Our nations and critical infrastructures are becoming more and more vulnerable as our dependence on software and computer networks increases at an unprecedented rate. While disruptions from cyberspace are not new, the implications of a cyber-attack have grown exponentially. A threat that started as ‘digital vandalism’ in the 90s and early 2000s has transformed into a ‘digital weapon’ with the capacity to cause total destruction.
The recent SWIFT attack is the latest reminder that our society is still very susceptible to attacks from the cyber world. Alongside transportation, communication and financial systems, nuclear power plants (NPPs) are becoming ‘wanted’ targets of this insidious threat, especially for terrorist or extremist organizations.
The past few years have seen a rise in the number of security breaches at NPPs as cyber-criminals, state-sponsored hackers and terrorists increase their online presence. U.S. President Obama recognized that cyber-attack is one of the greatest threats against the security of a nation because it not only signifies collateral damage but is also motivated by geopolitical situations. Unfortunately, the threat of cyber-attacks is not only here to stay but set to magnify, given our complete dependence on information and communication technologies.
Cyberwarfare: ‘The New Achilles’ heel’
The real concern over cyber-attacks is the unknown scale of destruction they could cause once cyber meets the physical environment. This explains why the threat of a cyber-attack is referred to as a potential ‘digital Pearl Harbor’ or a ‘cyber 9-11’ by the Pentagon and the U.S. government. Besides large steam explosions, fire and the release of radioactive materials, disruption to an industrial control system (ICS) can result in nuclear meltdown, potentially killing thousands and crippling society for years to come.
The Stuxnet attack against the Iranian nuclear enrichment facility, for instance, was far more dangerous than initially suspected. It was able to destroy about a fifth of Iran’s nuclear centrifuges. Stuxnet, the “world’s first digital weapon”, had the capacity to cause extremely serious consequences: not only physical damage to computer equipment but also a potential cyber-war.
Regardless of how much money is being invested in developing high-tech protection mechanisms, the increasing computerization, digitization and complexity of nuclear infrastructure continue to increase NPPs’ vulnerability to cyber-terrorism. The Chatham House report Cyber Security at Civil Nuclear Facilities: Understanding the Risks also highlighted this point. The report concluded that the recent switch to digital systems by the UK’s nuclear industry has left nuclear infrastructures unprotected and exposed. An extension of this problem is that most modern plants operate using standardized industrial control systems (ICS); once you have access to one, you can break into others of the same breed.
Threats from beyond
A principal threat to Western security comes from the so-called Islamic State (IS, Da’esh, ISIL), which suffered a leak of its internal manual on Operational Security in Cyberwarfare a few months ago. The leaked document provided the West with intelligence on the extent of operational procedures for all levels of the organization. The Islamic State has already acknowledged that the Western world retains technological superiority in the ongoing conflict. However, it is using all available tools to mask its exploits in cyberspace, from tools of deception to encryption hardware. This level of engagement and the clear motivation to do further harm, as we have experienced in Belgium, set the stage for a prolonged ‘cyber-warfare’, a conflict that the Western world has yet to fully prepare itself for. In response to this threat, we must commit ourselves to expanding our methods of defense in cyber-security. We must maintain a strong focus on the security risks posed by the Islamic State’s online capabilities, which may cause extensive harm to our critical infrastructure and paralyze our ability to act.
What is next?
Unfortunately, industrial communications mechanisms and protocols have not kept pace with the internet and cyber age. Despite recognizing the overall threat, we have proven ourselves unable to properly address the changing nature of cyber threats. The same Chatham House report found that the management of these power plants lacked the required knowledge of cybersecurity and showed a poor understanding of the implications of cyber for physical security. Back in 2003, a study (reported in the Washington Post) had already confirmed that governments lacked the ability to protect themselves from cyber-attacks. It is worrisome to see that, after more than a decade, we are still unable to put the necessary procedures in place.
There is a gap between offensive capabilities and defensive measures when it comes to addressing cyber security. Nowadays, those with malicious intentions can easily hack into the network of a nuclear power station using the Google search engine or a flash drive, as was the case with Stuxnet. In a recent article, Tate Nurkin, Senior Director of AD&S Thought Leadership, stated that on average it takes 200 days before an advanced threat is detected after compromising its target. This inability to identify, prevent and detect a cyber-attack only magnifies the scale of an attack.
Establishing a completely secure environment within the cyber landscape seems unlikely in the near future, as cyber threat actors are continuously developing innovative ways to exploit existing vulnerabilities. However, building enhanced resilience through the coordinated development of capabilities and protocols, and through information sharing, is possible. For instance, a report published by the Government Accountability Office showed that the Pentagon does not have a clear chain of command for responding to cyber-attacks. Establishing more concise protocols and procedures, and platforms for effective communication, can help un-blur the lines of command and control.
Another essential step that needs to be taken in building our resilience is developing strategic, operational and tactical intelligence. It is no longer enough to identify only the who, what and how of the threat at hand. We need to be prepared for the ‘what’s next’ and be ready for the implications of cyber-threats against our critical infrastructures.