Connor Fairman is a research associate in the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Cyberattacks on critical infrastructure are not a new phenomenon. Discovered in 2010, Stuxnet, a computer worm developed jointly by the United States and Israel that destroyed centrifuges in Iran’s Natanz uranium enrichment facility, was the first uncovered malware that affected physical infrastructure. In 2017, malware called NotPetya made headlines for shutting down a fifth of the world’s shipping capacity as well as numerous businesses, hospitals, and factories, causing over $10 billion in damages. Finally, in 2019, almost ten years after the discovery of Stuxnet, the United States fell victim to the first cyberattack that disrupted operations in the electrical grid.
Foreign infrastructure also fell victim to cyberattacks this year. In October, India confirmed that malware linked to North Korea’s Lazarus Group had infected the networks of the Kudankulam nuclear power plant, its newest and largest nuclear power plant. In June, press reports alleged that the United States had penetrated deeply into Russia’s electrical grid.
Cyberattacks on the technologies that keep critical infrastructure running appear to have increased in 2019. An April survey of security professionals worldwide tasked with protecting critical infrastructure found that 90 percent had suffered such attacks, with around half of the breaches resulting in the shutdown of critical systems. None of these operations were the “cyber-Pearl Harbor” that some analysts have long warned about, but it is clear that cyberattacks against critical infrastructure are becoming a more dangerous threat.
The threat has increased because of two trends. First, hackers continuously develop more advanced tools, such as Triton, a new malware designed to shut down safety controllers and cause physical damage to critical infrastructure. Second, digitization and the introduction of the internet to systems that predated it have introduced new vulnerabilities. Previously, operational technology was controlled by analog systems that were kept separate from computer networks, which insulated it to a degree from malware. As these systems are digitized, devices that were previously isolated are being connected to the internet, exposing them to exploitation. Moreover, the widespread deployment of Internet of Things (IoT) devices throughout facilities has created more targets for would-be attackers. Oftentimes, these devices are easy to exploit, because IoT crawlers make internet-exposed devices easy to find and factory-set default passwords are never changed. Thus, companies and governments are inadvertently increasing the attack surface for adversaries.
While security firms are reporting more cyberattacks on critical infrastructure, the providers have, at times, been hesitant to disclose that they have fallen victim. Government operators face political ramifications for admitting that they failed to secure society’s most important services. Private utility companies can suffer reputational damage and even expensive fines after admitting that they have been hacked. In some countries, like Germany, operators of some types of critical infrastructure, such as hospitals and public transportation networks, are not obliged to report cyberattacks to authorities. Given the potential consequences of doing so, it is not hard to imagine that attacks in these sectors often go unreported.
Unfortunately for governments and companies, these problems are not going away anytime soon. With the advent of smart city technology, the level of interconnectivity and the number of targets that attackers can choose from are going to increase dramatically over the next several years, with particularly large growth expected in Tokyo, New York, and Singapore. Virtually every sector will be affected by this trend, including healthcare, transportation, power distribution, water supply, and public security. Serious vulnerabilities in smart city systems have already been uncovered. For example, in May, security researchers discovered a Chinese database containing facial recognition scans and other personally identifiable information that could be accessed through a web browser without a password. Municipal networks in Atlanta and Baltimore have already been held hostage with ransomware, costing each city millions of dollars. Both cities aspire to become smart cities and have started to implement IoT devices to optimize city processes, such as lighting. Yet, without proper steps to address conventional threats against city networks, these cities’ problems will compound, opening the door for an attack that could make the costs incurred from the recent ransomware attacks appear minuscule.
In 2020, governments and companies need to address these risks head-on. First, the United States should follow the recommendations made by the National Infrastructure Advisory Council this December, which called for the establishment of a “Critical Infrastructure Command Center” to facilitate information sharing between government agencies and companies. Second, as older systems become digitized and retrofitted with new IoT devices, providers should ensure that operational technology is kept isolated from the open internet. Finally, while smart city technology has the potential to improve safety and optimize urban systems, governments need to ensure that they are not simply creating more targets for adversaries by setting and abiding by high security standards for the incoming wave of connected devices.