A worldwide surge of sophisticated cyberattacks on industrial control centers has alarmed business, governments and cybersecurity experts alike. As long as it remains difficult to identify the sources of cyberattacks, while offensive cyber tools become more commonplace and easily available to rogue nations, jihadists and cyber-criminals around the world, one can expect such assaults on information and control systems (ICS) to increase. Disruptive attacks on critical infrastructures have already crossed the “red lines” of past forecasts. Even so, we may still be underestimating the scope of future cybersecurity threats.
The WannaCry ransomware attack in May 2017 encrypted data stored on hard drives worldwide, demanding from victims a payment equivalent to $300 in bitcoin to receive decryption keys. It was the latest wake-up call for the highly industrialized nations, especially the United States and Europe, which find themselves insufficiently prepared to fend off major cyberattacks. By exposing security vulnerabilities in even the largest organizations and companies, WannaCry highlighted how interconnected the global digital economy has become, with shared critical infrastructures (CIs) constituting the backbone of commerce, wealth and security in many countries.
The malicious software has been called one of the most virulent and wide-ranging cyberattacks to date, affecting hundreds of thousands of computers in more than 150 countries. Its high-visibility impact on the United Kingdom’s National Health Service (NHS), knocking out a third of its IT network, demonstrated the potentially devastating effect on critical infrastructures such as hospitals. WannaCry infected some of the world’s biggest corporations, including the Spanish mobile phone giant Telefonica, the German national railway Deutsche Bahn, the French carmaker Renault, and the U.S.-based logistics giant FedEx Corp. It also spread to Russia, forcing the Interior Ministry to take more than 1,000 of its computers offline. In China, almost 30,000 institutions were affected.
One striking feature of the WannaCry cyberattack was its indiscriminate nature. No specific institution was targeted, yet British hospitals were forced to delay or cancel surgeries and treatment of patients. Lack of preparedness was also evident. Cybersecurity experts called the NHS’s information systems a security nightmare that would require enormous investments to bring up to standard.
Coming on the heels of the release of powerful hacking tools allegedly stolen from the U.S. National Security Agency (NSA), the Wannacry outbreak showed the extent to which governments and companies are being targeted by constant and increasingly sophisticated cyberattacks from rival nation-states and their intelligence services, terrorist groups, hackers and cyber criminals. Recent assessments of the scale of this threat are given below.
Estimating the Threat:
- Economic losses from cybercrime exceed global profits from the drug trade – Europol
- About 70% of businesses suffering attacks from malicious software (malware) paid ransom, often in the anonymous digital currency bitcoin – IBM research
- Cyberattacks on information and control systems (ICS) rose 110% in 2016 – IBM research
- Cybercrime in Germany nearly doubled in 2016 from the previous year to 82,000 cases, resulting in damages of over 51 million euros. (These figures are based on reported attacks and may be only the tip of the iceberg.) – German Federal Crime Office
- More than 67% of institutions do not realize they have been under cyberattack until told by a third party – FireEye
- U.S. institutions and companies take an average 99 days to realize they have been attacked; in Europe, it can take up to 200 days – FireEye
- One-third of 1,552 known ICS vulnerabilities had no patch at the time of disclosure – FireEye
- Between 17% and 93% of software from major vendors has unpatched vulnerabilities – Kaspersky
- A survey of 70 professional hackers revealed that 88% believe they can break through cybersecurity defenses and into targeted systems within 12 hours – Nuix
- U.S. businesses will spend $101.6bn annually to protect themselves against hacking by 2020 (vs $73.7bn in 2016) – International Data Corp.
- Worldwide costs from cybercrime will double to $6tn in 2021 from $3tn in 2015. These costs include damage and destruction of data, lost productivity, theft of intellectual property and personal data, fraud, embezzlement, business disruption, deletion and restoration of hacked systems, and reputational harm – Cybersecurity Ventures
- Credit card fraud is forecast to rise to $20bn in 2020 from $4bn in 2016 – CNBC
- The global cyber insurance market may generate $14bn in premiums by 2022, posting an annual growth rate of nearly 28% – Allied Market Research
Most cyberattacks go unreported by companies, especially in the financial sector, because they fear reputational damage and loss of customers to competitors. Many firms and operators of critical infrastructure see no alternative to paying ransom, as the loss of up-to-the-minute data is too disruptive and could even lead to deaths (e.g. patient monitoring and surgeries in hospitals).
The positive aspect of spreading cyberattacks is that they have increased international awareness and cooperation in tackling the problem. Western countries are actively sharing expertise and information, with tangible results.
