Is Australia’s electricity grid vulnerable to the kind of cyber attacks taking place between Russia and the US?



Power grids are high priority targets during conflict.

Andrew Dowse, Edith Cowan University and Mike Johnstone, Edith Cowan University

The New York Times reported earlier this month that the United States was increasing its cyber attacks on Russia’s power grid. The attacks are seen as a warning against Russian intrusions into US systems, but one that carries a risk of escalation.

The public reporting of previously covert cyber attacks earned a retort from US President Donald Trump, who accused the New York Times journalists of a “virtual act of treason”.

But the story has been useful in generating discussion about the reasons for – and potential consequences of – such actions. It also raises the question of how vulnerable Australia’s power grid is.

So let’s take a look at who is capable of carrying out these kinds of attacks, how they work, and whether Australia is doing enough to protect itself.






Are these attacks limited to the US and Russia?

Recent events may be newly reported, but the events themselves aren’t that new. Russian cyber attacks on US infrastructure may have been going on for years. According to the New York Times report, the US may have been undertaking similar intrusions in Russia since 2012.

While the story is limited to discussing cyber conflict between the US and Russia, there are many nation states with the ability to carry out such attacks.

To make things more complex, non-government actors can also launch cyber attacks. That includes individuals, organised crime groups, and proxies for nation states.

Why are we learning about this now?

When we talk about cyber security, and how to defend against threats from nation states, we’re usually talking about protecting confidential information. But when it comes to power grids, confidentiality isn’t particularly important. What is important is continuity of service, also called “availability”.

An adversary’s power availability would be a high-priority target during a conflict. Outside of conflict, the only logical rationale for a nation state to intrude on such systems would be to undertake reconnaissance and deploy malware that can remain dormant until needed.

In this regard, it doesn’t make sense that the US would intentionally leak its efforts, as appears to have been the case. It would prompt Russia to find the malware and, by disclosing intrusion techniques, it would “burn capabilities”.

Additionally, evidence of attacks could lead to an escalation of cyberwar between the US and Russia. Escalation is unlikely as long as responses to counter cyber attacks are undertaken in line with the principles of necessity and proportionality. But the uncertainty of attribution and consequences creates a potential for miscalculation in conducting cyber attacks.

The New York Times article was notable because it suggested the US president gave his commanders authorisation to undertake cyber attacks without his oversight. To avoid miscalculation, a balance is needed between a speedy response in cyber “active defence” and the kind of proper deliberation that will ensure the response is appropriate.

To date, there is no evidence that nation-state delivered attacks have resulted in power outages in the US or Russia. The apparent leak to the New York Times may not relate to a specific counterattack against the Russian power grid. Instead, it may be a form of diplomacy intended to signal US willingness and capability to counterattack.






How are such attacks possible?

Critical infrastructure is a term that refers to chemical production plants, power stations, oil platforms, and water pump stations. The technology that operates such infrastructure is called “operational technology” (OT). OT is a cyber-physical system that controls electricity generators and valves that mix chemicals in vats or transfer gas through pipelines.

To understand the threat, it helps to contrast OT with information technology (IT).

Confidentiality is a primary consideration for IT staff, who are focused on securing data from threats. They are well practised in patching vulnerable systems under their control. In an OT environment, availability is the primary driver, so keeping the plant working is considered more important than protecting against cyber threats.

Another difference between the IT and OT worlds is the lifetime of assets. OT system devices are built to last a long time before replacement. Using legacy OT technology that still works is not in itself a problem, as long as that technology is separated from other systems.

But the IT and OT worlds are converging to enable remote control and access to real-time plant operating data. Aside from the tension between priorities of confidentiality and availability, this convergence opens up OT vulnerabilities to attack.

When OT systems were developed decades ago, there was little thought of security, since most systems were only accessible on-site or through dedicated networks. With IT-OT convergence, keeping systems secure becomes a priority, but not at the expense of availability. Stopping a system, either for an update or due to a cyber attack, results in lost revenue and impact upon customers who could, for instance, lose power to their homes.

Have we seen successful attacks in the past?

Cyber attacks on Ukrainian power stations in 2015 and 2016 affected more than 200,000 customers, and provided lessons for the rest of us.

These events showed that an attack was more than just theoretical in the domain of energy systems. Engineers needed to physically visit each substation to return systems to operation.

As similar technology is used worldwide, the power grids of other nations are potentially vulnerable. Additionally, the malware used to command and control attacks is increasingly available for hire as cyber crime moves to a service-based model. And more sophisticated tools mean attackers require less skill to locate and attack internet connected devices.






How vulnerable is Australia’s power grid?

In 2016, Australia’s Chief Scientist Alan Finkel released a review into the future security of the national electricity market. Following advice that the cyber threat to the national energy market was increasing, Finkel recommended stronger security measures be put in place.

By 2017, some action had been initiated to mitigate threats in the energy sector. Subsequently the Security of Critical Infrastructure Act 2018 was passed. The Act contains elements to help the government better appreciate the risk and to make certain directions to service providers to increase security.

The government is reportedly considering a proposal to enable the Australian Signals Directorate (ASD) to access the networks of companies operating critical infrastructure to defend them against cyber attacks.

In 2018, the Australian Energy Market Operator (AEMO) released the first annual report into the cyber preparedness of the market, identifying that current provisions are inadequate. AEMO has established a framework for operators to assess their security maturity, and strengthen measures.

Notwithstanding these efforts, recent reports suggest the number of attacks on critical infrastructure is growing. Meanwhile, the ability to prevent, detect or respond to these attacks remains low.

For many critical infrastructure systems, OT is a sunk investment that would be expensive to replace. Implementing substantial security improvements to upgrade the legacy energy environment will also be expensive, and it’s likely that costs will be passed onto customers. But there are cost-effective ways of improving security, including threat/vulnerability system monitoring. Some companies in Australia are doing this.

Cyber warfare is a reality. We should expect that cyber criminals and nation-state adversaries could have some impact on our lives in future by attacking critical infrastructure, such as the electricity grid.

Securing our infrastructure is a priority for the government and increasingly recognised as such by the market participants. The cost and need for security mitigations may seem unpalatable to many, but steps need to be taken to prevent a return to the dark ages.

Andrew Dowse, Director, Defence Research and Engagement, Edith Cowan University and Mike Johnstone, Security Researcher, Associate Professor in Resilient Systems, Edith Cowan University

This article is republished from The Conversation under a Creative Commons license. Read the original article.


Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record


Greg Austin, UNSW

This article is part of a series examining the Coalition government’s record on key issues while in power and what Labor is promising if it wins the 2019 federal election.


The government’s chief cyber security coordinator, Alastair McGibbon, told an audience of specialists in November 2018 that the prospect of a catastrophic cyber incident is:

“the greatest existential threat we face as a society today.”

Using a nautical metaphor, he said such an event was not far off on the horizon, but could be on the next wave. He cited what one technology expert called the most devastating cyber attack in history, the NotPetya attack in 2017. NotPetya was a random attack on a single day that cost one Danish global company more than A$400 million.

The latest dire warning from the government is appropriate, yet its policy responses have not quite matched the challenge – or their own commitments.






Cyber security is everyone’s business

The government is 16 months into a departmental reorganisation in order to deliver better cyber security responses, especially through the new Home Affairs Department. That department has been very busy with everyday skirmishes in the escalating confrontations of cyberspace – from Huawei and 5G policy, to foreign cyber attacks on Australian members of parliament.

But Home Affairs is not the only department with a broad responsibility in cyber security policy. On the military side, the Defence Organisation has moved decisively and with discipline. In 2017, it announced the creation of a 1,000-strong joint cyber unit to be in place within a decade. It also announced increased funding to expand the number of people working in civilian defence roles on cyber operations.

Another department with potentially heavy responsibilities is the Department of Education, working with universities, the TAFE sector and schools. Unfortunately, it appears to be missing in action when it comes to cyber security.

Key plans have stalled

In April 2016, Prime Minister Turnbull released a National Cyber Security Strategy. It included commitments to grow the cyber workforce (especially for women), expand the cyber security industry and undertake annual reviews of the strategy itself.

But in key places the ambitious plans appear to have stalled or fallen short. As a result of the Turnbull overthrow, the post of Minister for Cyber Security – which was only created two years previously – disappeared. The 2018 annual review of the strategy was not released, if it took place at all. The annual threat report of the Australian Centre for Cyber Security (ACSC) did not appear in 2018 either.

In November 2018, AustCyber, an industry growth centre that is one good outcome of the 2016 strategy, published its second Sector Competitiveness Plan. Typical of government funded agencies, it reports much good news. Australia is indeed an international powerhouse of cyber security capability. What is unclear from the report is whether the government’s 2016 strategy has much to do with that.






Where we’re falling short

One indicator that we’re off-track is the fact the AustCyber report of 2018 has no data on the participation of women in the sector after 2016. Reports from the decade prior to 2016 showed a decline from 22% down to 19%, but the government does not appear to be tracking this important commitment after it was made.

In other bad news, the AustCyber report concludes that the education and workforce goals remain unfulfilled. It is hard to estimate how badly, since the initial strategy of April 2016 set no baselines or metrics. AustCyber now assesses that:

“the skills shortage in Australia’s cyber security sector is more severe than initially estimated and is already producing real economic costs.”

On the government’s commitment to increase the cyber workforce, AustCyber reports growth over the previous two years of 7% – roughly 3.5% per year. But it probably needs to be of the order of 10% per year for a full ten years if the gap identified by the report is to be met:

“The latest assessment indicates Australia may need up to 17,600 additional cyber security workers by 2026 …”

The government has provided $1.9 million over four years to promote university cyber security education in two Australian universities. That amount is so small it might not even be called a drop in the ocean. As AustCyber suggests, though in muted language, Australia does have huge resourcing holes in our cyber security education capability.

The most important gap in my view is the near total lack of university degree programs or professional education in advanced cyber operations, the near total lack of technical education facilities to support such programs, such as advanced cyber ranges, and a weakly developed national capability for complex cyber exercises.

What we should be doing

In 2018, I argued at a national conference sponsored by the government that Australia needs a national cyber war college, and a cyber civil reserve force, to drive our human capital development. I suggested at the time the college should be set up with a budget of A$100 million per year. Based on a recent international research workshop at UNSW Canberra, I have changed my estimate of cost and process.

Australia needs a cyber security education fund with an initial investment of around A$1 billion to support a new national cyber college. It should be networked around the entire country, and independent of control by any existing education institutions, but drawing on their expertise and that of the private sector.

It would serve as the battery of the nation for cyber security education of the future.






Labor isn’t offering a better alternative

The Labor Party, through its cyber spokesperson Gai Brodtmann, has been critical of the government’s failure to fill the gaps. But she is retiring from the House of Representatives at the next election.

Labor has no well developed policies, and no budget commitments, that can address the gaps. There is even reason to believe the party doesn’t have a front bench that is engaged with the scope of the challenge. None of them seem to be as technologically oriented as Turnbull, the last cyber champion the Australian parliament may see for a while.

Greg Austin, Professor UNSW Canberra Cyber, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The public has a vital role to play in preventing future cyber attacks



Numerous cyber attacks in recent years have targeted common household devices, such as routers.

Sandeep Gopalan, Deakin University

Up to 400 Australian organisations may have been snared in a massive hacking incident detailed today. The attack, allegedly engineered by the Russian government, targeted millions of government and private sector machines globally via devices such as routers, switches, and firewalls.

This follows a cyber attack orchestrated by Iranian hackers revealed last month, which targeted Australian universities.






A joint warning by the US and UK governments stated that the purpose of the most recent attack was to:

“… support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”

The Russians’ modus operandi was to target end-of-life devices and those without encryption or authentication, thereby compromising routers and network infrastructure. In doing so, they secured legitimate credentials from individuals and organisations with weak password protections in order to take control of the infrastructure.

Cyber attacks are key to modern conflict

This is not the first instance of Russian aggression.

The US city of Atlanta last month was crippled by a cyber attack and many of its systems are yet to recover – including the court system. In that case, attackers used the SamSam ransomware, which also uses network infrastructure to infiltrate IT systems, and demanded a ransom payment in Bitcoin.

Baltimore was hit by a cyber attack on March 28 that disrupted its emergency 911 calling system. Russian hackers are suspected to have taken down the French TV station TV5Monde in 2015. The US Department of State was hacked in 2015 – and Ukraine’s power grid and military infrastructure were also compromised in separate attacks in 2015 and 2017.

But Russia is not alone in committing these attacks.

In December 2017, North Korean hackers were blamed for the WannaCry attack that infected over 300,000 computers in 150 countries, affecting hospitals and banks. The UK’s National Health Service was particularly bruised and patients had to be turned away from surgical procedures and appointments.

Iran has conducted cyber attacks against numerous targets in the US, Israel, UAE, and other countries. In turn, Iran was subjected to a cyber attack on April 7 that saw computer screens display the US flag with the warning “don’t mess with our elections”.

Prosecuting hackers is ineffective

The US government has launched prosecutions against hackers – most recently against nine Iranians for the cyber attacks on universities. However, prosecutions are of limited efficacy when hackers are beyond the reach of US law enforcement and unlikely to be surrendered by their home countries.

As I have written previously, countries such as Australia and the US cannot watch passively as rogue states conduct cyber attacks against targets within our jurisdiction.






Strong countermeasures must be taken in self defence against the perpetrators wherever they are located. If necessary, self defence must be preemptive – any potential perpetrators must be crippled before they are able to launch strikes on organisations here.

Reactive measures are a weak deterrent, and our response should include a first strike cyber attack option where there is credible intelligence about imminent attacks. Notably, the UK has threatened to use conventional military strikes against cyber attacks. This may be an overreaction at this time.

Educating the public is essential

Numerous cyber attacks in recent years – including the current attack – have targeted common household devices, such as routers. As a result, the security of public infrastructure relies to some extent on the security practices of everyday Australians.

So, what role should the government play in ensuring Australians are securing their devices?

Unfortunately, cybersecurity isn’t as simple as administering an annual flu shot. It’s not feasible for the government to issue cybersecurity software to residents since security patches are likely to be out-of-date before the next attack.

But the government should play a role in educating the public about cyber attacks and securing public internet services.

The city of New York has provided a free app to all residents called NYC Secure that is aimed at educating people. It is also adding another layer of security to its free wifi services to protect users from downloading malicious software or accessing phishing websites. And the city of Jonesboro, Georgia is putting up a firewall to secure its services.






Australian city administrations must adopt similar strategies alongside a sustained public education effort. A vigilant public is a necessary component in our collective security strategy against cyber attacks.

This cannot be achieved without significant investment. In addition to education campaigns, private organisations – banks, universities, online sellers, large employers – must be leveraged into ensuring their constituents do not enable attacks through end-of-life devices, unsupported software, poor password protection policies and lack of encryption.

Governments must also prioritise investment in their own IT and human resources infrastructure. Public sector IT talent has always lagged the private sector due to pay imbalances, and other structural reasons.

It is difficult for governments to attain parity of technical capabilities with Russian or North Korean hackers in the short term. The only solution is a strong partnership – in research, detection tools, and counter-response strategies – with the private sector.

The Atlanta attack illustrates the perils of inaction – an audit report shows the city was warned months in advance but did nothing. Australian cities must not make the same mistake.

Sandeep Gopalan, Pro Vice-Chancellor (Academic Innovation) & Professor of Law, Deakin University

This article was originally published on The Conversation. Read the original article.

Is counter-attack justified against a state-sponsored cyber attack? It’s a legal grey area



The US has charged and sanctioned nine Iranians and an Iranian company for cyber attacks.

Sandeep Gopalan, Deakin University

On March 23, the US Department of Justice commenced perhaps the largest prosecution of a state-sponsored cyber attack. It indicted nine Iranians for carrying out:

“a coordinated campaign of cyber intrusions into computer systems belonging to 144 US universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies … [and] the United Nations…”

At least 31.5 terabytes of data was allegedly stolen and Australian universities were targeted, although specific institutions are not named.

History suggests that this response is unlikely to deter future attacks, and that counter-attacks are a more effective strategy. But would it be justified? Current international law focuses on armed attack, not cyber attack as a justification for state action taken in self-defence.

As cyber attacks become more common, international law needs to clear up this grey area.

How they did it and what was taken

The indictment alleges that defendants Gholamreza Rafatnejad and Ehsan Mohammadi are founders of Mabna Institute – an organisation established for the purpose of scientific espionage. Mabna is alleged to have contracted with Iranian governmental agencies (including the Islamic Revolutionary Guard) to conduct hacking on their behalf.






The defendants allegedly engaged in a conspiracy to compromise computer accounts of thousands of professors to steal research data and intellectual property, costing the US approximately US$3.4 billion. They allegedly conducted surveillance and sent professors targeted “spearphishing” emails to lure them into providing access to their computer systems.

Valuable data was transferred from the compromised IT systems to the hackers, according to the indictment. Over 100,000 professors were apparently targeted and approximately 8,000 email accounts compromised.

Private companies were also targeted – none Australian – via “password spraying”, said the US Department of Justice. This is a technique whereby the attacker identifies the email accounts of a target via public search and gains access to the account using common or default passwords.
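Seen from the defender's side, the password spraying described above leaves a recognisable trace in authentication logs: one source failing against many distinct accounts, with only a few guesses per account. The following is an added example, not part of the original article or the indictment; the log layout, thresholds, function name and sample events are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample log: (timestamp, source address, account, result).

    Addresses come from the RFC 5737 documentation ranges.
    """
    t0 = datetime(2018, 3, 1, 9, 0, 0)
    events = []
    # Source A: one guess against each of eight accounts, two minutes apart.
    for i in range(8):
        events.append((t0 + timedelta(minutes=2 * i), "203.0.113.10",
                       f"staff{i:02d}@example.edu", "FAIL"))
    # ...and one guess that works on a ninth account.
    events.append((t0 + timedelta(minutes=17), "203.0.113.10",
                   "staff08@example.edu", "OK"))
    # Source B: brute force, many guesses against a single account.
    for i in range(12):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.7",
                       "admin@example.edu", "FAIL"))
    # Source C: a user mistyping their own password twice, then logging in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        events.append((t0 + timedelta(minutes=5, seconds=15 * i), "192.0.2.44",
                       "alice@example.edu", result))
    return sorted(events)


SAMPLE_EVENTS = build_sample_events()


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Flag sources whose failures inside `window` cover at least
    `min_accounts` distinct accounts with at most `max_per_account`
    guesses each. Returns {source: {"accounts": set, "succeeded_after": set}}.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, src, account, result in events:
        bucket = failures if result == "FAIL" else successes
        bucket[src].append((ts, account))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        counts = Counter()   # failures per account inside the sliding window
        start = 0
        for ts, account in fails:
            counts[account] += 1
            # Drop failures that have fallen out of the time window.
            while ts - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            wide = len(counts) >= min_accounts
            shallow = max(counts.values()) <= max_per_account
            if wide and shallow:
                hit = findings.setdefault(
                    src, {"accounts": set(), "succeeded_after": set()})
                hit["accounts"].update(counts)
        if src in findings:
            # Logins that succeeded from the same source once the spray had
            # started are the accounts to review and reset first.
            first_fail = fails[0][0]
            findings[src]["succeeded_after"] = {
                acct for ts, acct in successes.get(src, []) if ts >= first_fail}
    return findings


if __name__ == "__main__":
    for src, hit in detect_password_spray(SAMPLE_EVENTS).items():
        print(src, "sprayed", len(hit["accounts"]), "accounts;",
              "review:", sorted(hit["succeeded_after"]))
```

A per-account lockout counter would miss source A entirely, because no single account sees more than one failure; grouping by source rather than by account is what exposes the pattern.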

Prosecution is an insufficient response

The defendants are charged with committing fraud and related activity in connection with computers, conspiracy, wire fraud, unauthorised access of a computer, and identity theft. Each charge carries a prison sentence ranging from two years to 20 years.

The prosecution is a necessary, but insufficient response to these cyber attacks.

The defendants are based in Iran and are unlikely to be brought to justice. Previously, US prosecutors have charged Iranian hackers with attacks against financial institutions and a dam in New York to no avail.

And hacking has escalated – the US accused Russia of compromising the US electricity grid and attacks against other countries are also alleged.

Counter-attack a better deterrent

Rogue states such as Iran, Russia, and North Korea are only likely to be deterred against conducting cyber attacks if their targets have robust self-defence and counter-attack capabilities. However, the legal status of cyber attacks and the appropriate responses are not clear in international law.

Under the UN Charter, states have an obligation to refrain “from the threat or use of force against the territorial integrity or political independence of any state”. Crucially, states possess an “inherent right of individual or collective self-defence if an armed attack occurs”.






The key questions then are whether a cyber attack amounts to a “use of force”, whether hacking attributable to a state amounts to an “armed attack”, and if a cyber attack violates “territorial integrity”. Traditionally, international law has answered these questions with reference to acts of physical violence – conventional military strikes.

It’s likely that a large scale cyber attack against a state that has physical consequences within its territory may be characterised as a “use of force”, and may violate “territorial integrity” under the charter. For instance, attacks that turn self-driving cars into weapons, knock out nuclear stations or paralyse the power grid might reach this threshold.

But what if the attack is designed to sow confusion or generate internal discord, such as in the case of Russian hacking of the US election? Or attacks directed beyond a particular country? This is a harder question and not settled currently. Similarly, it’s not certain that even large scale hacking would rise to the level of an “armed attack”.

Precedent in international law

In 1984, Nicaragua brought proceedings against the US in response to American support for the Contras (rebels fighting the government). In that case, the International Court of Justice (ICJ) opined that armed attack might also include:

“the sending by a State of armed bands on to the territory of another State, if such an operation, because of its scale and effects, would have been classified as an armed attack had it been carried out by regular armed forces.”

Crucially, the ICJ underlined the principle of non-intervention:

“Intervention is wrongful … [using] methods of coercion, particularly force, either in the direct form of military action or in the indirect form of support for subversive activities in another State.”

Based on the Nicaragua case, if a cyber attack has sufficient “scale and effects” it may amount to an armed attack. More importantly, if the attacks are attributable to a state (in this case the Islamic Revolutionary Guard) – or are within its overall or effective control or direction – it would appear that the armed attack would give rise to the right to self-defence.






However, this may be difficult to establish in practice – there may not be sufficient evidence connecting the hacker to the state to show control, and hence attribution.

So, what are the permissible self-defence responses under international law? Could the US launch military strikes against Iran or Russia for these incidents if they are found to be behind these attacks? The legality of such strikes is not clear even though the US might claim such status.

The international community should set bright line rules on this matter before an expansive reading of self-defence triggers war. The NATO Cooperative Cyber Defence Centre of Excellence’s Tallinn Manual 2.0 is a start, but a binding instrument is needed. John Bolton’s appointment as US President Donald Trump’s National Security Advisor makes this an urgent priority because a military strike in response to the next major cyber attack is a realistic prospect.

Sandeep Gopalan, Pro Vice-Chancellor (Academic Innovation) & Professor of Law, Deakin University

This article was originally published on The Conversation. Read the original article.