The CIA announced today that there had been several successful hacks into city power grids by criminals trying to extort money out of the cities. When the cities refused, the hackers successfully caused multiple cities to go dark.
Upon hearing this, I was amazed by two things. The first was that the CIA would release this kind of information. Apparently the CIA carefully weighed their options and decided to declassify this information, according to CIA analyst Tom Donahue (from the Washington Post article). I can only guess why, but it probably has a great deal to do with lighting a fire under intransigent utilities and companies who don’t want to spend the money to upgrade their cybersecurity.
The second thing that amazed me was that it hasn’t happened more often, and that the U.S. thus far appears to be unaffected.
According to a related San Jose Mercury News article, cyberextortion like what’s been discussed here commonly goes after softer targets than the power company – banks, e-commerce vendors, and gambling outlets. Targeted companies tend to pay up in order to avoid being shut down and to keep their users from finding out that their security has been compromised. But with utilities rapidly moving to wireless-controlled water and power meters and Internet-equipped remote configuration systems, these kinds of threats will become more common.
In fact, I’ve written about how easy it is for the government to tap your voice and data communications because of the remote-configuration functionality of today’s telephony network. If a hacker were able to get access to the passwords and IP addresses for key network addresses and switches, the hacker could tap your voice and data communications almost as easily. And the same fundamental vulnerability exists in every remotely-configurable system run by any utility, be they water pumps or electricity transmission lines. This is an especially unpleasant problem when you consider that CIA analyst Tom Donahue indicated that the hacks were accomplished with inside help – no amount of cybersecurity can ever make a system secure from having a corrupted sysadmin screw with it. There is no such thing as perfect security.
The U.S. is truly unprepared for cyberterrorism. We’ve been lucky until now, although just how much is luck and how much is corporate victims of cybercrime paying off extortionists is something we may never know. I’ll leave you with this quote from the SJMN article:
During the past 10 years, electric utilities, pipelines, railroads and oil companies have used remotely controlled and monitored valves, switches and other mechanisms. This has resulted in substantial savings in manpower and other costs….
But to do that, the companies have installed wireless Internet connections to link the devices to central offices….
In addition, within the companies’ main offices, control equipment can be accessed from more computers than in the past.
The electric utility industry has also been adding software that allows more coordination among different parts of the electricity grid and will ultimately allow utilities and individuals to control devices remotely.