Potential Impact of Cyber Attacks on Critical Infrastructure

John S Kendall

Director of Public Sector and Security Programs

Unisys Asia-Pacific

© 2012 Unisys Corporation. All rights reserved.

Outline

What is all the fuss about?

What are the real threats?

Who is responsible for taking what actions?

Cyber Attacks on Critical Infrastructure


What is “critical infrastructure”?

The Australian, State and Territory governments define critical infrastructure as:

“Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.”

Source: Australian Government Critical Infrastructure Resilience Strategy


What is “critical infrastructure” for business?

• Physical facilities

• IT facilities

• Networks

• Services

• Assets

For which extended disruption or destruction would seriously impact or jeopardise

• Health

• Safety

• Security

• Economic well-being

• Effective functioning

of the business, employees, channel partners or customers


What is “critical infrastructure”?

Physical Infrastructure

• Power production/distribution

• Refineries and critical manufacturing

• Water supplies

• Transportation systems

• Communication networks

Cyber Infrastructure

• Internet

• Critical information systems

• Online business/financial services

Cyber-Physical Infrastructure

• Power production / distribution

• Refineries and critical manufacturing

• Water Supplies

• Transportation systems

• Communication networks

• Cars

• Airplanes

• Medical devices / systems

Physical Threats

• Armed attacks

• Bombs

• Sabotage

Cyber Threats

• Malware

• Denial of Service

• Data Breach


Impact of Critical Infrastructure Outages

Public Concerns

Source: Unisys Security Index Research 2012

Major impact from 2-day outage, by infrastructure:

• Electricity supply in your city/region: 84%

• Water supply in your city/region: 80%

• Banking systems such as ATM & EFTPOS: 60%

• Mobile phone network: 46%

• Internet: 46%

• Public transport network: 27%

• Major thoroughfare such as Sydney Harbour Bridge: 20%

• Capital city airport: 17%


Government Concerns

– National security

– National economy


Business Concerns

– Business Operations Impact

– Financial Impact

– Supply Chain Impact

– Business Reputation Impact


Cascade Effect

– Interconnectedness of systems creates risk of cascade effect. For example…

Extended power failure → Gas and oil pipeline outage → Petrol supply shortfall → Transportation / logistics shutdown → Exhaust just-in-time inventories for hospitals, manufacturers…


What are the threats to your infrastructure?

• Traditional Physical Threats

– Destruction / Damage / Disruption

– Natural disaster / Accidental / Deliberate

• Traditional Cyber Threats

– Accidental breaches

– External hacks

– Denial of Service

– Virus / worm infiltration

• Cyber-Physical Threats

– All of the above

– Often more susceptible to physical and cyber attacks than purely physical or purely cyber infrastructures


What makes Cyber-Physical systems so vulnerable?

• Tempting Target:

– Fragility of cyber-physical systems

– Ability to “strike from afar”

– Low “cost of entry”

• Inadequate security practices

– “Poor cousin” to both physical and cyber specialists

– Careless inattention to the basics (authentication practices)

– Lack of user security training

• Intentional interconnectedness → Unintended vulnerabilities

– Internet access for remote support/maintenance can be exploited by hackers

– Integration of systems across facilities, companies, locations – often using insecure networking protocols (e.g., MODBUS)

• Long system lifespans without modernising security mechanisms:

– Lack of upgrades may be due to limited memory / processor capability

– Original system supplier may no longer exist – so no ongoing support

– Need for continuous operations prevents system changes or upgrades


Evidence to support this fear

Chart: Reported Attacks on US Critical Infrastructure, by year (2010, 2011, 2012, 2013*)

* Projection based on 6 months data

Chart: US Critical Infrastructure Targets

• Energy 54%

• Critical Mfg 16%

• Transportation 5%

• Communications 5%

• InfoTech 4%

• Water 4%

• Govt Facilities 4%

• Nuclear 3%

• Commercial Facilities 3%

• Postal/Shipping 1%

• Public Health 1%

Source: US Dept of Homeland Security ICS-CERT


Evidence to support this fear: “Honeypot” test

“Honeypot” emulates several types of ICS/SCADA devices and mimics those that are commonly internet facing – with traditional vulnerabilities found across similar systems.

First attack occurred 18 hours after the honeypot was activated.

And over the next 28 days, attacks originated from the following countries:

• China, 35%

• US, 19%

• Laos, 12%

• UK, 8%

• Russia, 6%

• Brazil, 4%

• Netherlands, 2%

• Japan, 2%

• Poland, 2%

• Vietnam, 2%

• Palestinian Territory, 2%

• Chile, 2%

• Croatia, 2%

• North Korea, 2%

Source: Trend Micro Incorporated Research Paper “Who’s Really Attacking your ICS Equipment”, Author Kyle Wilhoit


Recent cyber attacks on Critical Infrastructure

Stuxnet Malware (2010-2012)

• Sophisticated attack on nuclear manufacturing facilities in Iran

• US/Israel malware exploits vulnerabilities in Microsoft Windows

Power Plant (2012)

• Plant shut down for three days after technician unknowingly inserts virus-infected USB disk

• US Dept of Homeland Security declines to share additional information

Water Supply (2011)

• Critical pump damaged by Russian hackers

• Cycled pump on/off until it burned out

Rail Network (2011)

• Hackers manipulated railway company computer systems

• Disrupted rail service – could have been much worse

Chemical Plant (2011)

• PoisonIvy malware infected systems at more than 48 chemical and defense companies

• Source of attack traced back to China


Who is responsible for fixing this?

• Government?

– Regulations / Legislations / Standards

– Information Sharing

– Research

• Suppliers of CPS systems?

– Address/fix security vulnerabilities

– Best practices for implementation

– Design enhanced security into new releases

• Organisations that implement and use CPS!!

– Primary responsibility!


What actions does my company need to take?

• Assume someone is actively attempting to infiltrate your systems (both information systems and cyber-physical systems)

• Identify vulnerabilities with security assessments of all systems

– Internet connections / VPN access

– Aging operating systems and applications

– “Auto run” settings for USB devices

– Poorly configured firewalls

– Inadequate access controls

• Include security as key design feature in new/updated systems

• Don’t work in isolation

– Government-Business Partnership: Trusted Information Sharing Network (TISN) and Critical Infrastructure Advisory Council (CIAG)

– Industry Segment User Groups

• Education/training

– Awareness of the threat and individual responsibilities


Thank you and Good Luck!

John S Kendall

Public Sector and Security Program Director, Asia-Pacific Region

Unisys Australia Pty Limited

Equinox 2, Level 1, 70 Kent Street, Deakin ACT 2600, Australia

Office: 1300 088 833

Direct: +61 2 6274 3571

Mobile: +61 424 152 034

Fax: +61 2 6274 3533