In-brief: A crippling cyber attack that could damage and destroy equipment needed to keep the lights on in major US cities is already possible. The only thing that’s lacking is a motive to carry out such an attack, according to our guest on this week’s podcast: Joe Weiss, a Managing Partner at Applied Control Solutions, LLC and a persistent, if lonely, voice calling for an overhaul of cyber security for the U.S. electric grid.
Warnings about hackers and nation state actors making incursions into the U.S. electrical grid and other critical infrastructure aren’t new. In fact, there has been a steady drum beat of them for years. But that drum beat has become more steady in recent weeks, as the pace of incursions into U.S. critical infrastructure appears to have quickened. In April, the National Cybersecurity and Communications Integration Center (NCCIC) warned of an emerging sophisticated campaign, dating back to at least May 2016, targeting a range of critical infrastructure sectors including Energy, Healthcare and Public Health and Critical Manufacturing firms. And just last week, the Department of Homeland Security and FBI warned energy companies about spear phishing attacks designed to steal sensitive credentials. That was followed by reports that named a number of facilities as targets, including the Wolf Creek nuclear facility in Kansas.
Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.
So what (if anything) is new or different with the latest reports? And is an attack that takes out part or all of the U.S. electrical grid a real possibility, or just more FUD – fear uncertainty and doubt?
To help sort it all out, The Security Ledger reached out to Joe Weiss, a noted authority on the security of industrial control systems and Managing Partner at Applied Control Solutions, LLC. Joe spent 14 years as a program manager at the Electric Power Research Institute (or EPRI) and has more than 35years experience in industrial instrumentation controls, and automation. He is the author of Protecting Industrial Control Systems from Electronic Threats and has been a persistent if sometimes lonely voice urging reforms.
The news isn’t encouraging. When it comes to attacks on the grid and other critical infrastructure, the question isn’t means but motive, Weiss said. Foreign adversaries have already placed destructive malware on systems that control parts of the electrical grid. That means an attack that could shut out the lights for weeks or even months is already possible. The question, instead, is who would want to carry out such an attack and why – especially since the U.S. has indicated that such an incident would be considered an act of War.
Check our full conversation in our latest Security Ledger podcast or over at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.