Cyber attacks on critical infrastructure

Critical infrastructure systems like those driving power generation, water treatment, electricity production and other platforms are interconnected to form the energy “grid”. Although beneficial to the public this grid is vulnerable to cyber-attack by "hacktivists" or terrorists.
  • Power generation and distribution is more complex and connected than ever before
  • Vulnerability of critical infrastructure and technical failures is a real concern among security specialists and insurers
  • Main targets of hacktivists are energy, transportation, public services, telecommunications and critical manufacturing sectors
  • Loss prevention is key to incenting insurers to offer higher limits to encourage customers to buy cyber protection insurance

During a particularly harsh winter, a group of hacktivists spreads panic by bringing down the US power grid. Millions of homes and businesses are plunged into darkness, communications are cut, banks go offline, hospitals close and air traffic is grounded.

Such a scenario sounds apocalyptic, but it is a realistic threat, according to Idan Udi Edry, Chief Executive Officer at Nation-E, a provider of cyber security solutions that safely allow customers to connect their infrastructure to the internet, thereby enabling them to connect and control critical assets remotely and safely.

Critical infrastructure, like power generation and distribution, is becoming more complex and reliant on networks of connected devices. Just decades ago, power grids and other critical infrastructure operated in isolation. Now they are far more interconnected, both in terms of geography and across sectors.

As the US power grid scenario highlights, the failure of one critical infrastructure could result in a devastating chain reaction, says Edry.

Unsurprisingly, the vulnerability of critical infrastructure to cyber-attacks and technical failures has become a big concern. And fears have been given credence by recent events.

In December 2015, the world witnessed the first known power outage caused by a malicious cyber-attack. Three utilities companies in Ukraine were hit by BlackEnergy malware, leaving hundreds of thousands of homes without electricity for six hours.

According to cyber security firm Trend Micro, the malware targeted the utility firms’ SCADA (supervisory control and data acquisition) systems and probably began with a phishing attack.

The blackout was followed two months later by the news that the Israel National Electricity Authority had suffered a major cyber-attack, although damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of a virus.

The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications and critical manufacturing industries are also vulnerable.

In 2013, Iranian hackers breached the Bowman Avenue Dam in New York and gained control of the floodgates. Oil rigs, ships, satellites, airliners, airport and port systems are all thought to be vulnerable, and media reports suggest that breaches have occurred.

Cyber-attacks against critical infrastructure and key manufacturing industries have increased, according to US cyber-security officials at Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the US government body that helps companies investigate attacks against ICS and corporate networks.

It reported a 20% increase in cyber investigations in 2015, and a doubling of attacks against US critical manufacturing.

Over the years, a wide range of sectors have become more reliant on industrial control systems – such as SCADA, Programmable Logic Controllers (PLC) and Distributed Control Systems - for monitoring processes and controlling physical devices, such as pumps, valves, motors, sensors etc.

The most high profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus. The worm, which targeted PLCs, disrupted the Iranian nuclear program by damaging centrifuges used to separate nuclear material.

The incident caused concern because Stuxnet could be adapted to attack the SCADA systems used by many critical infrastructure and manufacturing industries in Europe and the US.

In one of the only public examples of a SCADA attack, a German steel mill suffered major damage after a cyber-attack forced the shutdown of a furnace, the German Federal Office for Information Security reported in 2014. The attackers used social engineering techniques to gain control of the blast furnace systems.

Cyber-attacks against critical infrastructure and manufacturing are more likely to target industrial control systems than steal data, according to the Organization of American States and Trend Micro.

Their research found that 54% of the 500 US critical infrastructure suppliers surveyed had reported attempts to control systems, while 40% had experienced attempts to shut down systems. Over half said that they had noticed an increase in attacks, while three-quarters believed that those attacks were becoming more sophisticated.

According to Edry, hackers are becoming much more interested in operational technology, the physical connected devices that support industrial processes. “The vulnerability and lack of knowledge of operational technology is the most dangerous thing today,” he says.

