The Aurora Generator Test carried out by Idaho National Laboratory in 2007 introduced much of the world to the idea that a cyber hack could cause damage and disrupt electricity distribution. While the test was real, the hack required a successful intrusion first and there were no real-world incidents that actually realized electricity disruption – until last month.
By now, most people in the information security community are aware of the hack on at least two Ukrainian power authorities in Ivano-Frankivsk region. As much as high-profile cybersecurity attacks ranging from Target to Anthem have raised concerns about broad-based disruption to daily life, the impact on consumers was abstract at the time. The impact for the corporations was immediate as they went into full incident response mode, but the majority of their customers’ didn’t feel an immediate tangible effect of their data being compromised.
Electricity distribution is different. The impact is immediate and tangible. When the Ukrainian power authorities went dark due to a well-orchestrated attack, at least 80,000 homes were impacted. The ESET blog reported that it may have been even greater with about 50% of the region’s 1.5 million were without power for 3-6 hours. Details are trickling out but the lesson is clear. Critical infrastructure has become more than a theoretical information security risk.
A Trend Line of Escalating Risk to Individuals
Information security is now part of the public’s consciousness. Hacks on Target and The Home Depot raised awareness about the fragility of personally identifiable financial information. The JP Morgan, Scottrade et al. hacks reinforced concerns about the security of financial data and escalated fear of identify theft. Office of Personnel Management (OPM) and Internal Revenue Service (IRS) hacks showed us that the government has a lot of data about citizens that can raise further risks. The Anthem and Excellus BlueCross BlueShield hacks showed that even personal health data is at risk for exploitation. It’s no wonder that some U.S. presidential candidates are now making cybersecurity a core policy talking point.
The Saudi Aramco and Sony hacks delivered great headlines and compelling storylines about the business risk of information security breaches. They were costly to the companies and no doubt impacted the careers of more than a few executives. However, none of these previous incidents rise to the level of disruption or potential devastation that a prolonged power outage can deliver since our supply chain is so critically tied to energy.
Consider the estimated $6 billion cost and 11 deaths attributed to the August 2003 power outage affecting 50 million people across eight Northeastern and Midwestern states. Power in some areas was restored in about six hours, but many other areas were without electricity for more than 24 hours. Privacy and financial risk become secondary concerns when the heat, air conditioning, refrigerators and medical equipment cannot operate. Now imagine if the 6-hour Ukrainian power outage turned into several days.
Mandiant’s Chris Sistrunk put it this way in a recent post in the SANS ICS blog, “The electric grid is unlike any other critical infrastructure. It is THE critical infrastructure, not just for the U.S., but for most every country. Electricity for most is not a luxury, but a necessity, especially for businesses, manufacturers, and at home.”
What it Means for Information Security Professionals
The escalation in potential and realized impact from breaches has led to more funding for information security capabilities and this trend is likely to escalate. However, with more awareness and more funding will come greater scrutiny. People outside the Infosec community now understand the potential impact and want both answers and assurances. Increasing pressure from management is likely to come in five areas with heightened expectations for:
- Reduced time to detect active breaches
- Reduced time from breach detection to confirmation and incident response
- Increased process consistency around vulnerability remediation for known risks
- Increased visibility into the current and historical risk posture
- Validated value derived from existing information security investments
I will share more thoughts on these topics in future posts. The key takeaway is not only are the stakes of information security breaches rising at the same time that threats are becoming more sophisticated and numerous, but you should also expect more non-technical executives and outside influencers to express “interest” in the work that we do. The profiles of Blue Teams are sure to increase and that will bring added scrutiny because the risks are becoming better understood.
By Chris Morgan