In January, V. Miller Newton, CEO and president of PKWARE, made his annual list of predictions for most likely cyberattacks of the year.
Number 3 on the list: The U.S. electrical grid will be attacked. He’s been making predictions since 2011, and claims 95 percent accuracy so far (he also predicts that healthcare systems were at risk and that smart watches would be hacked).
[ Related: Battling cyberattacks with bombs? ]
“This country’s infrastructure runs on antiquated technology and systems,” he says. “We’ve already seen an electrical power grid hacked in December of last year in Ukraine,” which blacked out 103 cities and partially blacked out an additional 186.
Cyberwarefare isn’t new, but Newton and other security experts expect that these attacks will ratchet up and focus on anything that could cripple the U.S., whether that’s shutting off something like the power grid, utilities, or water, or holding financial institutions or Fortune 500 companies ransom. They also say the slow pace of government reaction isn’t ready to keep up with the race to hack, which can leave the country vulnerable.
“You’re talking about massive disaster. You’re talking about a complete blackout of the whole infrastructure of the United Sates,” says Idan Udi Edry, CEO of Nation-E.
Shutting systems down easier than you think
It’s easy to see why shutting down a power grid would be disruptive. But what might not be obvious is that it can be easy, especially since critical systems are online, says Timothy Carone, a teaching professor in IT, analytics and operations at the University of Notre Dame’s Mendoza College of Business.
“Software gets upgraded just like it does on your computer or iPhone,” says Carone. “You have the same challenges upgrading elements of an electrical grid that you have with a regular computer.”
[ Related: Cybersecurity much more than a compliance exercise ]
So just like a computer or smartphone needs security patch updates, so do networks that run critical systems. If not addressed, those vulnerabilities are a way in for someone who wants to do damage.
“The western world, which is considered to be the leader in technology and innovation is actually the most vulnerable because of the effect of the digital age,” says Edry.
Putting your thermostat or baby cam online as part of the internet of things (IoT) makes them vulnerable to hackers where they wouldn’t have been before, the same is true for any infrastructure system.
“All of those assets and all of those integrations and vulnerabilities are opening themselves up,” says Edry. “These are the most critical points. It’s IoT of the Industrial size.”
And these aren’t a bunch of guys sitting in a basement trying to see how far they can get into someone’s system either. They’re criminal gangs, intelligence agencies or proxies for them, says Carone. And they’re smart.
“Our systems are such that not only can people break into them, but they actually use our system to train people to break into them,” he says. You’ll experience a hack, which is followed by five more. “These aren’t six separate hackers, [rather] it’s clearly one person teaching the other five how to hack in and what to do with the system.”
Holding systems for ransom
In February, Hollywood Presbyterian Medical Center admitted that it paid $17,000 to hackers to get their systems back. These kinds of attacks could be scaled up, says Carone, to cause chaos. Example: hackers take over the electrical grid to a section of a city that includes the headquarters of several Fortune 500 companies along with a residential neighborhood. “[Hackers] can tell each of the companies separately ‘If you want your power restored you need to give us some obscene amount of money and by the way we’ve also cut power to the neighborhoods in your area,'” he says.
Not only will that cost those companies a huge amount of money, but it could pit residents against companies if they are told that the reason they don’t have power is because of their corporate neighbors. In other words: chaos.
Keeping up with the hackers
“This is a new world problem that needs a new world solution,” says Newton. “The world has looked at security over the past 10, 15, 20 years from a perimeter perspective. Keep the bad guys out.”
The mindset, he says, has to change. One way to do that is to protect crucial information by encrypting it so that, even if someone breaks in, “it’s totally innocuous. The hack is like a non-event.”
However, awareness, says Edry, is “very weak.” Decision-makers, especially in government, aren’t giving this issue the attention it needs, and when they do, the response is too slow. He thinks something major will need to happen before the problem gets that attention it deserves.
Because government does move so slow, Carone sees the solution coming from the private sector. “I think you’re going to find practitioners in the field take it upon themselves to generate solutions and try to put that defense posture in place, whether it’s ensuring safety of the electrical grid or the electoral process,” he says. “[Otherwise,] it won’t get done because government just can’t make decisions fast enough.”