Preparing For A Cyber Attack: Now and in the Future
On Nov. 11, a power failure blacked out much of Brazil and Paraguay, affecting as many as 60 million people. It’s still unclear how the blackout happened, but it occurred just two days after CBS’ 60 Minutes reported that several previous Brazilian power failures were caused by computer hackers.
For several years there have been underground rumors of organized criminals attempting to extort money in exchange for not turning off power grids. The capability to do this exists as the electronic security of girds in the U.S. and around the world is extremely weak. This is asymmetrical warfare–the resources and effort required to inflict damage is minimal compared to the devastation caused. And, it is very difficult to prove what really happened or to definitively identify the source of the attack. These are perfect conditions for organized crime, nation states and terrorists.
The National Academy of Science has published two major studies on cyberspace security, or more appropriately, our lack of it. The contents of these dense, authoritative research reports should shock us into immediate action. The opening paragraph says: “The United States faces real risks that adversaries will exploit vulnerabilities in the nation’s critical information systems, thereby causing considerable suffering and damage.”
At a minimum, senior-level executives should be calling their corresponding equals at their electric utility provider and grilling them on the physical and logical security of the utility’s generation, transmission and distribution control systems. The government quietly started this process several years ago, and calls from major customers will greatly accelerate the process of rapidly tightening control-system security.
Even if the Brazil blackout is ultimately traced to equipment failures or human error, this incident should be a national and world wake-up call. Much of what is needed can’t be purchased as a product. What is required is a mental mind shift. Every individual and institution needs to get back to deterrence basics. Just implementing known best practices would significantly reduce the threat of successful cyber attack.
Cybersecurity can’t be delegated or outsourced. This means reviving skills that many organizations have allowed to atrophy or never had. And the problem is similar to the military, which typically prepares a strategy for winning the last war–except the bad guys study the same books and intuitively change their attack because newer technology costs them so little.