In 2016, for example, investigators from more than 40 countries, including the U.S., collaborated to destroy the global Avalanche phishing network, which had operated since at least 2009. Phishing is an attempt to obtain sensitive information such as usernames, passwords, or credit card details through electronic communications disguised to appear as coming from a trustworthy source. Avalanche consisted of a distributed, cloud-hosting network of as many as 600 servers and 500,000 infected computers that was rented by cyber criminals to launch worldwide phishing and malware attacks.
Despite such progress, however, preparedness and defensive capabilities have not kept up with the offensive prowess of transnational criminal organizations and government-supported hacking groups.
Withhold or Disclose
The WannaCry malicious code also highlighted the competing security interests between private actors and government institutions – especially law enforcement and security agencies, which themselves develop and use offensive cyber weaponry. Flaws and loopholes in widely available commercial software are used by military and security organizations to fight terrorism and international crime, and for intelligence and counterintelligence operations.
In the case of WannaCry, the outbreak was only made possible because a sophisticated cyberspying tool – EternalBlue, which exploits a vulnerability in file-sharing protocols in Microsoft Windows software – was allegedly stolen last year from the NSA, the agency that controls U.S. signals intelligence. The likely culprit was a cybercrime group known as Shadow Brokers, which is suspected of being a proxy of the Russian intelligence services. EternalBlue was then sold on for weaponization to other cyber actors in the “darknet” – the online marketplace of the global underworld.
The NSA tool allows hackers to move through various networks and between organizations by setting up legitimate enterprise file-sharing protocols. Cyber experts had warned for years about such loopholes, which U.S. intelligence agencies had either created for themselves or used their specialized knowledge to exploit. Microsoft was bitterly critical about the U.S. government’s withholding of information about these vulnerabilities, which allowed them to “stockpile” cyber weapons. The company’s legal counsel Brad Smith said this practice was the equivalent of letting criminals steal Tomahawk cruise missiles. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” he said in a May 14 blog post.
As Europe is developing its own offensive cyber capabilities, its intelligence services and law enforcement agencies need to carefully balance whether to withhold or disclose computer software vulnerabilities. This cost-benefit calculus, which the professional jargon refers to as the “Vulnerability Equities Process” (VEP), would determine whether security flaws unknown to network and software vendors (zero-day vulnerabilities) should be disclosed or exploited to fight cyber crime and thwart attacks. While all Western countries officially promote a policy of disclosure, in practice they have often favored retaining backdoors and other mechanisms to access encrypted communications.
The new wave in information technology is the “Internet of Things” (IoT). It is hoped that these networks of smart-sensor-enabled devices that communicate and cooperate with each other via the internet will create new businesses, manage “smart cities,” and even dispense remote medical services. McKinsey has estimated IoT’s annual economic impact at from $3.9 trillion to $11.1 trillion worldwide by 2025.
As these internet-connected devices enter widespread use, criminals might exploit their vulnerabilities for theft and data falsification, or to create zombie computer networks (“botnets”) for spreading malware or crippling websites by bombarding them with information requests.
IoT security is challenging on a number of fronts. First, there is no overarching industry standard, which hinders the development of end-to-end security solutions. Instead, we have incompatible technologies and multiple vulnerabilities. Second, the mass production of IoT devices introduces a multitude of new attack vectors. Since many of these products have very short replacement cycles, it becomes even more difficult to design tailored security technologies.
The economics of the personal electronics and home appliance business also plays a role. While both customers and producers view safety and security as important, IoT devices are perceived above all as mass commodities that compete on price. Cost-cutting works against the need to design systems that prevent breaches of private or commercial data. So far, customers have mostly been unwilling to pay any premium – as seen with semiconductor companies, which are struggling to recover their security investments. Producers must still work to convince end-users that security is worth paying for.
Finally, companies face special problems with innovative IoT applications for commercial uses (“Industry 4.0”), especially because many businesses and manufacturers rely on outdated computer systems and software. Connecting older legacy systems with the internet often undermines end-to-end security and exposes previously stable manufacturing processes to disruption.
For governments, which must defend critical infrastructure and industry from sophisticated cyberattacks and espionage, state-supported Advanced Persistent Threats (APTs) are the most pressing security challenge. APTs are generally associated with foreign intelligence agencies or affiliated non-state hacker groups.
China, Russia, Iran, North Korea and several other countries have been accused by the Western intelligence community of creating a symbiotic and mutually beneficial relationship with criminal groups. These relationships are built on a simple commercial logic. Since the security and law enforcement agencies in these countries can seldom match private sector salaries for cyber experts, they must offer other incentives. These include legal immunity and access to data and tools for cybercrime activities.
