Monday, August 24, 2015
And What if Someone Just Did?
Most of the developed world is completely reliant on our electrical and communications connectivity. Our financial system, power grid, water supply, access to police and fire, and even our personal interrelationships are linked by wires, cables, satellites and transmissions through the ether. Our GPS systems, military preparedness and emergency systems are all dependent on a very vulnerable system. The more urban we get, the more dependent we are. Routers, file servers and computers control the electrical power flow, data storage and just about every aspect of modern existence.
The vulnerability is obvious. A villainous miscreant could rely on old-world destructive power – blow up a few key critical components and watch the systems fail – or we might instead watch as hackers (read: criminals, miscreants and malevolent foreign powers) crack into our most critical systems and take down entire cities, perhaps entire regions… and maybe even… the entire nation. It’s pretty clear that our most critical systems seem wide open to those with the skills to climb in. The fact that our federal personnel records were hacked – revealing the most personal information about federal employees, past and present, and their circle of family and friends (over 22 million records compromised) – tells you that properly trained and motivated hackers can pretty much have their way with our most critical systems.
So if a malevolent government were interested in taking down an entire city, just to show us who’s boss, what would it look like? The August 18th Washington Post sets the scene: “First the power goes out. It's not clear what's gone wrong, but cars are starting to jam the streets -- the traffic lights are down. And something seems to be going haywire with the subways, too… No one can get to work. And even if they could, what would they do? A cyberattack has driven the city to a halt.” People stuck in elevators and subways. Ventilation systems failing. Maybe some looters get some ideas, and there are only a few surveillance cameras functioning on batteries. Back-up systems fly on line, generators running on gasoline until it runs dry. Gridlock and fallen communications systems make tending to police and fire emergencies impossible. Small fires spread quickly with nothing to stop them. It will be more than just a power outage.
It hasn’t happened… yet. But we are going to see one or more versions of the above scenario sooner or later, and austerity measures pretty much ensure that our attempts to secure against such horribles will be “too little, too late.” Like most of our “disaster lessons,” we have become a reactive society, not preparing even for the obvious, reacting at vastly greater expense only when the inevitable disaster redefines the space. But right now, hacking into critical systems is too damned easy. The electrical and communications grids are infrastructure begging for a huge and necessary fix.
“Cities, like the rest of the world, now rely on a lot of computers. But the systems used to make even the most sensitive systems run can still contain security flaws. While the risk of an actual attack may not be imminent, the threat is looming large over cybersecurity researchers who warn that local governments aren't prepared.
“‘The potential attack surfaces of a city is a huge challenge,’ said David Raymond, deputy director of Virginia Tech's IT Security Lab. ‘The digital pathways between all of the entities and organizations in a city is often not well managed. In many cases, there's no overarching security architecture or even understanding of holistically what the city looks like.’
“Researchers have already discovered vulnerabilities with new technology being used in many cities… Last year, researchers found that a traffic monitoring system used in dozens of U.S. cities, including Washington, D.C., could allow a malicious hacker to falsify traffic data and manipulate stop lights. District officials say the city is reviewing the security of its traffic sensors. A few years ago, two Los Angeles traffic engineers pleaded guilty to hacking into the city's traffic system and slowing down traffic at key intersections in support of a labor protest…
“Transportation systems are a key ‘pressure point’ for cities, places where technology that is otherwise well secured might intersect in ways that make them vulnerable to a targeted attack that could cascade throughout a city, according to Raymond and fellow researchers Gregory Conti, a professor who teaches cybersecurity at West Point, and Tom Cross, the chief technology officer at cybersecurity firm Drawbridge Networks. Raymond, Conti and Cross presented their research at the Black Hat USA cybersecurity conference in Las Vegas earlier this month.
“‘Each person is looking at their little silo and defending their department or agency -- to varying degrees of success -- but they don't appreciate the relationships between their piece of the puzzle and other people's pieces,’ Cross said.
“And in some cases, older industrial systems never designed to be online end up making their way onto the Internet. Researchers using Shodan, a search engine used to identify systems connected to the Internet, have routinely discovered traffic lights, water treatment facilities and even power plant controls online.” The Post.
In short, we are just begging for it. The first hit might be a small one, testing here, probing there. But think how Kim Jong-Un, who keeps talking about declaring war on the United States for its hostile moves on his little North Korea, could hack into any city’s systems, probably not much more of a challenge than hacking into a movie studio over an insulting film. Actually, we are still technically at war with North Korea, but Kim probably has no real issues with ignoring the armistice and teaching the United States yet another lesson. Oh, he’ll just deny it. Or maybe it will be a couple of pranksters with mayhem on their minds.
I’m Peter Dekom, and until we wake up and cherish and maintain what we’ve got, there is always the question of how long we can expect to keep it.