Analysis: Have cyber attacks against critical infrastructure stopped being just a scary theory?

Attacks on critical infrastructure are already becoming a key theme in 2016. At the start of the year it was revealed that Russian-based hackers had attacked the Ukrainian power grid, leaving thousands of people without electricity.

Then, on the 26th January 2016, Israel’s Minister of Infrastructure, Energy and Water, Yuval Steinitz, revealed that the country had had to fight off the largest cyber attack in its history, which was targeted at the country's Electric Authority.

That ransomware attack resulted in computers having to be shut down for two days in order to contain the attack.

The fallout from the Ukrainian attack continues too, with consultant Oleh Sych telling Reuters that another Ukrainian energy company had been hit by a lesser attack back in October, bringing the total number of firms affected to four, and that similar malware had also been identified by Zillya!, the antivirus firm he works for.

Sych said that "we’re living on a powder keg. We don’t know where else has been compromised. We can protect everything, we can teach administrators never to open emails, but the system is already infected."

Sian John, Chief Strategist at cyber security firm Symantec, said that these recent incidents prove that cyber security attacks against critical infrastructure are moving beyond the theoretical and into reality.

"It is real," she told CBR. "It all comes down to when is there going to be a return on investment for the hackers, when it actually goes from theoretical to real when it actually is a benefit to doing that.

"We’re at the beginning of it. Some of that is at a level where it’s very difficult to protect, you get the sort of nation state level all you can do is respond."

The rise of these attacks requires a broad approach and an appreciation that you are not going to be able to stop every attack, she said: "If the 80/20 does really apply you need to put a lot of effort into stopping the 80% and ensure you can detect and respond quickly to the 20%."

Nation-state attacks are most likely to fall into that 20% of attacks that are almost impossible to prevent, and just need to be detected and dealt with. Although, "Some of them you’ll catch in the bottom end," said John.

It is not known who was responsible for the attack on the Israel Electric Authority, although Russian state attackers are largely thought to be responsible for the Ukraine attack that took out the power. However, that could change as motivated individuals decide to go after large utility companies and critical infrastructure.

"I’m saying nation state," said John, "but it could become some hacker who’s got a determined aim at you at some point as a utility or connected critical infrastructure.

"They have to have enough determination to keep going."

It is the highly motivated nature of these attackers, and the damage that they can cause, that requires a change of thinking from all those involved in protecting critical infrastructure, she said:

"We’ve got that move from pure prevention to detection and response as well. It’s that whole doing everything I can to keep it out, but ensure that if it does get in I can detect and respond to it quickly. I think that’s really the core."

Reassuringly, John thinks that the UK government is actually taking this issue seriously, and has been doing so since the launch of its cyber strategy back in 2011. She said that very high level discussions around the issue are happening too, discussions that even major firms like Symantec are not really involved in.

"I do think actually in the UK that we’ve got a very mature understanding of that from both our critical infrastructure companies and from the UK government," she said. "So you look at the last 5 years of the cyber strategy they quite rightly spent a lot of that and investment to try and get early warning and intelligence to feed into people like critical infrastructure companies to them low."

This will also be boosted by the doubling of investment in cyber security that Chancellor George Osborne announced in the run-up to the Autumn Statement, which is designed to boost the UK’s cyber defence capability.

"The focus is on making sure companies are doing the right thing to protect themselves," said John.

Of course, this can only go some way to allaying fears, given that in most other sectors most people accept that cyber breaches are a matter of when, not if.

It is often thought that IoT and wearables are the attack vectors that we should be really worried about. While John does think that in the IoT space the security risks around embedded medical devices do need to be taken seriously, defending our critical infrastructure remains a priority for government and security professionals alike.