Civilian Critical Infrastructure Is No Longer a Taboo Target
A recent ransomware attack successfully shut down 5,500 miles of Colonial Pipeline’s pipe network, which carries approximately 45 percent of the East Coast fuel’s supplies. The DarkSide ransomware gang, a group of Russian cyber criminals, is believed to have stolen nearly 100 gigabytes of information and threatening its exposure as a means to coerce the victim into paying the ransom. The gang operates an established ransomware-as-a-service business model that has targeted large organizations, several of which are in critical infrastructure industries. The impact is already being felt by the public writ large with gas prices increasing almost immediately after disclosure of the attack. This is the second instance where a pipeline was impacted with a cyber attack. In February 2020, a difference ransomware attack affected a natural gas compression facility belonging to an unidentified pipeline operator causing a two-day shutdown. These two incidents reveal how a successful cyber attack against civilian critical infrastructure targets can have larger effects against area and regional populaces.
But such attacks are not focused on one particular sector. Critical infrastructure organizations worldwide such as energy, water, healthcare, transportation, and financial services, for example, are continually attacked, with varying level of success. Those that result in substantial damage reveal the consequential extent and reach of these attacks. Notable incidents include but are not limited to disruptive attacks against Iran’s nuclear centrifuges in 2010, Ukraine’s power sector in 2015, Israeli water treatment facilities in 2020, and now these latest incidents against pipelines. While the volume and frequency of these types of activities against critical infrastructures are less when compared to other types of hostile cyber operations, they do show an increased willingness of actors to target civilian critical infrastructures with disruptive/destructive attacks to support their objectives. The DarkSide operators are clearly looking to collect a hefty ransom for their efforts, but it can easily be seen how a nation state could benefit from shutting down at least temporarily a major pipeline that supplies a section of a major country. Russian military hackers showed how ransomware could be used as a form of punishment when it executed the 2017 NotPetya attack first against Ukraine, before spreading globally. The malware destroyed data and created general chaos in Ukraine impacting banks, the power grid, and airports, among other entities.
Iran and Israel have been engaged in tit-for-tat cyber exchanges that have targeted critical infrastructure entities, as well. Iran has executed several cyber attacks against Israeli water facilities, while Israel has responded with attacks against an Iranian port and most recently, an Iranian nuclear facility, though that remains in question. If valid, destructive cyber attacks against Iranian nuclear equipment is not new, as Stuxnet carried out a similar mission in 2010. However, more worrisome in this critical infrastructure targeting brinksmanship is Iran’s attempt to modify chlorine levels in water supplied to Israeli homes. While their efforts may have been detected, the fact that they pursued it reveals an intent to become adept at a more subtle and potentially more dangerous attack vector that can directly harm people’s lives – data and system manipulation. Such a capability can be a huge advantage as society moves toward more remote controlled and accessible smart technologies, health devices, and connected and autonomous vehicles.
In 2015, Russia executed destructive malware attacks against Ukraine’s three regional electric power distribution companies and impacting 225,000 customers. Although the blackout lasted a short time, the control centers were not fully operational for two months after the attack. A second attack occurred in 2016 when Russian hackers hid undetected in a Ukrainian power supplier’s network before taking the power offline for two days. In both of these instances, the attacks were not severe enough to cause any lasting impact, the disruption of power did adversely affect civilian populations. Given the geopolitical tensions between Moscow and Kiev, the targeting of energy companies was clearly done to put pressure on the Ukrainian government via its citizens.
While these incidents highlight attacks where critical infrastructure was impacted by cyber malfeasance, there are several other examples where attacks didn’t have an effect or were mitigated before any effect could transpire. The recent exposure of Chinese state-sponsored actors compromising – but not yet attacking – several key Indian energy organizations illustrates this point. A group identified as “RedEcho” targeted ten Indian entities – four of which were Indian Regional Load Dispatch Centers – involved in power generation, transmission, and distribution. Although these actors did not execute an attack from their entrenched positions, such compromise would easily allow for that to happen. Given the geopolitical tensions between Beijing and New Delhi over a longstanding border dispute, as well as other policy changes made to contain China’s tech incursion into India, such a move by Beijing can certainly be interpreted as a “stern warning” to New Delhi to fall in line or suffer a power failure.
There was a time that the purposeful targeting of civilian infrastructure was seen as taboo, especially for nation states not engaged in military conflict. It is evident that this sentiment is one that has long since passed. Nation states, or their proxies, are feeling more confident about targeting the critical infrastructures of their adversaries absent kinetic engagement largely because a tacit environment exists allowing them to do so. No check has been administered to offending states sufficient enough to deter this behavior, and it is unlikely there will be one anytime in the near future. In the latest incident against Colonial Pipeline, though it’s been determine that a cyber crime gang perpetrated the attack, the U.S. president has laid some responsibility for curtailing the gang at Moscow’s feet. Putin will likely disagree with this determination, putting the ball back into the president’s hands. The U.S. government already sanctioned Moscow for its culpability in SolarWinds compromise. Now, with even less intelligence linking DarkSide with Moscow, what more can be done to punish Russia?
Several governments including the United States recognize the criticality of protecting critical infrastructure as a national security priority. But there is little headway in determining what, if any, operations against critical infrastructure are acceptable. Without such consensus, nation states are left to their own devices, opting to use sanctions or retaliatory cyber strikes to register their complaints. These are poor options, as lack of setting such redlines and having governments sign on to them risks a cyber incident being misinterpreted and misunderstood, and thereby, increasing the chance for state-on-state escalation via disproportionate retaliation. It begs the question why states aren’t more aggressively pursuing a treaty that focuses solely on critical infrastructure protection and what activities are acceptable under it, as all possess such infrastructure in their countries that serve the needs of their populations. This would seem an easy win that can be used as building block for future cyber norms of behavior discussions. Otherwise, we can expect more critical infrastructures being targeted in the future. The more this happens, the more “permissive” it will seem to a global populace who already endures countless breaches and cyber malfeasance without any restitution from their governments that fail to live up to their promises. And the world is watching.