Hurricane Sandy’s recent havoc in Northeast USA highlighted the impact of key infrastructure outages such as power failures, disrupted water supply and mobile phone towers being taken down. Is there a lesson to be learned in taking a wider view of national security? Definitely, says John Kendall, Security Program Director for Unisys Asia Pacific. Natural disasters, from floods and bushfires through to earthquakes and hurricanes, constantly remind us that critical infrastructure can fall over.
But what if those vulnerabilities were intentionally targeted?
Traditionally, we are used to dealing with unintentional outages of these services, such as those caused by a natural disaster. However, critical infrastructure may also be viewed as a ‘soft target’ by those who wish to inflict major disruptions. And this is not a new threat: in 2003 the case against the first person to be found guilty of planning for a terrorist attack in Australia included plans to bomb part of the national electricity supply system.
Failure in one area of infrastructure can mean outages in others, creating a domino effect. For example, in March 2009, a power outage in Sydney city centre forced the closure of both the Sydney Harbour Tunnel and the Eastern Distributor toll roads, disrupting traffic during peak hour.
According to Alexis Kwasinski, an assistant professor of electrical engineering at the University of Texas, power outages were the biggest problem in disasters such as Hurricane Sandy because they have ripple effects on other utilities, particularly telecommunications. Street lights, mobile phone towers and curbside telecom cabinets are all dependent on grid power. This highlights the potential impact if such essential services were to be targeted by terrorist attacks, and underscores the need for government and commercial organisations to cooperate on the development and execution of holistic strategies to protect critical infrastructure.
Even more worrying, the increased dependence of critical infrastructure on IT systems, and the interconnectedness of those systems, means that critical infrastructure is increasingly vulnerable to malicious cyber attacks aimed at disrupting a whole city, state or nation.
In fact, the World Economic Forum’s Global Risk Report 2012 ranks cyber attacks as the fourth top global risk in terms of likelihood. The report notes that cyber attacks, a massive incident of data fraud or theft, or an incident of massive digital misinformation could all lead to critical systems failure and eventual global governance failure. It says that hyperconnectivity is a reality: with over five billion mobile phones coupled with internet connectivity and cloud-based applications, daily life is more vulnerable to cyber threats and digital disruptions.
The report highlights the vulnerabilities created by this hyperconnectivity: the critical infrastructure that underpins our daily lives increasingly depends on hyperconnected online systems. While significant resources have historically been needed to cause devastating consequences for geopolitical or corporate powers, it is increasingly possible for skilled individuals to do so remotely and anonymously through networked computer systems.
The report found that critical systems failure was rated as the ‘Centre of Gravity’ in the technological category of risks. Respondents considered the risk that a single vulnerability could trigger cascading failures of critical infrastructures and networks as having relatively low likelihood but high impact.
As a result, the potential impact of cyber attacks on critical infrastructure should no longer be seen as an IT issue impacting the utility provider, but rather recognised as a national security concern.
The US Homeland Security Secretary, Janet Napolitano, said that the ravages of Hurricane Sandy on the Northeast’s infrastructure gave an idea of what a cyber-attack on utilities could cause.
“If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities,” she said at a cyber-security conference following the hurricane.
US Defense Secretary, Leon Panetta, points out that such risks could paralyse and shock the nation. He said, “Terrorist-technology experts could bring down the power and transportation systems, financial networks, and the government itself”. He went as far as to warn that cyber attacks might even accompany a physical attack on the United States.
This is not a hypothetical issue: there are several examples of key utilities being targeted by cyber attacks.
Telvent Canada, a company whose software and services are used to remotely administer and monitor large sections of the energy industry, said that in September 2012 its internal firewall and security systems had been breached to steal files and install malicious software.
In another example, the US Department of Homeland Security issued an alert regarding attacks by an unknown group of hackers that had targeted the nation’s natural gas pipelines over a six-month period. It is reportedly unknown if the attacks were an attempt to gain intelligence about the US gas pipeline system or if the attacks were intended to damage the system itself.
According to research by McAfee, “In the Dark: Crucial Industries Confront Cyberattacks”, cyber attacks on critical utilities systems have nearly doubled since 2009. It found that 80 per cent of the water, gas and energy firms surveyed globally reported that hackers had compromised their security systems within the last year. It also found that nine out of ten Australian respondents believe their respective sectors were not at all or not very prepared for stealthy infiltration.
