Hack attacks on electricity, water systems already here, says expert
Israeli cyber-security training firm IP-Sec has seen it all – and there’s good reason to worry about hackers turning the lights off, the company says
You don’t have to be paranoid to imagine that one day soon hackers will gain control of an important infrastructure system, like a water distribution system or a power plant – as apparently happened in Ukraine in December, where what are suspected to be Russian hackers used malware to cause a blackout in the country’s Ivano-Frankivsk and other regions.
But what many people should be fearful of is the apparently blasé attitude of many government officials and even industry workers to protecting those infrastructure systems, said Irit Potter, CEO of Israeli security consulting group IP-Sec.
“Governments in the developing world are spending a lot of money to upgrade their communications infrastructure, developing connected smart cities and systems to improve the lives of residents – but security is barely a second thought for many of them,” said Potter on the sidelines of the CyberTech 2016 event in Tel Aviv last week. “We work in many places in Latin America, and we see first-hand how a lax attitude leads to lax security.”
Thousands of people from Israel and around the world converged at Cybertech 2016 to check out the latest in Israeli cyber-defense and detection technology – but that tech can only protect if it is implemented. For various reasons, the need for serious cyber-security has not yet been absorbed in many places in the developing world, said Potter. “In some countries there is more awareness but it is localized, perhaps on a specific server or department. There is no overall awareness and policy-setting in many of these places.”
Certainly not for SCADA (supervisory control and data acquisition) systems, the systems that are usually part of closed networks that traditionally are used to control infrastructure. When an electric company needs to reroute power to different substations, it will use its closed SCADA network to make that change. Unconnected to any other networks – much less the Internet – and accessible only from specific computers, the SCADA systems were considered safe from hackers.
That traditional perception is part of the problem, said Potter. “In many cases, the only way to invade a SCADA network is to physically tap into communications equipment at the site of a substation or other facility, or to take over the power plant itself. But with the innovations involved in smart city technology, it hasn’t yet sunk in for many administrators that their SCADA networks are now just as vulnerable as the Internet – and maybe more at risk.”
Lights out
The Ukraine hack, reported first by computer security specialist ESET, is a perfect example of how this works, said IP-Sec vice-president Moshe Raz.
“Part of the new trend in connected SCADA networks is a conversion from the traditional UNIX systems, which are hard to learn and difficult for hackers to gain control of, to the new user-friendly Windows systems.”
According to ESET, that is apparently what happened in Ukraine; hackers used social engineering to get power plant workers to open infected Microsoft Office documents, which deliver malware that make their way to control systems.
That, the group said, appears to be what caused the December 23, 2015 blackouts. Security officials were able to find the virus and stop it from spreading.
“Although in Ukraine, Christmas is traditionally not celebrated on December 24th and 25th, a group of cyber-criminals has chosen this time of year to deliver a dark ‘present’ to a few hundred thousand people and many more might have also been this ‘lucky’, had the malware not been detected,” ESET said, adding that it was likely Ukraine, and other places, would have to wrestle with this threat in the future as well.
A wake up call
That, finally, may wake up officials to the importance of security – and especially training personnel at infrastructure and other important facilities to deal with security issues, said Potter.
IP-Sec, which has been in business since 2004, does just that, and is considered one of the top security consulting firms in the world on SCADA defense. “We train personnel to identify threats, and help them learn what to do about those threats,” said Potter. Among it customers in Israel are the large majority of large enterprises and government offices – “one of our smaller customers in Israel is the Tel Aviv Stock Exchange,” said Potter – and the group works with governments around the world, and especially in Latin America, to train workers to deal with cyber-attacks.
“We work with organizations for about a year, setting up scenarios that they will have to face in real life, and help them learn how to deal with them on their own,” said Potter. “In addition, we monitor their systems, alerting them on when there is a problem, and advising them on what action to take.” Eventually, it’s expected that the team will be able to handle things on their own. “Each security scenario is custom-designed for customers, so they can get a good sense of what they are up against.”
Even with this intensive training, teams don’t always get it – so one of IP-Sec’s important activities is showing those in charge the bottom line costs of ignoring cyber-security. “Hackers cost companies money – even lives, if systems in places like hospitals are harmed – and for various reasons, not all public officials make the connection between cyber-security and financial security. We make sure they understand that. Once they do, you can believe they are a lot more amenable about ensuring the safety of their systems.”