Jim Lewis is a Senior Vice President at the Center for Strategic and International Studies (CSIS). He wrote the article “Dismissing Cyber Catastrophe,” dated August 17, 2020 (https://www.csis.org/analysis/dismissing-cyber-catastrophe). In it, Jim argues that concerns about industrial cyber security are overblown and that the risk is exaggerated. Because the view that ‘cyber catastrophes’ are imaginary has gained some currency, it is worth pointing out that cyber incidents affecting control systems have already occurred with catastrophic consequences, and that the control systems and networks operating the critical infrastructures have been, and continue to be, targeted. Moreover, control system cyberattack tools are publicly available, and malware and hardware implants have already been installed in the US grid. I offer the following examples as a contribution to this discussion, taking Jim’s claims in turn.
Cyber catastrophes are still merely speculative, not real
Claim: According to Jim, a cyber catastrophe captures our imagination, but as analysis, it remains entirely imaginary and is of dubious value as a basis for policy making. There has never been a catastrophic cyberattack.
My response: The Maroochy Shire wastewater cyberattack in 2000 (Queensland, Australia) dumped more than 750,000 liters of raw sewage. In 2010, Stuxnet damaged more than 1,000 centrifuges and may have delayed a shooting war. The Russian Triton cyberattack against a petrochemical plant in Saudi Arabia was not successful, but not for lack of trying: it targeted the plant’s safety instrumented system, the equipment whose sole purpose is to prevent explosions and loss of life, and was meant to blow the plant up and kill people. The two Russian take-downs of portions of the Ukrainian distribution grid, in December 2015 and December 2016, demonstrate catastrophe-capable cyberattacks on critical infrastructure.
Claim: No one has ever died from a cyberattack, and only a handful of these attacks have produced physical damage.
My response: Control system cyber incidents have caused more than 1,500 deaths and more than $70 billion in direct damage to date. Most of these incidents were unintentional, but some were malicious. Moreover, a sophisticated attacker can make a cyberattack look like an equipment malfunction, and there is currently no cyber security training for control system engineers, so they are not equipped to tell the difference. Stuxnet caused significant physical damage but was not recognized as a cyberattack for more than a year. The Maroochy Shire cyberattack caused extensive environmental damage. The 2011 Wenzhou high-speed (bullet) train collision in China was a malicious cyberattack on the signaling system; it killed 40, injured more than 190, and had a significant impact on the development of high-speed rail in China. There have also been many catastrophic failures that destroyed equipment and killed people and that were caused or exacerbated by electronic communications from instrumentation and control systems, among them the 2005 Texas City refinery explosion, the 1999 Olympic Pipeline Company gasoline pipeline rupture in Bellingham, WA, the 2010 San Bruno natural gas pipeline rupture, and the 2008 Florida outage. Any of these incidents could have been caused maliciously, but without appropriate control system cyber forensics it is not possible to tell whether they were.
Cyber catastrophes are difficult to the point of practical impossibility
Claim: With man-made actions a catastrophe is harder to produce than it may seem; and for cyberattacks, a catastrophe requires organizational and technical skills most actors still do not possess. To achieve mass effect, either a few central targets (like an electrical grid) need to be hit or multiple targets would have to be hit simultaneously (as is the case with urban water systems), something that is itself an operational challenge.
My response: The Aurora vulnerability mechanism (opening and reclosing a breaker out of phase to damage the rotating equipment behind it) is known to most electrical engineers. Because it is not malware, exploiting it requires no additional cyber expertise. Even though the national grid cannot be taken down from a single point of failure, there can be significant regional impacts, and targeting several key substations can lead to widespread impacts. Nor does the attack need to be simultaneous to have mass effect: the damage is the same whether targets are hit at once or in sequence. A staggered campaign has additional consequences of its own. Not knowing when the next attack is coming adds fear, and it can preclude mutual aid, since a utility will not lend its crews if it does not know whether it will be next.
Claim: At water treatment plants, the chemicals used to purify water are controlled in ways that make mass releases difficult. In any case, it would take a massive amount of chemicals to poison large rivers or lakes, more than most companies keep on hand, and any release would quickly be diluted.
My response: There is a lesson to be learned from an industrial accident that was not a cyber incident but could have been. Following the 2014 leak of coal-cleaning chemicals into the river outside Charleston, WV, the contamination left about 300,000 people without usable water for more than a week, not even for bathing or cooking; all water had to be trucked in. Dilution is not the solution. More recently, on April 24, 2020, the Iranian government initiated a campaign of cyberattacks, routed through U.S. and European servers, to overload chlorine into Israel’s agricultural irrigation systems. Israeli defenses thwarted these attacks, but we should not assume that every nation’s cyber defenses are as capable. The event demonstrated an Iranian attempt to poison crop production, and perhaps worse.
