The New Reality of Cyber Threats
The world’s critical infrastructure — power plants, electric lines, water treatment facilities, and fiber optic networks — is seeing a major shift that increases efficiency, but opens up vulnerabilities.
According to CyberX, at least one third of industrial sites overseeing the centralized operations of this infrastructure are connected to the internet. This interconnectedness has enabled next-generation technologies in remote control, automation, data collection, and predictive and prescriptive analytics, to name just a few.
However, it also opens up security weaknesses for those who know how to exploit gaps in cyber protection, and today, much of our critical infrastructure is under attack.
“There’s a rapid uptick in people using various types of exploits to try to gain access to the private sector systems,” explained Philip Chertoff, research fellow in the cyber program at the GLOBSEC Policy. “These attackers are motivated by a whole number of factors, whether it’s espionage, which is frequently in the news; criminal reasons, as we saw with the ransomware attack at the NHS in the UK; to even what is frequently called script kiddies, which is basically doing it for some kind of ego or personal aggrandizement.”
Planning for Disaster
GLOBSEC is an international think tank focused on shaping global debates through research activities and connecting key experts on foreign and security policy.
Their Cyber Resilience program is developing novel areas of research on cybersecurity, ranging from policy recommendations for NATO and EU agencies on critical infrastructure protection to security implications of emerging cyber threats like data manipulation.
Philip Chertoff is one of the experts shaping those policy recommendations and the global cybersecurity discussion.
“There’s been a democratization of cyber attacks so that more and more people have the ability to find tools online to attack systems,” Chertoff continued. “And I think companies are especially now harder-pressed to manage an increasingly large attack surface.”
Our critical infrastructure was built well before the internet existed, before there was any concept of cybersecurity.
Even the internet itself was developed without security in mind.
“The internet is built on an earlier world where people trusted each other,” said Sean Smith, professor of computer science at Dartmouth College. “It was not built with security in mind.”
In addition to his role as professor of computer science, Smith is Director of Dartmouth’s Institute for Security, Technology and Society. He knows cybersecurity, and his view of cyber disaster is a bit more nuanced than others’.
“A lot of my colleagues keep saying, ‘We’re going to have a cyber Pearl Harbor,’ where there’s going to be some sudden, massive attack from an enemy. Should we be worried about that or should we worry about a cyber Love Canal?”
He’s referencing the infamous New York town that was slowly poisoned by toxic waste seepage.
The Ease of Cyber Threats
Along those lines, Smith sees three major risks with IoT: holes in an interface, dependence on legacy systems, and the connection to the physical world.
“As we scale from computers that look like computers to ones that are embedded in everything, and as we conduct that ramp-up without thinking about how we build these interfaces (which always seem to have holes), then we, as the society, are setting ourselves up for a really big problem,” Smith warned.
While patching vulnerabilities in a computer or on a phone is relatively automatic, Smith expresses concern about whether people would remember to patch devices connected to a thermostat or a train.
Smith isn’t speaking in cybersecurity platitudes. Our infrastructure is vulnerable, starting with electric meters. For the 70 million (and counting) Americans with smart meters, security analysts have pointed to the radios embedded in the software of the machines as a threat, since they could potentially be reprogrammed to transmit on other frequencies and bring down cell phone networks.
Legacy systems are also something to consider.
A company’s reliance on an old system can obviously be problematic, as proven when planes were grounded in November of 2015 at Orly, a French airport running on Windows 3.1.
If current systems are not built with security in mind, our future infrastructure will continue to be unstable.
“We’re building tomorrow’s legacy systems today,” Smith explained. “The companies that created the stuff might not be around tomorrow.”
The connection of the cyber and physical worlds means significant danger from the anonymous internet. Smith specifically referenced Shodan, a search engine for finding embedded systems.
“Every time somebody looks at it, they find interfaces that should never have been exposed, yet are now exposed on the open net,” Smith explained. “Dan Tentler found a steel plant with a vat of something that was in the order of 1,000 degrees Celsius. It doesn’t really matter what it is. If somebody on the open internet without authentication can start controlling that vat, you’ve got a problem.”
“Cybersecurity is a Process Issue”
Chertoff is particularly concerned cybersecurity has been treated as an IT issue, pointing out that the main attack vector for malicious actors tends to be users.
“Cybersecurity is a process issue, not a technical issue,” he clarified. “For a lot of companies, this means that they’re going to have to go through HR changes and reorganize how they actually operate their business in order to be more secure.”
This means going beyond simply adding antivirus software and rethinking processes that put sensitive data at risk.
Chertoff’s main focus is around cybersecurity for critical infrastructure, which can include everything from a water cleaning plant to the electric grid.
“There’s a huge part to the national supply chain that people don’t see, but which attackers will hone in on as a vulnerable point,” he explained. “These types of attacks are meant to undermine the legitimacy of the government institutions, because one of the fundamental parts and responsibilities of government is to deliver critical services to its citizens.”
Wired’s June 2017 cover story, which shed light on Russia using Ukraine as a training ground for larger attacks, has been particularly worrisome for those in the cybersecurity community.
“The fact that it’s only gone so far in previous attacks is not a question of capability,” Chertoff warned. “It’s a question of will.”
The Secure Future
Systemic vulnerabilities are frightening, and there isn’t an easy way forward.
“AI can enhance human creativity,” said Michael Horowitz, professor of political science at the University of Pennsylvania. “And that’s a double-edged sword.”
Unfortunately, many organizations appear to be turning away from digitization because they can’t secure what they’re digitizing.
“It’s a real shame because obviously digitization offers a lot of significant economic benefits to corporations,” Chertoff added. He sees promise in AI’s ability to aid situational awareness, providing “a much broader perspective on possible vulnerabilities.”
What does AI have to do with cybersecurity? At this point in the game, they’re inseparable. It’s estimated there are over 100,000 zero-day cyber attacks daily.
The sheer volume of the cyber threat landscape means it’s impossible for human security analysts, regardless of capacity and experience, to keep up with the sophistication and adaptability of those threats.
Among their limitless potential applications, artificial intelligence technologies are showing efficacy in the detection of, and protection against, a new generation of cyber threats.
“What I hope for from AI is to start to minimize manual processes that analysts have to go through, a lot of this pattern recognition work,” said Chertoff. “Then AI is handling the bulk of the data analysis when it comes to security incidents and events, and the analyst can really think primarily about what threats the organization is taking holistically.”
Chertoff also recognizes the benefits of having a plan of defense in case of a critical attack.
“The National Energy Reliability Commission has been planning scenarios like this for a while, especially regarding natural disasters but increasingly about cyber attacks,” he noted. “I say that, actually, the U.S. energy grid has gotten especially good at planning for this type of thing.”
Decentralization of a system is another way to increase resiliency, although Chertoff noted it could become a weakness if the individual nodes are not secured appropriately.
These cyber threats emphasize the importance of developing an investment strategy and policies related to AI, as it undoubtedly becomes part of our future. Forming a path forward that minimizes vulnerabilities, provides a plan for critical infrastructure, and encourages development of AI will ensure that the technology is not a source of fear.
As Horowitz noted, “AI is not a weapon. It will have an impact much broader than that.”