Which Critical Services Are We Most Reliant On?
New research by Unisys into the perceived impact of critical infrastructure outages on the Australian public has revealed a higher reliance on basic services such as electricity supply, water supply and banking financial systems, than on mobile phone networks, the internet or transport systems.
The overwhelming majority of more than 1,200 Australians surveyed by Unisys said a two-day power or water outage would have a major impact on their lives, nearly twice as many as those who said a mobile phone network or internet failure would have a similar impact. Respondents were more than three times more likely to say that a water or power outage would have a major impact on their lives than a public transport or capital city airport disruption.
Unlike an attack on one physical asset or organisation, an attack on critical infrastructure directly impacts many organisations and individuals, creating a ripple effect through the community, as well as businesses and the Australian economy, potentially with long-term ramifications.
Following Hurricane Sandy, people queued to use payphones as they had either lost mobile phone coverage or had run out of battery power because there was nowhere to charge their phones in neighbourhoods that had lost commercial power. In today’s connected world, imagine the impact that such an outage would have on our ability to conduct business.
The poll follows the Unisys Security Index research conducted in 2011 that found widespread concern amongst the Australian public about the vulnerability of critical infrastructure to attacks, with four in ten Australians rating a broad range of national assets including the internet, large gatherings of people, vital physical infrastructure such as bridges, railways and power plants, and public transport as being extremely or very vulnerable to a malicious or terrorist attack. Almost half of the respondents (48 per cent) regarded airports and airplanes as extremely or very vulnerable.
Community awareness of the issues is a key factor in gaining community support for the security measures that are required to secure critical infrastructure.
Business And Economic Impact
The Unisys survey also measured the impact of outages on individual Australians, but it is logical to expect the ranking of outages having the most impact on business would vary according to specific business sectors.
While outages can create annoying disruptions in our everyday lives, in the business world they can mean monetary loss, which can ultimately impact the wider economy, not just in Australia but globally through our financial and trade networks.
For example, a study of the economic impact of a massive power blackout in the Northeastern United States and Canada on 14-15 August 2003 estimated that the total cost to customers was US$79 billion, with the majority of the cost borne by commercial (72 per cent – $57 billion) and industrial (26 per cent – $20 billion) customers.
Stephen Cartwright, CEO of the NSW Business Chamber predicts that industry sectors will place a higher priority on which services they believe are essential: “Electricity, of course, would be the first priority for any enterprise. However, following that, priorities would diverge depending on the business. A restaurant or cafe would likely prioritise water; retailers would prioritise banking; employers in the central business district would consider public transport disruptions a major problem; and financial services would likely consider internet and phone access to be high on the list.”
While financial services may be disrupted as a flow-on effect from power or telecommunications outages, they may also be directly targeted. Where previously cyber-attacks may have been more focussed on obtaining customer data or committing financial fraud, now such attacks may be designed to disrupt the ability of customers, both personal and business, to conduct necessary transactions.
In September 2012 it was reported that a shadowy, but well organised, hacker group had disrupted the electronic banking operations of America’s largest financial institutions, highlighting the vulnerability to online terrorism. A group identifying itself as Izz ad-Din al-Qassam Cyber Fighters attacked the websites of Wells Fargo, US Bancorp and Bank of America. The strikes left customers temporarily unable to see their accounts, mortgages and other services.
When it comes to protecting critical infrastructure, the lines have blurred between cyber security and traditional physical security.
Also, it is clear that the individual critical service providers and the government have a joint responsibility to work together to protect the greater issue of national security. Whether self-regulated or mandated, because of the wide-reaching ‘ripple effect’ we need to be sure that utilities, banks and telecommunications providers are taking appropriate steps to protect their service delivery from cyber-attack. Similarly, governments need to provide the support, guidance and incentives to ensure these organisations are able to protect their services from attack, as part of a national cyber security strategy.
A holistic view of security – threats, vulnerabilities, consequences and countermeasures – is required. There are numerous stakeholders who play a role in securing our critical infrastructure – including government, commercial organisations, State and Federal police and more. To better protect our critical infrastructures, these stakeholders must develop a culture of information sharing beyond what exists today. Fundamentally, we need to start by creating a broader definition of national security than what we have at