In the movie Die Hard 4, villain Thomas Gabriel used hackers to gain control of transport grids and the stock market and later plunged much of the US and Canadian eastern seaboard into darkness after taking control of the gas distribution system and redirecting all of the gas toward a utility superstation in West Virginia, causing it to explode.
Fortunately, the renowned John McClane was on the job and, together with the computer hacker Matt Farrell, was able to destroy Gabriel and his men – rescuing McClane’s hostage daughter in the process.
When cyber-attacks on critical infrastructure happen in real life, however, we may not have an action hero on hand to save us. Moreover, threats of such attacks are real. During the Russian-Ukrainian conflict in 2015, for example, a targeted campaign by Russian hackers took down around 60 Ukrainian power stations and cut power to around 230,000 people.
In another incident, the Stuxnet computer worm, thought to have been constructed as a joint American-Israeli cyberweapon, caused severe damage to nuclear facilities in Iran. And of course, there was the WannaCry ransomware, which impacted around 45,000 users across 74 countries worldwide, including hospitals within the United Kingdom and universities within China.
Thus far, Australia has been spared major attacks. Nevertheless, one incident did occur on the Sunshine Coast back in 2000, when one million litres of untreated sewage was released into a stormwater drain, from where it flowed into waterways over a three-month period, due to cyber security breaches at Maroochy Water Services. Whilst initially thought to have been a problem with a new supervisory control and data acquisition (SCADA) system, it was later discovered that the problems were in fact a result of hacking activity perpetrated by contractor Vitek Boden, who was disgruntled after failing to secure full-time employment with the Maroochy Shire Council.
The bottom line is that Australia does face some risk from malicious cyber activity which could interfere with assets in areas such as power, water, telecommunications, transport and defence. Attackers could range from teens wanting to create mischief through to criminals, terrorists or rogue states pursuing activities such as extortion, disabling or interfering with critical facilities or even using those assets against us. Concern about network-connected driverless cars or drones being remotely taken over and used for malicious activity is growing.
Policy makers are acting. A 65-page National Cyber Security Strategy released by the government last year involved 29 action points to promote ‘best practice’ cyber security strategies, address cyber security skills shortages and lead a national cyber security partnership with business. Earlier this year, the government established the Critical Infrastructure Centre to provide a coordinated approach toward the security (physical and cyber) of Australia’s important capital assets.
Matthew Warren, a professor of cyber security at Deakin University, said vulnerabilities are evident across two areas. First, there are issues associated with legacy systems which are being used by a number of larger organisations, including those who provide critical infrastructure. According to Warren, many of the SCADA systems used to support the operation of machinery such as power systems were designed long ago, at a time when cyber security was not a major concern. Furthermore, much of the software to run these systems was purchased from companies that are no longer operating, and the software thus relies upon older systems such as Windows NT which are no longer supported, he says.
To overcome this, Warren says compensatory control measures are needed. These could include not having the system connected to the internet, disabling CD controls or denying the ability to do things such as add USB drives.
Also needed, he said, are proactive strategies regarding patch management. Whilst a security patch associated with WannaCry had been available since March, for example, many organisations had not put this in place and thus found themselves vulnerable when the crisis hit.
Warren said damage can be significant. In the case of power systems, for example, merely turning systems on and off without shutting down or booting up properly can cause significant damage.
Professor Jill Slay, director of the Australian Centre for Cyber Security at the University of NSW, says Australia’s exposure to infrastructure cyber-attack has increased since Maroochy – which she points out was an inside job – courtesy of a combination of engineering systems being increasingly connected to the internet and knowledge regarding methods of hacking into systems becoming more widely available.
“The answer to the question, ‘can our water and other systems be attacked?’ is yes,” Slay said. “So you might want to ask the question ‘has anything happened since 2001 positive or negative?’
“Well, let’s think about water systems or electricity systems for generation or transmission. When those systems were designed, they were not connected to the internet and many of those systems could be up to 40 years old when the internet did not exist and you had vendor specific protocols and only a specialised group of people knew how to work them.
“Since then, all those kinds of systems – especially when they have been renewed – have tended to be internet connected so that an engineering company can get billing data and they can connect their engineering systems to their corporate networks using the same kind of protocol TCP/IP as you would with just your corporate network and your own applications. So what we’ve done is that we have actually made our engineering systems vulnerable by connecting them to the internet.
“At the same time, we have also had a new generation of hackers come along – whether they are bored 15-year-olds or criminals or nation states. They have a better understanding of the existence of these engineering systems and how they might be attacked.”
“If we were hackers, we could actually go out to the internet and find out how to hack into the engineering systems. Information which was special to engineers and technicians is now freely available on the internet.”
Professor Greg Austin, a peer of Slay at the Australian Centre for Cyber Security, said the likelihood of a significant attack on infrastructure in Australia remains low. The most significant risk of attack, he said, occurs where countries are at war, such as in the Ukraine case.
Nevertheless, he said the consequences of any attack, particularly for the individual organisation in question, could be significant, and the prospect of an attack from, say, terrorists disrupting critical infrastructure for several days is one which cannot be ignored. A determined cyber-attacker, he said, is able to disrupt most systems across the world where there is a microprocessor and relatively weak defence systems. Our status as a technologically advanced country, he said, does not mean we are invulnerable.
Opinions differ about how well Australia is doing in terms of managing the risk in this area. On one hand, Warren says Australia has adopted a proactive stance in this area. Citing the national policy released last year and the new centre referred to above, Warren said Australian governments have been on the ball since the turn of the century. When the WannaCry attack hit, he notes, the Prime Minister and his advisors were on the front foot giving out advice about what needed to be done.
Austin disagrees, saying Australia has been managing cyber security and ICT security more broadly on a ‘wing and a prayer.’ In the blackouts in South Australia, he said, people in responsible positions failed to understand basic relationships and dependencies between critical pieces of ICT infrastructure. Likewise, internationally, the debacle which saw a major IT failure bring down the networks of British Airways indicates the company did not have plans in place for something as straightforward as a power outage. The failure created devastating impacts around the world and for the company’s reputation, despite not in fact being a cyber attack at all. Given weaknesses in ICT security management in general, he said, it is difficult to argue that we are doing well at managing our cyber security.
Going forward, Warren would like to see greater efforts at patch management, whilst Austin talks of the need to adopt mature cyber security standards and a better appreciation of the impact of one set of technologies upon other technologies.
Slay, meanwhile, would like greater levels of education for engineers (especially civil and electrical engineers) about areas where control systems are vulnerable and thus where systems which are to be built or operated are vulnerable. Attacks, she adds, may not necessarily result from cyber hacking but rather from less sophisticated means such as phishing or even getting physically hired within a company and watching other staff as they type passwords.
Throughout Australia, the likelihood of cyber-attacks upon critical infrastructure is not high.
Nevertheless, it could happen and we must pursue a strategic response to the threat.