Ten years ago, the consequences of a cyber attack were relatively straightforward. Attacks targeted information systems, and their impact was immediate and noticeable. While the damage from data loss, service interruption, and brand embarrassment was significant, most attacks were contained within the information sector. Risk management was therefore also considered the responsibility of the information technology sector.
Today, however, the effects of an attack are much more unpredictable and far-reaching. A cyber invasion now poses a physical threat that can cause real damage to infrastructure, software and content. A security breach can do more than shut down services and information flow; it can irreversibly damage a corporation’s assets and cause real harm to physical and human capital.
And yet, many companies manage risk using the tools of the past. Policy creation, threat response and risk assessment often operate as separate functions with no central knowledge base. When a new threat is detected, the response may be quick and effective. But unless controls and prevention strategies are incorporated at the policy level, future attacks of a similar nature will be handled in the same responsive, rather than preventative, mode. Controls in one function may be unknowingly duplicated or invalidated in another. Without an integrated approach, different sectors within an enterprise may be unequally prepared for the same threat.
This segregated solution to risk management was sufficient when information was the primary target of the threat. But now that threats can invade all aspects of an enterprise, a more integrated approach is needed. An effective response to a new threat should translate immediately into new enterprise-wide policies and controls, which are in turn quickly assessed and tested for compliance. Successful risk management requires that all sectors communicate fluidly to achieve equal levels of risk maturity. Only then will the enterprise be able to proactively prevent new and future threats.
The physical nature of today’s threats
Changing technology has endangered systems that were once secure. Public utilities, including electrical grids, water supply and sewage systems, are one example. The earliest machines powering these systems were designed to be controlled by hand, with human operators assigned to every level of the system. As technology improved, utility companies developed proprietary networks that enabled remote operation and monitoring. Today, nearly all utilities are controlled remotely using Supervisory Control and Data Acquisition systems (SCADA). But rather than using proprietary networks, SCADA systems are now connected to the cloud, making them vulnerable to attack.
In 2006, engineers at Idaho National Labs conducted a study, exploiting a security breach to invade SCADA and control a generator. By adjusting the controls remotely, the attack caused the motor to rotate faster and overheat, destroying the generator. The study demonstrated how improving technology and efficiency, when accomplished without the oversight of a systemic risk assessment, can come at the expense of security. As other systems work to improve efficiency by connecting to the cloud, they become similarly vulnerable.
Nor is the risk merely theoretical. In 2000, a recently fired employee of the Maroochy Water Services in Brisbane, Australia accessed the water company’s SCADA system. Over a period of three months, the disgruntled employee changed pump configurations and reverse pumped sewage into area parks and neighborhoods before he was caught and imprisoned.
Similar ongoing attacks may be occurring today unchecked. In March 2013, threat researcher Kyle Wilhoit published his results from a 28-day study using fake SCADA servers. The servers, designed to imitate controls for a water-pressure station, functioned as decoys for online attacks. In 28 days, Wilhoit detected 39 attacks on the servers, many of which successfully modified settings such as pump output and water temperature. In systems with low security and few controls for detecting cyber invasion, such attacks may be blamed on normal variables like aging infrastructure. Until SCADA systems assess their risk and vulnerabilities at the enterprise level, such undetected attacks can continue.
If the physical danger from these threats were confined to public utilities, that risk would be significant enough. But many other types of systems are vulnerable to attacks. In June 2010, a worm was discovered targeting the SCADA systems that control centrifuges in uranium enrichment facilities in Iran. The Stuxnet worm caused the centrifuge motors to change speeds, overheating them and damaging or destroying many of the machines and reducing uranium output by 30%. Any system using remote management could be vulnerable to a similar attack.
Invade yesterday, attack tomorrow
The far-reaching impact of newer threats isn’t the only reason why a systems-wide approach to risk management is necessary. Virtual attacks today are forward thinking. A virus can be designed to lie dormant for months or years until a signal triggers it, enabling its destructive capabilities. The sophisticated nature of such an attack means that an invasion that infiltrated a system three years ago could be preparing to attack tomorrow.
Stuxnet was just such a worm. Its design enabled it to control not just the centrifuges it was meant to destroy but also the control panels that should have given warning about the damage it was creating. It gave false feedback to the panels, misleading operators to believe the centrifuges were functioning correctly even as they destroyed themselves. Dates in the code indicate that the Stuxnet worm may have been deployed as early as 2007, but its effects were so well hidden that its existence wasn’t discovered until three years later.
A process-level approach to risk does little to protect against this kind of long-term threat. Preventing an invasion by new software does nothing to protect against threats that may have been hidden in a system for years. Stopping this threat requires an enterprise-level assessment to see where vulnerabilities lie. An effective approach will be systemic, reaching back to assess threats that could have been planted in the past and are waiting for the opportunity to attack.
Today’s threats are powerful and evolving. They can cause serious damage to infrastructure and operational capacity, both immediately and in the long term. Changes in technology, particularly the ever-increasing importance of the cloud for efficient systems management, have raised exposure to risk in many sectors, but risk management has not kept pace. Protection against new attacks requires a robust, evolving system of enterprise risk management that is prepared to address the threats of today and tomorrow.