motivation for attacking Sony? Simply to cause as much damage as possible, in a fit of pique over an upcoming movie. What’s to keep them from attacking the US power grid the next time they’re unhappy with us? Or for that matter, what’s to keep Iran from launching an attack if the nuclear talks fail and we impose more sanctions – especially if they come to feel they have nothing more to lose?
So for the first time we’ve seen a successful cyber attack, by a nation-state with deep cyber warfare capabilities, for the sole purpose of creating havoc. And since we know – from Stuxnet and the successful 2008 cyber attack on an oil pipeline in Turkey – that critical infrastructure can be destroyed through purely cyber means, we now have all the prerequisites in place for a devastating cyber attack on North American critical infrastructure.
And folks, that’s why getting NERC CIP right is so important.
P.S. In case you need to be reminded (as I did) of the potentially devastating consequences of an attack on the North American power grid, I refer you to this excellent commentary piece in the current issue of Power magazine.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
I agree that ISIS and other such terrorist organizations aren't really in the position to attack critical infrastructure, but those organizations that have funds are still concerning. There are many groups that outsource their skills to those willing to pay them. The combination of terror groups (with funds) and mercenary-like hackers is concerning and not too far-fetched.
Either way we must remain vigilant