Security in Washington and across the United States is tightening this week, following a new video reportedly released by Islamic State specifically threatening an attack on the American capital similar to last week’s brutal killings in Paris.
Police presence at government buildings, mass transit systems, and other key locations has been noticeably stepped up in the past several days, and Washington city leaders are urging citizens to keep their eyes open to report any suspicious behavior.
But while security officials work to harden potential targets against any terrorist threats, a growing number of cybersecurity analysts are warning some of the most critical U.S. assets are all but unprotected: namely the nation’s millions of digital operational networks that control everything from water treatment to manufacturing to the electric grid.
Even more ominously, there are new indications the fastest growing cyberthreat is coming from hackers based in the Middle East, including regions known to be controlled by IS, and that unless something is done, the United States may soon face what some are calling a “cyber Pearl Harbor.”
Old, Outdated, and Vulnerable
U.S. electronic infrastructure is, “Generally speaking, exceptionally vulnerable” according to Barak Perelman, co-founder and CEO of the cybersecurity firm Indegy.
A graduate of Israel’s Talpiot military program for outstanding scientists, Perelman spent a decade serving in the Israeli Defense Force on military cyber defense, and now helps industry and governments protect against large-scale industrial disasters brought on by cyberattack.
Perelman says nearly everything industrial, from oil production and manufacturing to water treatment and power generation, is controlled by small digital devices that monitor and adjust industrial control equipment. These operational networks, or “OTs” as Perelman calls them, are built by engineers and are fundamentally different than the IT computer networks built by programmers that power our computers and the Internet.
He says most OTs are very old.
“This equipment has been in place for the last few decades and was not updated or upgraded. It was designed before security was even thought of or talked about, so practices like authentication, logging in with passwords, doesn’t even exist in many OT networks,” Perelman told VOA.
FILE – A specialist works at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, Sept. 9, 2014.
Sounding the alarm over OT vulnerability isn’t new. Speaking on cyberissues in 2012, then Secretary of Defense Leon Panetta told the Senate that “America faces the potential threat for another Pearl Harbor” and that “technologically, the capability to paralyze this country is there now.”
In 2014, NSA chief Adm. Michael Rogers said of a major cyberattack striking the United States that it’s only a matter of “when” we are going to see something dramatic.
The former head of U.S. Cyber Command, Gen. Keith Alexander, also warned of a “doomsday” scenario where U.S. transportation, manufacturing and the electric grid are paralyzed for weeks or months by cyber weapons, leaving tens of millions cold, hungry, and in the dark.
Perelman agrees it’s only a matter time before an adversary launches a potentially crippling strike on sensitive U.S. infrastructure. But he cautions investments aren’t being made to protect these systems. That’s because, in Perelman’s view, cybersecurity is heavily dominated by IT professionals who just don’t understand the more engineering-dominated OT world.
“We have to start now before something terrible happens,” Perelman warns. “Unfortunately we’re hearing from many facilities we’re talking to that they simply cannot get the budget or government support. It seems sometimes like everyone is just sitting and waiting for an attack before they do something, which is not the way to be.”
“Bad Actors” Attack the Grid
At a recent conference of industrial control systems engineers and cyber-specialists, Dewan Chowdhury of the cybersecurity firm MalCrawler presented findings of his recent experiment to measure just how vulnerable OT systems are. Chowdhury created something called a “honeypot,” a fake website designed to look like a modern electric utility, and monitored what happened.
What he found is that large nation-state attackers, likely China and Russia, routinely broke in and stole information from the fake site. But he reported hackers from the Middle East were actively trying to sabotage the system; even going as far as triggering what they thought to be accidents at nuclear facilities.
Joe Weiss was at that conference and says the results, while alarming, are not surprising.
“There are a lot of bad actors who are actively trying to attack these systems, and an awful lot of them are coming from the Middle East,” said Weiss, the managing partner at Applied Control Systems and longtime cyberanalyst of industrial control systems.
“Entities in the Middle East are actively trying to attack the control systems to cause real damage,” he said.
The U.S. national power grid is just one example, says Weiss. There are 3,200 operating U.S. power generators, each contributes power to one of three massive grids that link together to supply electricity to the entire country.
The interconnectedness of the grid, which allows for power to be delivered to wherever it’s needed, also means that failure in one spot can cascade across the grid, blanking out huge areas in seconds. Weiss says hacked OT systems could cause real physical damage, putting both infrastructure and lives at risk.
“The bottom line is industrial control systems are simply cyber vulnerable,” Weiss told VOA. “You’re talking about the entire industrial infrastructure. That’s electric, water, oil and gas, chemicals, manufacturing, transportation, nuclear plants, basically anything that uses systems to control a process. These systems aren’t secure, and they’re used in every industry.”
Weiss says he’s compiled a database of 750 incidents worldwide, including some in the United States, of control system cyberattacks. In 50 of those cases, the attacks resulted in the loss of life.
“Far and away, the vast majority of these attacks were never identified as cyber, which goes back to the fact that we don’t have cybersystem forensics or adequate control system cyber training,” he said. “This is happening and continuing to happen.”