Imagine a world without power. No functioning air conditioning, lighting, traffic signals or computers. This is the very real and present danger posed by cyber attacks on public utilities or industrial control systems.
Recently this exact scenario happened in the Ukraine when the national electricity grid was closed down by a hostile cyber attack.
The US Department of Homeland Security (DHS) and the FBI take the threat so seriously that they have begun a nationwide programme warning of the dangers faced by utilities from cyber attacks. The programme includes briefings and online webinars for electrical power infrastructure companies and others involved in security with sessions in eight US cities, including one next week in Washington.
The US programme is recognition of a paradigm shift in cyber crime where industrial control systems that are linked to the internet are susceptible to criminal attack. While connectivity has increased efficiency, enabled the collection and analysis of performance data and allowed remote maintenance, it has also left systems vulnerable to malicious interference.
Part of the DHS-FBI briefing is entitled “Ukraine Cyber Attack: Implications for US Stakeholders,” explicitly referencing lessons drawn from the multi-tiered attack on eight Ukrainian installations leading to a loss of power for 80,000 people in the middle of winter.
Most sinisterly, the attack was multi-pronged not only opening circuit breakers and spoofing monitoring systems, but also delivering a distributed denial of service attack on helplines to systematically prevent the Ukrainian authorities from resuming control.
Energy companies that underpin the economy of the GCC are particularly vulnerable to this type of attack because of the sheer complexity of their infrastructure and their intersection with third party suppliers and contractors over whom they may have little control.
The GCC is particularly vulnerable to this type of attack. In a bustling economic environment, a power cut would likely cause disruption to any services not backed up with auxiliary generators, potentially affecting everything from transportation links to desalination plants.
It’s the responsibility of both the private and public sectors working hand-in-hand to ensure vital infrastructure is not just defended from physical attack, but shielded from hostile states and criminals. To ignore the threat is to leave your nation hostage to the next malware attack.