The doomsday scenarios we’re used to worrying about are sudden and catastrophic, like earthquakes, tsunamis and nuclear war. But the next catastrophe might well begin with something as a trivial and mundane as a failing traffic light that snarls up traffic. It will then widen to prolonged power cuts that catch people in elevators and gradually begin disrupting normal life. The Internet goes down, cellphones go silent and computers go haywire. The digital world we so rely on collapses.
- For a cyber superpower, Israel is surprisingly vulnerable to hackers
- TechNation: Israel to certify computer hackers
- Iranian hack reveals weaknesses in U.S. cybersecurity
The battlegrounds where governments, terror organizations and criminals operate is going virtual. Two weeks ago saw a small taste of things to come: Hundreds of thousands of homes in Ukraine lost power for hours in what the SBU, the Ukrainian intelligence agency, attributed to a cyber attack on the control center of the local power grid. It found the same malware at two other power stations. Kiev was quick to accuse Russia, but they aren’t sure and have retained a handful of cyber forensics experts (including Israelis) to determine the malware’s provenance.
Business such as the U.S. retailing giant Target and the Ashley Madison dating website have been hit by hackers, costing them money and their reputation. But what worries exports most of all is a cyberattack ending not in the theft of credit card data or exposure of unfaithful spouses but in damage to power stations, dams, transportation systems, hospitals and even nuclear reactors.
Industrial cyber security is a new comer to the cyber world, different in many ways from the better known information security systems that protect computer networks. It employs different technology and its foes aren’t novice hackers but highly skilled professionals, possibly working under state auspices, making the threat more sophisticated and alarming. Not surprisingly, several Israeli startups are among the pioneers.
“The world of electricity hadn’t changed much in several generations. If Edison had come back 15 years ago he wouldn’t have seen many changes compared to the day he died,” says Erez Koren, the head of business development at RAD, one those companies. “Since then, however, power networks have become smarter, and thus more vulnerable.” Nowadays, networks are “smart grids” with meters that are connected online and power grids that allow the flow of electricity to go in reverse from consumers to power stations.
Half of the United States is already covered by smart digital meters with two-way communications and in Europe 80% will be by 2020, with hundreds of millions of new devices connected to it, says Koren. Deregulation has caused control of power network to be split between companies that generate electricity and companies that transmit and distribute it, each with its own computer network piggybacking on top of it.
“Take Denmark as an example, a leader in renewable energy. In 1980 there were eight power stations there whereas now there are 4,000 stations or electricity producers. This has to be managed, knowing who to buy from and when, as well as at what rates – it’s a veritable stock market for electricity. This is also true for natural gas and water,” Koran says, but warns: “In contrast to banks, which have been contending with cyber threats for years, industrial networks have somewhat neglected this area.”
Regulators around the world have started asking utilities to protect not only their information technology networks but also their operational technology. In Israel the Shin Bet has an unit devoted to information security that oversees and guides Mekorot (the national water supplier), the Israel Electric Corporation and the gas companies – anything that comprises essential infrastructure.
The watershed event for industrial cyber security was the Stuxnet worm. It was discovered almost by accident in June 2010 by a small antivirus company in Belarus. But after months of research by cyber analysts around the world they realized that Stuxnet wasn’t just ordinary malware but at something unusual: The worm contained well-crafted code designed to harm Iran’s nuclear project. The worm knew how to reach specific Siemens computers that were in charge of controlling the Natanz reactor, changing the spin rate of centrifuges until they were disable even as the computers operated by the reactor’s engineers were reporting that all was in order.
Stuxnet changed history – the world’s biggest known act of cyber war and the single biggest cause of what has set off a global cyber arms race. The damage to the reactor was equivalent to what an air force could have achieved by aerial bombardment, without firing a single shot. It proved that a determined attacker could penetrate well-protected industrial systems and cause great damage.
Smaller attacks have followed. In December 2014, hackers disrupted steelworks at an unknown location in Germany, taking over control of the plant, causing a meltdown of metal and wreaking massive damage. The hackers penetrated the computer network of the plant through a focused phishing expedition, putting malware into an email as bait. From there, the malware found its way to the operating network.
Neither Stuxnet nor the malware that hit the German plant were written by amateur hackers. Stuxnet, according to some experts, was the fruit of combined efforts by the U.S. and Israel.
“There are individuals who can do some exceptional things but usually in this area [of industrial cyber security] you’re up against a government, which has immense power in terms of development and resources,” says Nir Giller, cofounder and deputy CEO for technology at the industrial cyber security CyberX. “It’s been said that Stuxnet was tested at the reactor in Dimona first.”
How do hackers in this area operate?
