Just last week CNN ran a video, and plastered across the screen were these words: “You can definitely cripple an entire country: fear Syrian hackers may retaliate against U.S.” It was similar to a story ran by Reuters just prior to August’s Black Hat conference where new research was able to “wreak havoc on critical U.S. infrastructure, even causing explosions.”

When discussing cyber threats surrounding U.S. infrastructure, there’s a certain walking-on-eggshells aspect, if only because everything surrounding industrial control systems and SCADA has become so closely associated with doomsday scenarios: mass blackouts, explosions, poisoned drinking water, chaos, acts of war.

The president, government officials and cybersecurity experts have all voiced the same concern, a concern voiced by head of the National Security Agency Gen. Keith Alexander that we reported on months ago: no one wants to start a war, but if they wanted to, they could.

Part of the problem with the discussion around infrastructure is that it’s so wide-reaching.

“My total objection is using the phrase critical infrastructure,” said Fred H. Cate, distinguished professor and C. Ben Dutton professor of law at the Indiana University Maurer School of Law and director of the Indiana University Center for Applied Cybersecurity Research. “I think the administration is out of its mind. What infrastructure isn’t critical? Car systems, train systems, the ATM network – tell me a not critical system in our economy. And so what you end up with when you talk about critical infrastructure, you talk about everything. And it’s a meaningless concept.”

But when it comes to doomsday, worst-case scenarios, you can’t get bigger than nuclear.

Could Hackers Cause a Nuclear Disaster?

There are 104 nuclear power reactors licensed to operate at 65 power plants across the U.S. There have been occasional accidents in the U.S. – three mile island, a spill that closed a plant for seven months in 2006, a worker who was killed earlier this year when part of a generator fell – but nothing large-scale on the cybersecurity front.

“In the United States, ever since 3-mile island, the nuclear industry knows they have been under the spotlight safety-wise,” said Andrew Ginter, vice president of industrial security with Waterfall Security. “The number one priority on pretty much any control system network you’ve ever been to is safety. Second priority is reliability. If you make a change to a control system network, the first question that goes through the mind of the control system engineer who is making that change – their first question – is first and always, ‘How likely is this change to kill anyone? How likely is this change to cause a public safety hazard? How likely is this change to cause an environmental catastrophe?’”

Nuclear cyber-attacks may provoke the most instinctive gut reaction in the general public due to the magnitude of risk involved, but it’s precisely that risk, and the increased regulation around that risk, that makes it secure.

“The place where I don’t worry so much about SCADA attacks is where you already have a reason to have lots of duplication. Nuclear is the perfect example,” Cate said. “You’ve got backups of backups of backups, and that just makes it harder to do a network-based attack that really causes damage because another system is going to be triggered.”

Unidirectional Communication

Nuclear faces much stricter regulation. As Ginter wrote in 2011: “The latest nuclear security rules give two choices: either air-gap the most sensitive control networks, or use unidirectional technologies to let data out of those networks, but let nothing back in.”

An “air gap” essentially means making sure the the system is isolated, or “unplugged” from other networks. Unidirectional gateways, on the other hand, tend to give the best of both worlds, connection and security. Data comes out, but nothing is allowed back in. It’s a one-way street, so inserting malware or performing other kinds of exploits is very difficult.

As a 2010 Waterfall Security document put it, “the Industrial Network and critical assets are physically inaccessible from the business network and thus 100% secure from any online attack.”

“The Chinese hackers break into the corporate network, and they want to go wreak some damage on nuclear control systems – they can’t. There is physically no way to send any signal back into those control systems,” Ginter said, then cautioning, “Nobody in the industry is complacent. Nobody says they’re hacker proof.”

Every system has its issues. Even if they’re unidirectional, there’s still the issue of how to get software updates and security patches. Even if they’re completely disconnected, there’s still the insider threat to worry about.

Critical Infrastructure a 3 out of 10?

In June Gen. Alexander testified before a Senate committee, grading the the critical infrastructure of the U.S. a three out of ten. While the number of high-risk nuclear targets sits under 100, when you expand the view to include all electric and water systems, that number skyrockets.

For example, the Environmental Protection Agency estimates that there’s approximately 155,000 public water systems in the U.S. As a hacker targeting infrastructure, that’s a lot of potential targets. Trend Micro researcher Kyle Wilhoit wanted to know just how easy it was for hackers to get into some of these types of systems, so he set up “honeypots,” essentially fake water control systems that would mimic the online control systems used by U.S. utilities. It only took 18 hours for the first hacking attempt.

“In the state of Indiana we have 99 different water treatment processors,” Cate said. “They’re all mom-and-pop. None of them are big, and that’s where I would be worried. I’m not worried about the nuclear power plant that’s hugely regulated and run by a gigantic industry.”