As an example, he cites a cyber-attack against a New York City office block in which a hacker accessed the building management systems – which can control power, communications, security and environmental systems - via a connected vending machine. The building shutdown resulted in estimated damage of $350m from lost business, he says.
However, the security of industrial control systems and connected devices has fallen behind that of IT systems. Many of the connected devices used by industry are based on serial communication technology – which Edry likens to the beeps and squeals associated with the old-style internet dial-up.

Edry believes that operational technology is a vulnerable and poorly protected element of cyber security. While IT infrastructure has given rise to an army of cyber security consultants, products and services, industrial control systems by comparison are not well served, he says.

The problem is not about to go away. In fact, cyber-attacks against physical operating technology look set to increase with the growing use of connected devices.

For example, the convergence of the digital and physical worlds is set to accelerate with the “Internet of Things” (“IoT”), which will see more and more everyday devices embedded with electronics that collect information and connect to a network.

Consumer devices are increasingly becoming connected – such as wearable technology, smart devices, domestic appliances and children’s toys. So, too, are our homes and cars.

According to Edry, growing digitalization and the “IoT” could create a perfect cyber security storm.

He notes that, where a company would once have control over its systems, physical networks and servers, the trend has been to run devices, software and data through virtual networks, such as cloud computing. “Even the network is now off the network,” he says.
Confidence in data and systems security is key if society is to benefit from the potential efficiencies that the “IoT” can bring. And public confidence is just as important for the SCADA systems that keep aircraft in the air as it is for the IT platforms that underpin mobile banking.

For example, in the past year a number of airlines have suffered from technical issues and cyber-attacks that erode consumer confidence.

Polish national airline LOT grounded planes in June 2015 after its flight plan system was disabled by hackers in a Distributed Denial of Service (DDoS) attack. Weeks later in July, United Airlines grounded its fleet after suffering a technical fault.

“The digital age is here. We can’t prevent it. It is becoming part of us. But we see news headlines of breach after breach. We are losing our confidence in the digital age,” says Edry.

He believes that more needs to be done to deter cyber criminals, and to protect operational technology.

The cost of creating a successful attack is small for cyber criminals, which is why there are now so many attacks, explains Edry.

“We have seen that as the cost of launching a successful attack has gone down, the number of attacks has risen. So we need to develop technology to increase the cost of successful attacks,” says Edry.

“We can’t stop 100% of attacks, but we can create technology to increase the cost so that the hacker says: ‘I don’t want to deal with this organization as it will cost me a lot of time and computer resource,” he says.

“If we can prevent the damage, it will incentivize insurers to offer higher limits and give customers more incentive to buy.”
Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in industrial and manufacturing sectors. An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption, says Nigel Pearson, Global Head of Fidelity, AGCS. “A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue,” he explains.

In addition, ICS are also vulnerable to both technical failure and operator error as well, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports, adds Georgi Pachov, Global Practice Group Leader Cyber, CUO Property AGCS.

While ICS are a particular issue for the energy sector, similar cyber-related physical damage and business interruption risks exist in other industries. For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day. And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Research estimates the economic and insurance impact of a severe, yet plausible cyber-attack against the US power-grid to total in excess of $240bn, possibly even rising to more than a $1trn.

According to a report from Lloyd’s and the University of Cambridge’s Centre for Risk Studies, Business Blackout:

  • Attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern US including New York City and Washington DC
  • This triggers a wider blackout which leaves 93 million people without power
  • Insurance claims arise in over 30 lines of insurance. Total insured losses are estimated in excess of $20bn, rising to $70bn+ in the most extreme version of the scenario. The $1trn business blackout
Read this article in Global Risk Dialogue. Appearing twice a year, Global Risk Dialogue is the Allianz Global Corporate & Specialty magazine with news and expert insights from the world of corporate risk.
Sign up to e-update
Allianz operates as an international insurer on almost every continent. Find Allianz in your own country/region.
With the Allianz network AGCS provides services in over 200 countries and territories.