Russia has used cyberattacks for years against its internal critics, stealing and manipulating their emails or falsifying electronic documents. The techniques honed in those operations have then been employed in more sophisticated and innovative cyberattacks on critical infrastructure and ICSs in the U.S. and Europe. Among the best-known targets of these massive and well-organized operations were the U.S. (2016) and French (2017) presidential election campaigns, which were hacked by the Fancy Bear or APT28 group, linked with Russia’s GRU military intelligence agency.
These activities are part of a wider, undeclared campaign of asymmetric hybrid warfare that the Kremlin is suspected of waging against Western democracies. This effort includes fake news and other forms of disinformation designed to sow doubt and uncertainty while shaping new narratives for public opinion. Germany’s domestic intelligence agency (BfV) and its Federal Office for Information Security (BSI) have accused Russia of stealing large amounts of personal and political data in cyberattacks on deputies of the German Bundestag (the lower house of parliament) during a cyberattack in May 2015. The BfV has claimed to have “growing evidence of attempts to influence the federal election” in the fall of 2017 and has called for legal changes allowing the destruction of dangerous servers used by hackers.
Case Study: Ukraine’s Power Grid
Since all critical infrastructure that is directly or indirectly connected with the internet relies on a stable supply of electricity, national power grids are considered the Achilles heel of highly industrialized societies. Successful cyberattacks on these networks would instantly destabilize these countries’ economies and political systems.
A nationwide electricity blackout has been considered as one of the most dangerous consequences of a cyberattack. Experts have warned for years that the automated industrial systems that control CIs, such as power plants and electricity grids, are extremely vulnerable. Hypothetical scenarios of a “Cyber Pearl Harbor” found real-life confirmation when Ukraine’s power grid was hit by a well-coordinated, external cyberattack in December 2015. It was the world’s first known digital strike on this scale and the cyber intrusion caused widespread power outages that lasted for up to six hours.
Forensic investigations by Ukrainian and Western intelligence agencies, as well as independent information and communication technology experts, concluded that the attacker was a Russian hacker group called “Sandworm,” which had previously infected power companies in the U.S and Europe. The Trojan worm BlackEnergy was used to gain remote access to the supervisory control and data acquisition (SCADA) systems of the target companies. Once the breach was made, KillDisk malware destroyed files, rendering the SCADA system inoperable and making recovery more difficult.
Simultaneously, the call centers of the Ukrainian power companies were subjected to a coordinated cyberattack. This blocked customer reports of power outages, thus prolonging the blackout. The end result was the disruption of power supplies to about 230,000 people, leaving 103 communities completely blacked out and another 186 partially deprived of electricity.
The 2015 attack on Ukraine’s power grid was part of a long-running Russian campaign that started in May 2014, when a reconnaissance probe used spearphishing emails targeted against one Ukrainian utility. The same company was successfully attacked in December 2015. Similar cyberattacks were launched against all six of Ukraine’s state railway operators, television broadcasters, power distributors in Western Ukraine, the state archives and mining companies. The attacks have continued in subsequent years.
In contrast to highly industrialized Western countries, Ukraine was able to restore services within three to six hours by switching to manual code. More advanced Western power systems could be less vulnerable to hacking, but also more difficult to restore to service, since they are far more dependent on automated control systems. For these operators, switching to manual code is much more complicated or may even prove impossible.
The Ukrainian experience also showed that remote access functionality and modems in particular are insecure and should be limited as much as possible. Operators in the Netherlands, for instance, have opted for smart metering without the remote switch-off option. With the introduction of smart grids and smart meters in households and industry, future power supplies will be much more exposed to cyber threats, in part because they create millions of new entry points to the grid. Neither states nor societies are truly prepared for the cascading impacts of a cyberattack on these systems, or for the repair work needed to restore power fast enough to avoid catastrophic damage.
The WannaCry infection has highlighted once again the need for stronger regulations to force companies and the public and private owners of critical infrastructure to disclose that they have been victimized by cyberattacks. The security risks to information and control systems are not limited to their specific vulnerabilities, but are systemic in nature. The introduction of new technologies might only increase society’s vulnerability to cyberattacks.
The ultimate financial cost of WannaCry was not so bad, but next time the world might not be so lucky. Within the next two or three years, another 2 or 3 billion people will come online. This unprecedented expansion increases the scope for massive and synchronized cyberattacks, which could simultaneously target power companies, health-care networks, chemical plants, aviation systems, financial services, telecoms and even nuclear facilities.
According to recent studies, bringing down critical infrastructure nationwide for a period of hours, days, or even weeks is no longer considered a “Black Swan” event. It has now become the baseline scenario. The only question is when, and where.
Frank Umbach is Research Director of the European Centre for Energy and Resource Security (EUCERS) at King‘s College London and Associate Senior Fellow at the Centre for European Security Strategies (CESS).