The Wall Street Journal reported on one of those last month – that in 2013, Iranian hackers infiltrated the control system of a dam in Rye, N.Y., just 20 miles outside of New York City.
And the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said recently that it had received reports of 295 incidents involving critical infrastructure in the 2015 fiscal year, up 20.4 percent from 245 in the previous year.
None of these intrusions have resulted in a known cyber attack that has taken down even a portion of the grid yet. But Robert M. Lee, cofounder of Dragos Security and a former U.S. Air Force cyber warfare operations officer, told the AP that if relations between Iran and the U.S. degrade, “and Iran wants to target these facilities, if they have this kind of information it will make it a lot easier.”
That does not mean he thinks Armageddon is at hand, however. Lee told CSO that even with that kind of access, he doubts attackers could “control the operations networks or damage infrastructure enough to keep power down for longer than a few hours.”
Jeremy Scott, senior research analyst at Solutionary, has a similar view. “The threat is real and serious – we are highly dependent on critical infrastructure for our daily lives and it would have a significant impact,” he said, “but it would not be the crippling blow that some would think.”
Of course, both Lee and Scott stress that they are speaking in the present tense. The possible damage from a cyber attack could grow worse if hostile hackers improve their skills over time.
Mark Gazit, CEO of ThetaRay, agrees that the current threat from hackers is not at the catastrophic level, but believes that as nation-state hackers get more sophisticated, “their reach is definitely getting closer and closer to the mission-critical junctures of ICS operations.”
Meanwhile, the cyber security of ICSs remains notoriously weak – they were originally designed for reliability, not for connectivity, and are difficult to upgrade or replace. “A lot of security problems are baked in,” said Kevin Fu, cofounder and chief scientist at Virta Labs.
“It’s legacy hardware and the systems are unusual – it’s not your desktop computer of 2016. Even if you had the budget, they’re hard to buy,” he said.
Indeed, James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), famously told CBS’s “60 Minutes” in November 2009 that major electrical generators require a lead time of three or four months just to order them.