The New York Times reported earlier this month that the United States was increasing its cyber attacks on Russia’s power grid. The attacks are seen as a warning against Russian intrusions into US systems, but one that carries a risk of escalation.
The public reporting of previously covert cyber attacks earned a retort from US President Donald Trump, who accused the New York Times journalists of a “virtual act of treason”.
But the story has been useful in generating discussion about the reasons for – and potential consequences of – such actions. It also raises the question of how vulnerable Australia’s power grid is.
So let’s take a look at who is capable of carrying out these kinds of attacks, how they work, and whether Australia is doing enough to protect itself.
À lire aussi :
What’s critical about critical infrastructure?
Are these attacks limited to the US and Russia?
Recent events may be newly reported, but the events themselves aren’t that new. Russian cyber attacks on US infrastructure may have been going on for years. According to the New York Times report, the US may have been undertaking similar intrusions in Russia since 2012.
While the story is limited to discussing cyber conflict between the US and Russia, there are many nation states with the ability to carry out such attacks.
To make things more complex, non-government actors can also launch cyber attacks. That includes individuals, organised crime groups, and proxies for nation states.
Why are we learning about this now?
When we talk about cyber security, and how to defend against threats from nation states, we’re usually talking about protecting confidential information. But when it comes to power grids, confidentiality isn’t particularly important. What is important is continuity of service, also called “availability”.
An adversary’s power availability would be a high-priority target during a conflict. Outside of conflict, the only logical rationale for a nation state to intrude on such systems would be to undertake reconnaissance and deploy malware that can remain dormant until needed.
In this regard, it doesn’t make sense that the US would intentionally leak its efforts, as appears to have been the case. It would prompt Russia to find the malware and, by disclosing intrusion techniques, it would “burn capabilities”.
Additionally, evidence of attacks could lead to an escalation of cyberwar between the US and Russia. Escalation is unlikely as long as responses to counter cyber attacks are undertaken in line with the principles of necessity and proportionality. But the uncertainty of attribution and consequences creates a potential for miscalculation in conducting cyber attacks.
The New York Times article was notable because it suggested the US president gave his commanders authorisation to undertake cyber attacks without his oversight. To avoid miscalculation, a balance is needed between a speedy response in cyber “active defence” and the kind of proper deliberation that will ensure the response is appropriate.
To date, there is no evidence that nation-state delivered attacks have resulted in power outages in the US or Russia. The apparent leak to the New York Times may not relate to a specific counterattack against the Russian power grid. Instead, it may be a form of diplomacy intended to signal US willingness and capability to counterattack.
À lire aussi :
Internet of Things: when objects threaten national security
How are such attacks possible?
Critical infrastructure is a term that refers to chemical production plants, power stations, oil platforms, and water pump stations. The technology that operates such infrastructure is called “operational technology” (OT). OT is a cyber-physical system that controls electricity generators and valves that mix chemicals in vats or transfer gas through pipelines.
To understand the threat, it helps to contrast OT with information technology (IT).
Confidentiality is a primary consideration for IT staff, who are focused on securing data from threats. They are well practised in patching vulnerable systems under their control. In an OT environment, availability is the primary driver, so keeping the plant working is considered more important than protecting against cyber threats.
Another difference between the IT and OT worlds is the lifetime of assets. OT system devices are built to last a long time before replacement. Using legacy OT technology that still works in itself is not a problem, as long as that technology is separated from other systems.
But the IT and OT worlds are converging to enable remote control and access to real-time plant operating data. Aside from the tension between priorities of confidentiality and availability, this convergence opens up OT vulnerabilities to attack.
When OT systems were developed decades ago, there was little thought of security, since most systems were only accessible on-site or through dedicated networks. With IT-OT convergence, keeping systems secure becomes a priority, but not at the expense of availability. Stopping a system, either for an update or due to a cyber attack, results in lost revenue and impact upon customers who could, for instance, lose power to their homes.
Have we seen successful attacks in the past?
Cyber attacks on Ukrainian power stations in 2015 and 2016 affected more than 200,000 customers, and provided lessons for the rest of us.
These events showed that an attack was more than just theoretical in the domain of energy systems. Engineers needed to physically visit each substation to return systems to operation.
As similar technology is used worldwide, the power grids of other nations are potentially vulnerable. Additionally, the malware used to command and control attacks is increasingly available for hire as cyber crime moves to a service-based model. And more sophisticated tools mean attackers require less skill to locate and attack internet connected devices.
How vulnerable is Australia’s power grid?
In 2016, Australia’s Chief Scientist Alan Finkel released a review into the future security of the national electricity market. Following advice that the cyber threat to the national energy market was increasing, Finkel recommended stronger security measures be put in place.
By 2017, some action had been initiated to mitigate threats in the energy sector. Subsequently the Security of Critical Infrastructure Act 2018 was passed. The Act contains elements to help the government better appreciate the risk and to make certain directions to service providers to increase security.
The government is reportedly considering a proposal to enable the Australian Signals Directorate (ASD) to access the networks of companies operating critical infrastructure to defend them against cyber attacks.
In 2018, the Australian Energy Market Operator (AEMO) released the first annual report into the cyber preparedness of the market, identifying that current provisions are inadequate. AEMO has established a framework for operators to assess their security maturity, and strengthen measures.
For many critical infrastructure systems, OT is a sunk investment that would be expensive to replace. Implementing substantial security improvements to upgrade the legacy energy environment will also be expensive, and it’s likely that costs will be passed onto customers. But there are cost-effective ways of improving security, including threat/vulnerability system monitoring. Some companies in Australia are doing this.
Cyber warfare is a reality. We should expect that cyber criminals and nation states adversaries could have some impact our lives in future by attacking critical infrastructure, such as the electricity grid.
Securing our infrastructure is a priority for the government and increasingly recognised as such by the market participants. The cost and need for security mitigations may seem unpalatable to many, but steps need to be taken to prevent a return to the dark ages.
Andrew Dowse is an adviser to Sapien Cyber.
Mike Johnstone is a theme leader (network forensics and response to emerging threats) in the Cyber Security Co-operative Research Centre. He also provides consultancy services to Sapien Cyber.