"The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown."
What is the real-world, material threat of a cybersecurity hack?
Corey Williams: For example, the Springfield, Illinois, water utility hack from Russia in 2011 destroyed a primary water pump. The hackers stole the usernames and passwords from a third-party vendor that maintained the control software for its customers, and then used those credentials to gain remote access to the utility's network and reconfigure the pump for failure. We have all read stories of hackers remotely taking control of vehicles and interfering with the operations of the vehicle. While only a proof of concept, it constitutes a real-world threat. There is nothing inherent to being in the west that provides extra protection or exemption from the threats of cyber attackers. On the contrary, the west has become a primary target.
Domingo Guerra: Major systems from the internet (upon which much of commerce, defense, and communications are reliant) to the power grid, the water supply, and food distribution can all be disrupted by cyber attacks. In the west this could affect our ports, major industries like tech, manufacturing, and agriculture, and make military installations vulnerable.
Could hackers take down the power grid or tamper with water supplies?
Chris Petersen: Much of the U.S. critical infrastructure is woefully unprepared to defend itself from a highly motivated and capable threat actor. What concerns me most is an attack against our energy grid. A prolonged outage of days would be a damaging blow to our economy and likely result in loss of life. An outage of weeks could unravel our society and be the apocalyptic event "preppers" are preparing for. For more than a decade, we've known that targeted malware can damage industrial control systems (ICS), which are the same types of systems that make up our energy grid. While energy companies and utilities have improved their posture to comply with regulations like NERC / CIP, I think this will be "too little too late" if they're targeted by a highly skilled threat actor with the most sophisticated cyber weapons.
Ray Rothrock: Absolutely, you don't have to blow up a substation to knock out a power grid anymore. It can be done with keystrokes from halfway around the world. The best defense is segmentation - separating networks from each other. Unfortunately, all the momentum these days is in the opposite direction - connecting networks and adding more things to the internet, whether they are ready for a scary, hostile environment or not. We need to plan for resilience - breaks are inevitable. When we build a chemical refinery or toxic waste pipeline, we don't just build it sensibly up front and hope for the best - we plan for failure, we design in emergency procedures and recovery plans. Much of the internet has not yet gotten around to thinking about resilience this way and can therefore fail dramatically if pushed hard.
Corey Williams: Yes. Utilities in general often have aging, and even antiquated, infrastructure that was not designed to withstand the sophistication and ubiquity of hacking tools available today. Utilities need to add a second layer of identity assurance for access to any command and control software. This simple and inexpensive effort would ensure the availability and safety of our most precious resources.
Domingo Guerra: Unfortunately, yes. As an example, Ted Koppel's book Lights Out warns of just how vulnerable these systems are.