During a particularly harsh winter, a group of hacktivists spreads panic by bringing down the US power grid. Millions of homes and businesses are plunged into darkness, communications are cut, banks go offline, hospitals close and air traffic is grounded.
Such a scenario sounds apocalyptic, but it is a realistic threat, according to Idan Udi Edry, Chief Executive Officer at Nation-E, a provider of cyber security solutions that allow customers to connect their infrastructure to the internet and to connect and control critical assets remotely and safely.
Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors.
As the US power grid scenario highlights, the failure of one critical infrastructure could result in a devastating chain reaction, says Edry.
Unsurprisingly, the vulnerability of critical infrastructure to cyber-attacks and technical failures has become a big concern. And fears have been given credence by recent events.
In December 2015, the world witnessed the first known power outage caused by a malicious cyber-attack. Three utility companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours.
According to cyber security firm Trend Micro, the malware targeted the utility firms’ SCADA (supervisory control and data acquisition) systems and probably began with a phishing attack.
The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus.
The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable.
In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Oil rigs, ships, satellites, airliners, airport and port systems are all thought to be vulnerable, and media reports suggest that breaches have occurred.
Cyber-attacks against critical infrastructure and key manufacturing industries have increased, according to US cyber-security officials at the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the US government body that helps companies investigate attacks against ICS and corporate networks.
It reported a 20% increase in cyber investigations in 2015, and a doubling of attacks against US critical manufacturing.
Over the years, a wide range of sectors have become more reliant on industrial control systems – such as SCADA, Programmable Logic Controllers (PLCs) and Distributed Control Systems – for monitoring processes and controlling physical devices, such as pumps, valves, motors and sensors.
The most high-profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus. The worm, which targeted PLCs, disrupted the Iranian nuclear program by damaging centrifuges used to separate nuclear material.
The incident caused concern because Stuxnet could be adapted to attack the SCADA systems used by many critical infrastructure and manufacturing industries in Europe and the US.
In one of the only public examples of a SCADA attack, a German steel mill suffered major damage after a cyber-attack forced the shutdown of a furnace, the German Federal Office for Information Security reported in 2014. The attackers used social engineering techniques to gain control of the blast furnace systems.
Research estimates the economic and insurance impact of a severe, yet plausible cyber-attack against the US power grid to total in excess of $240bn, possibly even rising to more than $1trn.
According to a report from Lloyd’s and the University of Cambridge’s Centre for Risk Studies, Business Blackout: