Speaking on Fox News on January 13, cyber-security expert Morgan Wright of the Center for Digital Government is at risk for a cyber-attack on its electrical grid similar to the one that occurred on December 23 in Ukraine when at least 100,000 people in and the city of Ivano-Frankivsk were left without power for six hours. Ukraine immediately accused Russia of launching the covert assault on its national energy grid. Wright said that he understands that the cyber-attack took place when an emailed document was opened on a computer connected to the grid, unleashing a malware program that silently shut down power throughout the region affected. Power to telephones was also lost in the “BlackEnergy” attack, said Wright, making it impossible for customers to call in the outage.
Reports released by the SANS Industrial Control Systems team and the Industrial Control Systems Cyber Emergency Response Team confirmed a cyber-attack as the culprit and dubbed it one of the very first significant and publicly reported cyberattacks on civil infrastructure.
[Image: Nuclear power plant control room]
Similar malware, such as Stuxnet, was used to destroy equipment in Iran’s nuclear program, prompting some to theorize government sources for its origin. Assigning responsibility for the attack has proven difficult. While the Ukrainian Security Service and media have blamed Russia, the Russians themselves have remained button-lipped.
BlackEnergy malware appears to have gained entry to Ukraine’s electric grid. It has been used in the past for distributed denial-of-service (DDoS) attacks, cybercrime, information theft and global infection of industrial control systems. It has also been used in attacks focused on Ukraine and Poland, which border Russia and have long had poor relations with it. According to Phys.com, “BlackEnergy is seen as the calling card of the Sandworm hacking group, which has been linked to the Russian state.”
In other countries, such as the United States, governments have become more aware of the threat posed to national infrastructure, including the electric grid, nuclear power plants, transportation networks, and the distribution of gas and water. Industrial controls in factories using robots are also under threat, as are devices used in the health industry such as heart and lung monitors in hospitals. These systems were designed and built in the pre-internet era and thus may not have built-in safeguards. The organizations and personnel in these systems may not be trained or prepared to adequately respond to dangerous cyber-attacks.
Phys.com warned, “To cloud the picture still further is the rapid progress towards an Internet of Things, where physical objects of all types are connected to, and controlled over, the internet. This will underpin the next generation of industrial systems, but will also be common throughout government, business and the home. If we do not learn the lessons of Ukraine and think deeply about the potential threats, there is a very real prospect of major economic and social damage. We must look hard at what is coming and prepare for the worst.”
In an opinion column, analyst Wright deplored the lack of focus on cybersecurity. He noted the hack of the Office of Personnel Management in 2015, which suffered the greatest breach of cyber-security ever. He wrote, “More than 21 million records containing highly sensitive personal information used to grant security clearances were compromised, and the technology was so old the major systems holding the sensitive files were not able to use encryption to protect the data.” Noting that the Muslim terror attacks in Paris and San Bernardino, California, were both accomplished with encrypted communications, Wright said that U.S. law enforcement has been frustrated by advanced encryption. Besides the OPM hack, the White House, the Internal Revenue Service and the State Department have all been hacked.
He said, “Our critical infrastructure is aging so fast, the chances of a catastrophic failure or attack are probably equal. We need look no further than Germany for a recent example of the potential consequences from an attack.” Wright described a 2014 report by Germany’s Federal Office for Information Security that showed that attackers gained access to a steel mill belonging to ThyssenKrupp, disrupting critical control systems so that a blast furnace could not be properly shut down, resulting in massive damage.
Wright also wrote about the specific technique used by hostile hackers to control systems: “Spear phishing is the use of email created by bad actors that impersonate a known company or individual that a user trusts. The user is duped into taking an action that results in the compromise of the targeted system. When’s the last time you heard a candidate talk about the need for training, technology and vigilance against spear phishing attacks? Exactly.”
Wright then noted that the only current presidential candidate with a cyber-security policy on his website is Jeb Bush.