“The attacker has to know what kind of equipment there is in the target facility. There aren’t many choices – it’s either Schneider, Siemens, GE and a few others, who cover 80% of the market. Facilities don’t usually reveal what they’ve installed. This policy is called ‘security and obscurity.’ However, it’s quite simple to find out what the relevant equipment is by going on supplier websites and looking for customer lists, or looking at photos on the target’s website,” explains Giller.
“As for invading systems, you can try to bypass the online security system. If there’s a firewall, you can try attacking it directly. You can penetrate through phishing expeditions or try and infect an employee or technician with a virus. Another possibility is physical entry and inserting a USB into a company computer. Every component of an industrial organization is vulnerable to an attack.”
The military jargon is clearly evident in Giller’s language. “My partner and I graduated in computer studies at Tel Aviv University and the Technion and then served in the army’s encryption and security division. This unit specializes in embedded systems,” he says, referring to computers on board tanks or cruise missiles. “We have a strong research arm that looks for weak spots in industrial systems, using researchers who worked as hackers in their past.”
CyberX has exposed Zero Day faults – vulnerabilities that hadn’t been discovered yet by hackers – at systems operated by Schneider as well as at Rockwell Automation.
The defense it offers customers is a smart firewall designed for industrial sized users. Its server connects to the customer’s operating system and listens to all communications travelling over the network, building a profile of what constitutes normal traffic and thereby learning how to identify unusual events, caused by human error – or by a cyberattack.
“Industrial cybersecurity is now at the point Internet security was in 1998,” he says. “Companies like Schneider are starting to set up industrial firewalls only now at a time when there have long been built-in firewalls in every router supplied by Bezeq. There is also a problem of transparency in industry. When Microsoft screws up everyone knows about it. When an industrial company does, no one knows. Repairs are also different – Microsoft releases a security patch within days while in industry can take weeks to fix things.”
Nevertheless, Giller is optimistic. A security manager at the pharmaceuticals giant Novartis, for instance, will be very careful to provide security, since a single production mishap could cause great damage and lose him his job. “It’s unclear who’ll control the market – companies like Siemens who will develop the know-how or companies devoted to information security such as Symantec, who are trying to enter the world of industry in an attempt to provide holistic solutions for their customers.”
“2016 will be a test year,” says Gil Kroyzer, CEO in the ICS2 start-up cyber security company. “We’ve been in this business for more than two years and are beginning to see changes. I get responses to emails I sent a year ago, saying, ‘Yes, let’s meet.’ After seeing the damage caused by attacks on Sony and Target, managers are realizing that failure will cost them their jobs so they’re now willing to invest some money in this.”
What if a computer shows falsified data as in the Stuxnet attack?
“That’s the classic question we’re asked. The answer is that you can falsify one parameter, say the speed of revolution, but there are other factors such as pressure, temperature, humidity and others. No attack can falsify all the sensors and controllers. We’ve gone through tests where data was falsified and we detected it every time.”
ICS2 has developed know-how for different types of industrial systems. The start-up differs from other Israeli ones in that it employs physicists, chemists, electronic engineers and systems-control experts. Itssoftware is installed at Mekorot, a sewage treatment plant in Jerusalem, a desalination plant and with a American oil refinery. It counts 15 customers so far, unusual for a start-up. “We’re at the ‘break-even’ point now, and I believe we’ll have 50 new installations next year,” says Kroyzer.
A separate debate in this area revolves around security by isolation, meaning total separation between the operational system and the IT network and the Internet. The best known example is the IDF’s communications system, which is completely disconnected from the worldwide web. But Kroyzer is skeptical it’s a solution for most entities. “Aside from the IDF it’s hard to find examples of this because everyone needs to connect to the Internet. When GE sells a turbine today it insists on maintaining a remote connection. All the Ciscos of the world are pushing towards a world where everything is connected to the Web, and they’ll probably win out in the end.”
Even when a system is completely isolated it is possible to penetrate it, as happened with the Iranian reactor. The Israeli company Waterfall is developing a “diode,” a unidirectional system that will allow the operational system to send information to the IT system but not in the other direction. In agreement is Yossi Schenk, information security manager at the Israel Electric. “The notion of separating OT from IT is outdated. We’re moving towards combining these systems. The borders between the two are blurring. That’s why good security is needed for the IT system since it’s good for the organization, but also for protecting the operational system.”
The IEC took a bold step last year when it reported that it was under cyberattack. Its CEO reported 47,000 malware cases in the company’s systems in 2014, compared to a few hundred in 2013.
Schenk explains that we’re at the brink of a strategic cyber era, in which damage can be strategic for a state, posing an existential threat, with attacks backed by large organizations or states. In contrast to earlier attacks which focused on volume, such as DDos attacks which led to denial of services, current attacks are devoted to attacks known as Advanced Persistent Threats.