Cyberwarfare can devastate economies with connected infrastructure. Military strategy uses such attacks because they’re hard to defend against and very cost-effective.
The Allies bombed German ball-bearing plants in World War II because destroying them would degrade the German production of tanks and fighter jets. Cyberwarfare today can devastate an entire economy. As former Homeland Security Secretary Michael Chertoff recently explained, “Cyberattacks on critical infrastructure from state or state-sponsored actors are the biggest threat right now.”
Cyberattacks also have political, military and economic dimensions. What’s an adversary’s purpose behind an attack? How are targets chosen? What are asymmetrical warfare and the ROI of a cyberattack? How are such attacks conducted?
Picking a high value target
Public info from U.S. Department of the Army: “The emphasis of targeting is on identifying resources (targets) the enemy can least afford to lose or that provide him with the greatest advantage … Denying these resources to the enemy makes him vulnerable … an electronic attack could potentially deny essential services to a local populace, which in turn could result in loss of life and/or political ramifications.”
- Military — Exploit an adversary’s weakness and degrade their capability and/or will to fight
- Political or diplomatic — Weaken adversary’s status or power in the world or region
- Informational — Generate favorable press, gain information superiority
- Economic — Undercut adversary’s ability to sustain operations
The ROI of asymmetrical warfare
Cyberwarfare is asymmetrical. The parties at conflict use the means available to them to inflict as much damage as possible by careful exploiting their adversary’s weaknesses. An example of this tactic is in Palestinians flying “fire balloons” into Israel. The tactic has resulted in thousands of acres of valuable farmland and nature preserves being burned, the Times of Israel reported. A $10 incendiary balloon caused thousands in economic damage. Cyberattacks similarly target key infrastructure elements that will cause the most damage.
Cyberattacks on infrastructure
IoT devices, shared communications and cloud computing infrastructure expand the attack surface available to hackers. Electric power grids are especially vulnerable given the broad impact a power outage has on the economy. An electric utility with multiple partners has a broad and diverse attack surface — places where an attacker could attempt to access internal networks from the outside.
Employees at an electric utility or its partners are often unsuspecting targets. Spear-phishing attacks target a specific victim, and messages are modified to specifically address that victim, purportedly coming from an entity that they are familiar with and containing personal information. It’s the go‐to technique in the cybercriminal and nation state attackers’ arsenal. It is an effective and inexpensive way to harvest user credentials, implant various forms of malware, impersonate trusted people and collect intelligence on the target organization.
In cases described by the Department of Homeland Security, as presented to the electric utilities and outside experts, Russian hackers went into power plants through the networks of contractors, some of whom were ill-protected. Those contractors provided software to the utility company’s systems. Then they used spear-phishing emails, trying to trick utility operators into changing their passwords. Here are two other data points:
- In “Experts: North Korea targeted U.S. electric power companies,” it was reported that hackers linked to North Korea targeted U.S. electric power companies with spear-phishing emails which used fake invitations to a fundraiser to target victims, FireEye said. A victim who downloaded the invitation attached to the email would also be downloading malware into his computer network.
- In “The Ukrainian power grid was hacked again,” it was reported that experts say the country appears to be a testbed for cyberattacks that could be used around the world. The hackers conducted a coordinated attack against three power distribution companies, which began as part of a massive phishing campaign. The attackers sat on systems silently for months, conducting reconnaissance before making their presence known. They overwrote firmware on remote-terminal units that controlled substation breakers. This essentially bricked the devices and prevented engineers from restoring power remotely.
The financial damage of a cyberattack
The Hartsfield-Jackson Atlanta International Airport generates more than $34 billion in direct business revenue to metro Atlanta. A recent power outage, where more than 400 flights were canceled, wasn’t caused by a cyberattack, but illustrates how even a single disruption can have a huge financial impact. A simple projection reveals that a cyberattack on a large airport’s power systems, assuming that planes were forced to be idled, could exceed $100 million.
- Passenger time: 400 flights x 100 passengers x $50 per hour x 10 hours = $20 million
- Equipment cost : (Jet lease costs $20,000 per hour) 400 jets x 10 hours x $20,000 = $80 million
Beefing up cyberdefenses
The U.S. is outgunned in electronic warfare, says the country’s cyber commander. Two military leaders admitted at the TechNet conference in Augusta, Georgia this week that the country is falling behind in its electronic warfare capability. “When it comes to electronic warfare, we are outgunned,” Maj. Gen. John Morrison, the commander of Fort Gordon and the Army Cyber Center of Excellence, said during a Tuesday presentation. “We are plain outgunned by peer and near-peer competitors.”
With so much at stake, investments in cyberdefense have to be a high priority.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.