The vulnerability of critical infrastructure, including energy grids, to cyberattacks has been a growing concern worldwide. Many nations have been scrambling to improve their defenses vis-à-vis threats faced by services that are critical to the continuity of our daily lives.

The US Government is forming a new office within the Department of Energy (DOE) with an eye toward protecting the nation’s electrical grid and other infrastructure from cyberattacks and natural disasters, according to an announcement on Wednesday.

A total of $96 million in funding is to be earmarked toward the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER). The US administration is looking to increase spending on IT and cybersecurity by 5.2 percent to $80 billion.

The vulnerability of critical infrastructure, including energy grids, to cyberattacks has been a growing concern worldwide. A few months ago, for example, US authorities issued a warning that since at least May 2017 threat actors had been penetrating the networks of operators of nuclear power stations and other energy facilities in the US and beyond.

The dangers have executives of electric utilities worried, too. A global survey by Accenture in 2017 showed that half these executives worldwide believe that their countries are facing either a moderate or significant likelihood of electricity supply interruption due to a cyberattack within the next five years. At the same time, only less than one-half think that they are well prepared to restore normal network operation in the scenario of a cyberattack causing service interruption.

Many nations have been scrambling to improve their defenses vis-à-vis threats faced by services that are critical to the continuity of our daily lives. The EU’s member states, for example, have until this May to transpose the Network and Information Security (NIS) Directive into their national bodies of law. This legislation is intended to make sure that operators of essential services have robust systems in place to fight off cyber-incursions.

A quick trip down the memory lane

Recent years have afforded us a number of examples of how much havoc can be wrought by incursions into power plant systems.

Ukraine has experienced two cyberattack-induced blackouts. In a first-of-its-kind attack in December 2015, malware known as BlackEnergy, cut power supplies to around 250,000 homes for several hours. A year later, an hour-long power outage hit parts of Kiev and nearby areas. ESET researchers later analyzed samples of malware detected by ESET as Win32/Industroyer and concluded that it was most probably this malicious code that had been used in the latter incursion.

More recently, it emerged in December 2017 that malware called ‘Triton’, or ‘Trisis’, had enabled attackers to wrest control of the safety system at an unknown industrial plant in the Middle East and to halt its operations. The attack leveraged a zero-day vulnerability in safety-controller firmware, also using a Remote Access Trojan (RAT); that attack was deemed to be “the first designed to specifically impact safety-instrumented systems”.

There have also been incidents that were not aimed against specific infrastructure systems, such as when a tiny computer worm called SQL Slammer infected 75,000 machines within minutes of its release in 2003 and its victims included the Davis-Besse nuclear power plant in the US. The worm disabled the plant’s safety monitoring system for up to five hours and exposed the risks of connecting plant systems to corporate networks. Fortunately, the facility had been offline for nearly a year prior to the incident.

Now, clearly a long time has passed since the time an Australian man remotely broke into a computerized waste management system and sent millions of liters of raw sewage into parks and waterways on the Sunshine Coast in Queensland, Australia, in 2000. However, the critical infrastructure ecosystem continues to face serious challenges, as organizations manage the infrastructure using operating systems that are obsolete, vulnerable, and yet connected to the internet.