Our Critical National Infrastructure Is Possibly Not As Resilient As You Might Think

We have moved into the 21st Century, and our world embraces all the benefits that it brings, but could it all come crumbling down? What if we had a major failure of connectivity to the Internet? What would happen if parts of our energy network failed? What would happen if another country attacked critical national infrastructure? Could we cope?

Introduction

Yesterday was a strange day for me. In the morning I was giving a presentation on Brexit and Innovation in Glasgow, and then I was back in Edinburgh for my PhD’s Viva (which was a great success). But I perhaps got a glimpse of a future time where there was a major outage of the Internet. People arriving at the conference in the morning reported that their network connections to O2 were failing. Around the UK many interconnected services were failing too, including failures within card payments, and on public transport.

The data outage happened around 5:30am, and it was thought that it affected around 32 million people in the UK. Currently, O2 has over 25 million customers in the UK (26% of the market), and also supplies many other providers (including GiffGaff, Sky, and Tesco). There has since been finger-pointing as to the source of the problem, with some saying that it related to a fault with Ericsson’s equipment. In London, bus displays failed to show the schedule, as each of them has an O2 SIM to receive the real-time information. But travellers who didn’t use O2 still couldn’t receive information on their smartphones, as the buses themselves also send their location data over the O2 network.

We have moved to a world where we rely on our phone to pay for our parking or even to buy a coffee, and an outage like this shows that our network is not quite as resilient as it could be. Many of our interconnected services use the 3G network as a back-haul network, and a failure of this can cause other related services to fail. If our water or energy supply caused large-scale outages such as this, we would immediately call for investment to safeguard our supplies. But ‘always-on’ connectivity is now such a part of our world that a loss of connectivity could have serious consequences for our economy.

NIS

In August 2017, the Department of Digital, Culture, Media and Sport (DCMS) announced that organisations could face a fine of 4% of global turnover or £17 million for the failure of critical infrastructure, including within energy, water, transport, and health [consultation]. Overall it is part of the UK’s response to an EU directive on Network and Information Systems (NIS), and levies the same levels of fines as GDPR (which focuses on data protection).

This comes on the back of recent power-related outages at BA and Capita, which led to serious problems with their systems. A key focus is that organisations will be required to prove that they have a disaster recovery plan in place, and that they have plans to enact it in serious incidents.

No “if” … but “when”

It is not “if” … but “when” … cyber warfare will happen sometime, soon, and it is likely to form the first phase of warfare between two countries. When the NATO Treaty was signed, there was no such thing as a cyber attack, and many countries are now debating whether a cyber attack could constitute an act of war. Unfortunately, while cyber espionage is commonplace, the legal system of most countries has not crystallised the concept of cyber warfare. Cyber espionage causes no physical damage and does no physical harm, but cyber warfare could cost many lives. Many worry that a perceived cyber attack from a rogue group could be mistaken for a nation-state attack, and then trigger war between countries.

In traditional warfare, the first targets are often to disable the energy network, destroy the bridges and disable the communications networks. Over the past year, we have seen how this could play out, with probing attacks against the power network and Denial of Service attacks against network infrastructures.

One thing we learnt from the recent BA and Capita outages was that no electrical power leads to no IT. And so we must worry about the security of our power supplies, as they are probably the one thing that could bring a country to its knees.

Continual probing

Recently it was announced by the Wolf Creek facility in Kansas that at least 12 energy companies have been targeted with a cyber attack, including one nuclear power plant. While the attacks were mainly on the administrative operation of the plant, there is a worry that attackers could target the control systems involved.

In a well-designed power plant, the control systems are strongly segregated from the administration network. Another report identified that intruders had tried to crack a Wolf Creek employee’s password and that there were traces of booby-trapped emails for password harvesting.

A large-scale outage for a country could thus have devastating economic and social impacts. We often think that malware will only affect software systems, but Stuxnet changed all this, by showing that malware can do physical damage to equipment. With possible nation-state funded activities aimed at taking down the power network, the risks have never been higher, especially given the creation of sophisticated and targeted attacks.

Ukraine attack

A cyber attack on the power supply network happened on an electrical transmission station near the city of Kiev (Ukrenergo), in December 2016, and resulted in a black-out for around 20% of the Ukraine population. Luckily it only lasted for one hour, but many think that it was just a test — a dry run — for a more sustained attack.

This attack has now been traced to the Crash Override (or Industroyer) malware. A previous attack on the Ukrainian power infrastructure, in 2015, involved the manual switching off of power to substations, but the newly discovered malware learns the topology of the supply network — by communicating with control equipment within the substations — and shuts systems down automatically.

The company who analysed it (Dragos) think that it could bring down parts of the energy grid, but not the whole of it, and that the activation date of the malware sample was 17 December 2016. They also noted that the malware can be detected by looking for abnormal network traffic, such as a host looking up substation locations and probing for electrical circuit breakers.
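The detection approach described above (spotting a host that sweeps the control network rather than talking to its usual handful of devices) can be expressed as a small baseline-and-fan-out check over flow records. The following is an added example written for this page, not code from the post or from the Dragos report; the addresses, the baseline of known HMI-to-device pairs and the flow log are all constructed, and the set of control-protocol ports is an assumption for the example (IEC 60870-5-104 on 2404, IEC 61850 MMS on 102, DCOM/OPC on 135).

```python
"""Toy detector for the substation-mapping behaviour described in the text.

Added example with constructed data, not real Industroyer traffic.
Two heuristics a SOC could run over substation LAN flow logs:
  1. fan-out: one source contacting many distinct control devices;
  2. new pairs: control-protocol conversations absent from the baseline.
"""
from collections import defaultdict

# Constructed baseline: (src, dst) pairs that normally speak a control protocol.
BASELINE = {
    ("10.0.1.10", "10.0.5.21"),  # HMI -> RTU in bay 1
    ("10.0.1.10", "10.0.5.22"),  # HMI -> RTU in bay 2
}

# Assumed control-protocol ports for this example (IEC 104, ISO-TSAP/MMS, DCOM).
CONTROL_PORTS = {2404, 102, 135}

# Constructed flow log: (src, dst, dst_port).
FLOWS = [
    ("10.0.1.10", "10.0.5.21", 2404),   # normal HMI polling
    ("10.0.1.10", "10.0.5.22", 2404),
    ("10.0.1.10", "10.0.5.21", 2404),
    # A compromised Windows host sweeping the substation device range.
    *[("10.0.1.55", f"10.0.5.{i}", 2404) for i in range(20, 36)],
    ("10.0.1.55", "10.0.5.40", 102),
    # Ordinary IT traffic from the same host; not a control port, so ignored.
    ("10.0.1.55", "10.0.2.5", 445),
]


def control_flows(flows):
    """Keep only flows to a control-protocol port."""
    return [f for f in flows if f[2] in CONTROL_PORTS]


def detect_enumeration(flows, fanout_threshold=5):
    """Map source -> number of distinct control devices contacted, for sources
    at or above the threshold. A legitimate HMI talks to a fixed, small set."""
    targets = defaultdict(set)
    for src, dst, _port in control_flows(flows):
        targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= fanout_threshold}


def detect_new_pairs(flows, baseline=BASELINE):
    """Sorted (src, dst) control conversations never seen in the baseline."""
    seen = {(src, dst) for src, dst, _port in control_flows(flows)}
    return sorted(seen - baseline)


if __name__ == "__main__":
    for src, count in detect_enumeration(FLOWS).items():
        print(f"ALERT fan-out: {src} reached {count} control devices")
    for src, dst in detect_new_pairs(FLOWS):
        print(f"ALERT new pair: {src} -> {dst}")
```

The baseline check is the more durable of the two: substation traffic is highly repetitive, so a learned allowlist of speaker pairs stays valid for months, and any new pair is worth a human look even when the fan-out stays under the threshold.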

At present it is not known how the malware managed to get into the network, but many suspect it may have been sent through phishing emails (as with the 2015 attack). Overall, Crash Override infects Microsoft Windows machines within the target network and then maps out the control systems in order to locate the key supply points, while recording network activity that can be sent back to the controllers of the malware.

After the discovery phase, it is thought that Crash Override can load up one of four additional modules, which can communicate with different types of equipment (such as Honeywell and Siemens systems). This could allow it to target other electrical supply networks within different countries.

Doing damage?

Another feature of the malware is that it could potentially damage electrical equipment and cause a large-scale outage. The malware was seen to disable the Siemens Siprotec digital relay, which is used to shut down electrical equipment if a dangerous surge is detected. The malware sends a specially crafted data packet to the device and takes it offline (after which it requires a manual reboot to get it back online).

This shutdown would mean that if the electrical supply was overloaded, the system would not shut itself down, and could thus cause significant damage to the supply network. This type of damage could cause the whole of the supply network to trip as the fault cascaded.

In the teardown process, the malware destroys all of the files it has infected and tries to cover its tracks.

Previously, in 2009, Stuxnet, thought to have been distributed by the US and Israel, was used to attack an Iran nuclear enrichment facility.

So what?

A study by the Cambridge Centre for Risk Studies, for example, estimates that a large-scale power outage in the UK would result, in the worst case, in losses over five years of £442 billion from UK GDP. They conclude that the most plausible route would be to bring down the substations and cause blackouts for up to 13 million people, for several weeks at a time.

Tripwire recently surveyed 150 IT professionals in the energy industry and found that the number of attacks on their infrastructure was increasing and that 77% of recent attacks had been successful in some way. Overall, 68% said that the rate of success of the attacks had increased by 25% as opposed to the previous month. For the source of the attack, 78% reported attacks from external sources, and 30% reported attacks related to an insider (either someone working in the company or an ex-employee).

In conclusion, 83% of them thought that their companies were not confident in coping with a cyber attack. On the other hand, 78% of them were confident that their organisations could detect sensitive and confidential information.

Jack Harrington, from Raytheon, tells it like it is, and says that our electrical supply is:

critical to our daily comfort and ultimately our survival

and that it is vulnerable to cyber terrorists. He cites the cases of power supplies being affected in the Ukraine, and by white hat hackers in the Midwest, where RedTeam managed to gain access to a number of electrical power stations (often using social engineering methods).

You can see how easy it was for the RedTeam to gain access to supply stations, and you worry that others with a more malicious intent could cause chaos in other countries. With no electrical supply, data centres, ISPs, and all the other key services would fall like dominoes. Attacks on SCADA systems, for example, have risen by more than 100% over the past year. A large-scale black-out in the North-East US in 2003 caused considerable problems, and there the power network was tripped by a fault on the lines.

Conclusions

Network outages for our back-haul should be measured in seconds and not hours or days. We need to make sure that we are not dependent on any single part of the network, so that the failure of one part does not bring the rest down. As we increasingly live our lives on-line, we have integrated with services which need that ‘always-on’ service, so we must make sure that it is always there. While companies are fined for data breaches under GDPR, there is also another EU directive — NIS — which relates to critical national infrastructure. If we want to build new health care systems and smart cities, we need the network to be there, so we need accountability whenever this type of event happens, in order that it does not happen in the future.