The news cycle’s focus on whether foreign powers hijacked the U.S. election obscures a potentially greater threat to the country: can a foreign power launch a cyber attack that could shut down the domestic electrical power grid or some other infrastructure that is essential to the nation’s daily well-being?
The feasibility of a cyber attack on a power grid is no longer limited to the realm of fiction. In late 2015, the Ukraine’s power grid experienced a cyber attack that shut down that country’s electrical service for six hours. A subsequent analysis of this attack concluded that it had been planned for months and was implemented by a highly skilled group of hacking operatives. A broader global survey of power and electrical companies also revealed that more than 40 percent of those companies had no facilities to detect an attack.
Power grids are not the only infrastructure targets in the hacking community’s cross-hairs. In late 2016, San Francisco’s public transit system was hit by a ransomware attack that gave commuters free rides pending payment of a bitcoin ransom demanded by the attackers. Verizon reported that earlier in 2016, hackers accessed the control system at an unidentified water treatment plant and briefly took control over the system’s water flow and chemical treatment functions. Another report published in 2016 suggested that the nation’s 911 emergency response system was extremely vulnerable to a telephone denial of service attack, in which thousands of phones could be hijacked to flood emergency centres with calls.
Understanding the hackers’ motivation is one step toward defending against infrastructure cyber attacks. That motivation typically reduces to money, ideology, or vindictiveness. State-sponsored hacking of another country’s infrastructure is more likely to be driven by ideology than is a cyberattack on a private business’s network and computing systems. Nonetheless, to the extent that hackers perceive an infrastructure target to be a potential source for a large monetary payment, a financial motivation for an infrastructure attack cannot be ruled out.
Understanding infrastructure vulnerabilities are the second step. Electricity and other power systems are generally connected to the supervisory control and data acquisition and industrial control system (SCADA/ICS) solutions that collect and analyze data and that allow technicians to control infrastructure grid equipment. Devices on an SCADA/ICS are configured differently than conventional business servers, but those differences expose them to unique cyber risks that businesses might not face. For example, their authentication and encryption routines may be limited, and their password protection may be weak. Addressing these vulnerabilities will add another layer of cyber protection to infrastructure systems.
A successful cyber attack that shuts down any part of the nation’s infrastructure can have cascading consequences on private businesses. Those businesses themselves may become cyber attack targets through an infrastructure attack, in which event they could suffer substantial direct and third-party financial liabilities from the attack. A cyber attack that assumed control over a critical piece of manufacturing equipment, for example, can cripple or permanently disable that equipment. If the attack leads to theft of private customer information, a business might face regulatory fines and lawsuits over that theft.
The best cyber security solutions against infrastructure attacks will include robust technology defences against the attacks and cyber insurance to compensate a business and its customer from financial losses stemming from the attacks. Private businesses will have limited control over the recovery of any infrastructure that is affected by a cyberattack but will have better control over their own exposure and prospective liabilities. Cybersecurity protocol that includes having a cyber insurance plan is an optimum tool to help reimburse a business for its losses that flow from a cyber attack. Hackers will stop at nothing to get to your data, protect it.