The CIA announced today that there had been several successful hacks into city power grids by criminals trying to extort money out of the city. When the city(ies) refused, the hackers successfully caused multiple cities to go dark.
Upon hearing this, I was amazed about two things. The first was that the CIA would release this kind of information. Apparently the CIA carefully weighed their options and decided to declassify this information, according to CIA analyst Tom Donahue (from the Washington Post article). I can only guess why, but it probably has a great deal to do with lighting a fire under intransigent utilities and companies who don’t want to spend the money to upgrade their cybersecurity.
The second thing that amazed me was that it hasn’t happened more often, and that the U.S. thus far appears to be unaffected.
According to a related San Jose Mercury News article, cyberextortion like what’s been discussed here commonly targets softer targets than the power company – banks, e-commerce vendors, and gambling outlets. And targeted companies tend to pay up in order to avoid being shut down and to keep their users from finding out that their security has been compromised. But with utilities rapidly moving to wireless-controlled water and power meters and Internet-equipped remote configuration systems, these kinds of threats will become more common.
In fact, I’ve written about how easy it is for the government to tap your voice and data communications because of the remote-configuration functionality of today’s telephony network. If a hacker were able to get access to the passwords and IP addresses for key network addresses and switches, the hacker could tap your voice and data communications almost as easily. And the same fundamental vulnerability exists in every remotely-configurable system run by any utility, be they water pumps or electricity transmission lines. This is an especially unpleasant problem when you consider that CIA analyst Tom Donahue indicated that the hacks were accomplished with inside help – no amount of cybersecurity can ever make a system secure from having a corrupted sysadmin screw with it. There is no such thing as perfect security.
The U.S. is truly unprepared for cyberterrorism. We’ve been lucky until now, although just how much is luck and how much is corporate victims of cybercrime paying off extortionists is something we may never know. I’ll leave you with this quote from the SJMN article:
During the past 10 years, electric utilities, pipelines, railroads and oil companies have used remotely controlled and monitored valves, switches and other mechanisms. This has resulted in substantial savings in man power and other costs….
But to do that, the companies have installed wireless Internet connections to link the devices to central offices….
In addition, within the companies’ main offices, control equipment can be accessed from more computers than in the past.
The electric utility industry has also been adding software that allows more coordination among different parts of the electricity grid and will ultimately allow utilities and individuals to control devices remotely.
Of course, people like Win Treese have been screaming about this and other Information Warfare threats for over a decade. So when it happens (especially in light of this revelation) we’ll have no Katrina-esque “we didn’t know it could happen” bullshit.
I wonder if the CIA has been pushing for stronger measures and they’ve been stonewalled by other entities. That would explain why they released this info.
According to the San Jose Mercury News article (which, though it says it’s from the WaPo, is twice as long as the WaPo “original” – methinks the WaPo editors snipped too much), security experts think that the CIA did this to light a fire under companies who aren’t moving fast enough to secure their networks.
It wouldn’t surprise me to see the CIA take this route–they’ve been so marginalized in the Bush regime, thanks to their fetish for militarizing intelligence. We’ve seen how well that worked out.
Same with nuclear terrorism. There’s no fail-safe defense except not having an adversarial relationship with so much of the world.
The only way to stop terrorism in general, especially if the terrorist is willing to die to kill you, is to convince the terrorist that they don’t want to die. And fundamentally that’s a cultural and social and economic issue, not a “security” issue.
It’s precisely that type of soft power that the current President and his GOP are terrible at fostering.
Pharming, or redirecting DNS IP addresses from legit sites to bogus phishing sites, has just hit individual people and ISPs instead of the actual DNS processors – in Mexico. But if it works there, it won’t be long before it hits the rest of the world too.
News from CNet
This is not a good thing.