Just take a look at some of the water systems in the U.S.:

  • 77 percent of community water systems are classified as either small or very small (meaning they serve from 25 to 3,300 people)
  • There’s also over a 100,000 non-community water systems, which are systems found at at things like schools, factories, hospitals and campgrounds
  • Of those non-community water systems, over 96 percent are in the small or very small category

Understanding infrastructure and the problems surrounding it can be difficult, as it’s such an inclusive term and various aspects are often mashed together in their reporting. For example, a research exploit used to hijack a water plant that serves a thousand people is often lumped together with Manhattan’s electrical grid and nuclear power plants in the same report – without any distinction.

“The Trend Micro stuff is typical of very small water systems. You go talk to any of the big water systems and say, ‘Are you connected to the internet?’ and they look at you funny and go, ‘Why? Do you know something I don’t?’ because no, they’re not connected to the internet. It’s heresy to connect a control system to the internet, even with a firewall in between,” Ginter said. “A nuclear power plant connected to the internet?” he said, laughing. “Are you nuts?”

But when it comes to these small-scale operations, things are much different, and the people we spoke to all agreed: many of these types of places don’t know what they’re doing in terms of security, and even finding the right person to educate can be a challenge in itself.

So Why Are They Connected to the Internet?

“One of the most notable reasons SCADA systems are connected to the Internet is so that designated employees can have remote access to the network from their respective mobile devices and home systems,” said Sean Bodmer, chief researcher, counter-exploit intelligence at CounterTack. “This allows them to address any possible disruptions to their services regardless of where they are or the time of day. There is a legitimate need for remote access, but I’m fairly certain not at the scale it is being used today.”

In late 2012 it was reported that researchers had identified 7,200 internet-connected critical infrastructure systems, and while large scale power plants and infrastructure generally aren’t connected directly to the internet, most systems are connected at least indirectly.

“There are connections through networks that reach ultimately out to the internet in most of these control systems, but there’s layers upon layers of firewalls and anti-virus and intrusion detection and other protections between control systems and the internet,” Ginter said. “The smaller the organization, the fewer layers they tend to be. The less sensitive the organization, the fewer layers there tend to be. In nuclear, you’ve got some very strong layers.”

In 2012 the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 198 reported cyber incidents, 41 percent of which were against the energy sector and 15 percent which were against the water sector. They also tracked 171 unique vulnerabilities affecting ICS products.

Show Me the Money!

Most of the facilities using SCADA systems are privately owned, and so there is a natural tendency to view the regulations as a costly burden. That is essentially what Reps. Edward J. Markey, D-Mass., and Henry A. Waxman, D-Calif. discovered when they requested information from 150 utilities across the nation. Most of those surveyed indicated that they hadn’t implemented any of the North American Electric Reliability Corporation (NERC) voluntary recommendations.

“I’ve heard one utility in the power space after another talk about NERC CIP and say the words – and I’ll try to quote this best I know – ‘We have an obligation to our rate payers and to our shareholders to minimize compliance costs. We see NERC 6 as a compliance burden, not a security obligation. And we are going to do everything we can to minimize the cost of compliance,’” Ginter said.

It all comes down to how people assess risk. The military assesses risk based on capabilities: how capable are our defenses, how capable are enemies, and when we match those up what will happen? Others use an actuarial-style approach: how many times have we been attacked and at what cost – like an insurance approach.

“I’m just looking at this from the outside – but it seems to me they’re using an actuarial approach to risk analysis when they should be using a capabilities-based approach.You can be certain that General Alexander is using the capabilities-based approach,” Ginter said.
That difference in risk assessment helps explain, in part, the gap in perception between those who profess huge security holes and those who think the problem is overblown.

What’s Vulnerable?

“In my opinion, it’s probably not as bad some of the rhetoric, as the people with the skills to damage these systems don’t really have a motive for doing so,” said Richard Henderson, security strategist for Fortinet’s FortiGuard Labs, via email. “But the flip side of that coin is that it’s very likely they could cause some significant damage to the grid if they wanted. Keep in mind though — it’s virtually guaranteed that we also have the ability to disrupt these same systems in foreign power plants, but there hasn’t been anything that’s made it to light that indicates we’ve used that ability.”

The devices being used are quite common, so if a potential attacker is able to gather any information on the models and types of SCADA devices being used, there’s a good chance they can find an exploit, Henderson said. “In cases of the very well-funded groups, it’s entirely likely that they have real-world labs set up running the same pieces of ICS hardware in order to really dig into them looking for flaws and exploits.”

And as Bodmer said, a lot of the systems are out of date: “I commonly hear DoE (department of energy) employees and contractors that their inability to stop a multi-million dollar turbine for an hour to upgrade or patch the OS running the SCADA software is an ongoing issue. … It’s frightening to think that some of these systems are still running on Windows XP.”

Like most things, the best way to figure out what’s vulnerable is to follow the money.

“One way to sort of get at this question is when you ask, ‘What have we done to save money in recent years?’” Cate said. “So things like, for example, putting electronic database controls on power systems on residential units. We want to save money. We want to do that to turn off my air conditioning when it’s expensive to run. Did we back it up? Probably not because we were so busy saving money, we didn’t bother backing it up. Anytime you find something that’s been moved to an electronic network to save money, you have a pretty good indicator it probably wasn’t done securely.”