Claim: They are harder to damage through cyberattack than they look, given the growing (albeit incomplete) attention to cybersecurity; and experience shows that people compensate for damage and quickly repair or rebuild.
My response: This is true when there is no equipment damage, as was the case with the 2003 Northeast blackout. It is not true when long-lead equipment such as transformers, generators, or large motors is damaged or destroyed; such equipment can take months or longer to replace. I also question whether there actually is growing attention to control system (as opposed to OT network) cyber security, as can be seen from the responses to the DOE Request for Information issued under Presidential Executive Order 13920.
Only nation states are realistically capable of inducing a cyber catastrophe, and they’re not likely to do so
Claim: According to Jim, non-state actors and most states lack the capability to launch attacks that cause physical damage at any level, much less a catastrophe.
My response: That may have been true ten years ago; it is certainly not true today. I wanted to have Dillon Beresford speak at my conference about 10 years ago, as he was able to hack a Siemens PLC in a manner similar to Stuxnet. The key point was that two months earlier he had never worked on a PLC. In fact, DHS kept him from speaking at a local conference because of his findings. Black Hat and DEF CON have multiple tracks and demonstrations of hacking OT networks, as do many other conferences.
Claim: There is enough uncertainty among potential attackers about the United States’ ability to attribute that they are unwilling to risk massive retaliation in response to a catastrophic attack. (They are perfectly willing to take the risk of attribution for espionage and coercive cyber actions.)
My response: Control system cyber forensics are minimal below the Internet Protocol (IP) layer, that is, at the serial, fieldbus and sensor level where physical effects actually originate. Consequently, attribution may not be possible for all cyber-physical attacks, and the deterrent Jim relies on may not exist.
Claim: States use cyber operations primarily for espionage and political coercion. Their goal is to stay below the “use-of-force” threshold and undertake damaging cyber actions against the United States, not start a war.
My response: Presidential Executive Order 13920 was issued May 1, 2020 in response to the Chinese installing hardware backdoors in large electric transformers to cause damage. It is unclear how many devices used in US critical applications have these backdoors, although there are more than 200 large Chinese-made transformers in the US electric grid. The Russians installed BlackEnergy malware in our electric grids in 2014; the findings were presented at the 2014 ICS Cyber Security Conference, and in December 2014 DHS held a series of closed industry briefings on these intrusions. Moreover, the Congressionally mandated EMP Commission released a 2017 report (declassified in 2018) that reviewed the combined-arms military doctrines of Russia, China, Iran, and North Korea. All of them anticipate the use of cyber-physical and combined cyber-electromagnetic spectrum warfighting. Peacetime restraint says little about what these states intend to do in wartime.
Claim: The United States has two opponents (China and Russia) who are capable of damaging cyberattacks. Russia has demonstrated its attack skills on the Ukrainian power grid, but neither Russia nor China would be well served by a similar attack on the United States.
My response: The Chinese installed hardware backdoors in large electric transformers. The Russians installed BlackEnergy in our electric grids. To date, Iran has made some attempts, albeit unsuccessful ones, to attack control systems in US critical infrastructures.
Claim: Iran is improving and may reach the point where it could use cyberattacks to cause major damage, but it would only do so when it has decided to engage in a major armed conflict with the United States. Iran might attack targets outside the United States and its allies with less risk and continues to experiment with cyberattacks against Israeli critical infrastructure. North Korea has not yet developed this kind of capability.
My response: Iran is not engaged in a major armed conflict with Israel, but that did not keep it from attempting cyberattacks against Israeli water treatment facilities. Iran also cyberattacked the Bowman Avenue Dam in Rye Brook, NY in 2013. As for North Korea, in 2015 the CIO of Korea Hydro & Nuclear Power gave a presentation at the IAEA Cyber Security Conference in Vienna on how the North Koreans hacked the operator of South Korea’s nuclear plants: https://www.reuters.com/article/us-nuclear-southkorea-northkorea/south-korea-blames-north-korea-for-december-hack-on-nuclear-operator-idUSKBN0MD0GR20150317
Conclusion: a call for objectivity
The contours of cyber warfare are emerging, but they are not always what we discuss. Better policy will require greater objectivity. Jim’s article works against that objectivity, because its main purpose is to refute the idea that a cyberattack could be “catastrophic” in the way a nuclear strike would be catastrophic. He is right in one way: a cyberattack is not likely to produce a prompt death toll in the tens of millions, as a nuclear attack would. But that sets a very high bar for “catastrophe,” and there are plenty of damaging and lethal cyber-induced disasters that fall short of a strategic nuclear war. As mentioned, control system cyberattack tools are publicly available. Additionally, malware and hardware implants have already been pre-positioned in the US grid by Russia and China. It is imprudent to infer from peacetime precedents the role of cyber-physical warfare in future wars. If Jim’s views are to be accepted, why is there a need for critical infrastructure protection programs at all?